Adding changes for Fleet v4.53.0 (#19965)

2026-04-21 13:37:30 +00:00 · 2024-06-28 14:21:58 -07:00 · 2024-06-28 14:21:58 -07:00 · 972988e39b
commit 972988e39b
parent 36f7406eda
63 changed files with 55 additions and 77 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,9 +1,52 @@
+## Fleet 4.53.0 (Jun 25, 2024)
+
+### Endpoint Operations
+
+- Enabled `fleetctl gitops` to create teams with no enroll secrets, or clear enroll secrets for an existing team.
+- Added support for upgrades to `fleetd` RPMs packages.
+- Changed `activities.created_at` timestamp precision to microseconds.
+- Added character validation to /api/fleet/orbit/device_token endpoint.
+- Cleaned up count rendering fixing clientside flashing counts.
+- Improved performance by removing unnecessary database query that listed host software during
+  initial page load of the "My device" page.
+- Made the rendering of empty text cell values consistent. Also render the '0' value as a number instead of the default value.
+- Added a server setting to configure the query report max size.
+- Fixed a bug where scrollbars were always present on modal backgrounds.
+- Fixed bug in `fleetctl preview` caused by creating enroll secrets.
+
+### Device Management (MDM)
+
+- Extended the timeout for the endpoint to upload a software installer.
+- Improved the logic used by Fleet to detect if a host is currently MDM-managed.
+- Added S3 config variables with a `carves_` and `software_installers` prefix.
+- Fixed bug where MDM migration failed when attempting to renew enrollment profiles on macOS Sonoma devices.
+- Fixed issue where Windows-specific error message was displayed when failing to parse macOS configuration profiles.
+- Fixed a bug where MDM migration failed when attempting to renew enrollment profiles on macOS Sonoma devices.
+- Fixed a server panic when sending a request to `/mdm/apple/mdm` without certificate headers.
+- Fixed issue where profiles larger than 65KB were being truncated when stored on MySQL 8.
+- Fixed a bug that prevented unused script contents to be periodically cleaned up from the database.
+- Fixed UI bug where error detail was overflowing the table in "OS settings" modal in "My device"
+  page UI.
+- Fixed a bug where the software installer exists in the database but the installer does not exist
+  in the storage.
+- Added a "soft-delete" approach when deleting a host so that its script execution details are still
+  available for the activities feed.
+- Fixed UI bug where Zoom icon was displayed for ZoomInfo.
+- Fixed issue with backwards compatibility with the deprecated `FLEET_S3_*` environment variables.
+- Fixed a code linter issue where a slice was created non-empty and appended-to, instead of empty with the required capacity.
+
+### Vulnerability Management
+
+- Added vulnerabilities matching for applications that include an OS scope.
+- Added vulnerability detection in NVD for custom ubuntu kernels.
+- Removed duplicate `os_versions` results in /api/latest/fleet/vulnerabilities/:cve endpoint.
+- Removed vscode false positive vulnerabilities.
+- Clarified Fleet uses CVSS base score version 3.x.
+
 ## Fleet 4.52.0 (Jun 20, 2024)

 ### Bug fixes

-### Changelog
-
 * Fixed an issue where profiles larger than 65KB were being truncated when stored on MySQL 8.
 * Fixed activity without public IP to be human readable.
 * Made the rendering of empty text cell values consistent. Also rendered the '0' value as a number instead of the default value `---`.
--- a/changes/148940-app-os-vuln-matching
+++ b/changes/148940-app-os-vuln-matching
@ -1 +0,0 @@
- Fleet now matches vulnerabilies for applications that include an OS scope [example](https://nvd.nist.gov/vuln/detail/CVE-2023-0400)
--- a/changes/16393-add-warning-log-duplicate-uuid
+++ b/changes/16393-add-warning-log-duplicate-uuid
@ -1 +0,0 @@
-* Added warning server log when hosts are enrolling with duplicate hardware identifiers.
--- a/changes/16961-return-api-token-for-api-only-users
+++ b/changes/16961-return-api-token-for-api-only-users
@ -1,2 +0,0 @@
- Endpoint `/api/latest/fleet/users/admin` to return API token when creating API-only (non-SSO) users.
- Added API-token of the created API-only (non-SSO) user to the output of `fleetctl user create --api-only`.
--- a/changes/17316-parse-config-profile-error
+++ b/changes/17316-parse-config-profile-error
@ -1 +0,0 @@
- Fixed issue where Windows-specific error message was displayed when failing to parse macOS configuration profiles.
--- a/changes/17365-update-osquery-flags
+++ b/changes/17365-update-osquery-flags
@ -1 +0,0 @@
-* Update osquery flags with new flags added on 5.12.X.
--- a/changes/17387-soft-delete-host-script-and-software-install-results
+++ b/changes/17387-soft-delete-host-script-and-software-install-results
@ -1 +0,0 @@
-* Use a "soft-delete" approach when deleting a host so that its script execution details are still available for the activities feed.
--- a/changes/17528-automatic-install-enable-scripts
+++ b/changes/17528-automatic-install-enable-scripts
@ -1,2 +0,0 @@
-* Scripts are now enabled by default when fleet is automatically installed
-* The fleet msi installer now has a parameter `ENABLE_SCRIPTS` to enable or disable scripts when installed through cmd
--- a/changes/17728-send-408-instead-of-500-for-apple-mdm-timeout
+++ b/changes/17728-send-408-instead-of-500-for-apple-mdm-timeout
@ -1 +0,0 @@
-* Fixed the `/mdm/apple/mdm` endpoint so that it returns status code 408 (request timeout) instead of 500 (internal server error) when encountering a timeout reading the request body.
--- a/changes/18115-host_issues
+++ b/changes/18115-host_issues
@ -1,4 +0,0 @@
-* /api/latest/fleet/hosts and /api/latest/fleet/labels/:id/hosts now return `critical_vulnerabilities_count` for premium users. This data is held in the new `host_issues` table. The failing policies total is updated in real-time, while the critical vulnerabilities total is updated every hour after vulnerabilities job.
-* /api/latest/fleet/hosts and /api/latest/fleet/labels/:id/hosts can be sorted by total_issues_count by specifying `order_key=issues` query parameter.
-* /api/latest/hosts/:id and /api/latest/hosts/identifier/:identifier now return `critical_vulnerabilities_count` for premium users.
-* For /api/latest/fleet/hosts, /api/latest/fleet/hosts/report, and /api/latest/fleet/labels/:id/hosts endpoints, the `disable_failing_policies` query parameter has been deprecated. Instead, use `disable_issues` to disable the failing policies and critical vulnerabilities counts.
--- a/changes/18130-fleetd-linux-end-user-email
+++ b/changes/18130-fleetd-linux-end-user-email
@ -1 +0,0 @@
- Added support for `--end-user-email` option when building fleetd Linux packages.
--- a/changes/18427-cert-names
+++ b/changes/18427-cert-names
@ -1 +0,0 @@
-* Use Fleet instead of FleetDM in MDM certificates
--- a/changes/18534-support-rpm-upgrade
+++ b/changes/18534-support-rpm-upgrade
@ -1 +0,0 @@
-* Added support for upgrades to fleetd RPMs packages.
--- a/changes/18733-vscode-false-pos
+++ b/changes/18733-vscode-false-pos
@ -1 +0,0 @@
-removed vscode false positive vulnerabilities
--- a/changes/18993-404-when-no-team-on-delete-team-policies
+++ b/changes/18993-404-when-no-team-on-delete-team-policies
@ -1 +0,0 @@
-* Error with 404 when the user attempts to delete team policies for a non-existent team
--- a/changes/19000-zoominfo-icon
+++ b/changes/19000-zoominfo-icon
@ -1 +0,0 @@
- Fixed UI bug where Zoom icon was displayed for ZoomInfo.
--- a/changes/19090-flashing-count
+++ b/changes/19090-flashing-count
@ -1 +0,0 @@
- Cleanup count rendering fixing clientside flashing counts
--- a/changes/19103-my-device-os-settings
+++ b/changes/19103-my-device-os-settings
@ -1,2 +0,0 @@
- Fixed UI bug where error detail was overflowing the table in "OS settings" modal in "My device"
-  page UI.
--- a/changes/19129-fleetctl-preview-enroll-secrets
+++ b/changes/19129-fleetctl-preview-enroll-secrets
@ -1 +0,0 @@
-* Fixed bug in `fleetctl preview` caused by creating enroll secrets.
--- a/changes/19181-software-empty-states
+++ b/changes/19181-software-empty-states
@ -1 +0,0 @@
- Clean up software empty states in the UI
--- a/changes/19184-activity-human-readable
+++ b/changes/19184-activity-human-readable
@ -1 +0,0 @@
- Fix activity without public IP to be human readable
--- a/changes/19197-fix-windows-remove-fleetd-script
+++ b/changes/19197-fix-windows-remove-fleetd-script
@ -1 +0,0 @@
-* Fixed an issue with the Windows-specific `windows-remove-fleetd.ps1` script provided in the Fleet repository where running the script did remove `fleetd` but made it impossible to reinstall the agent.
--- a/changes/19284-modal-background-scrollbars
+++ b/changes/19284-modal-background-scrollbars
@ -1 +0,0 @@
- Fix a bug where scrollbars were always present on modal backgrounds
--- a/changes/19290-fix-make-slice-with-capacity
+++ b/changes/19290-fix-make-slice-with-capacity
@ -1 +0,0 @@
-* Fixed a code linter issue where a slice was created non-empty and appended-to, instead of empty with the required capacity.
--- a/changes/19300-sticky-tooltips
+++ b/changes/19300-sticky-tooltips
@ -1 +0,0 @@
- Replace React Tooltip with Tooltipwrapper to fix "sticky tooltip"s observed in 2 places.
--- a/changes/19324-fix-panic-in-download-software
+++ b/changes/19324-fix-panic-in-download-software
@ -1 +0,0 @@
-* Fixed a panic (API returning code 500) when the software installer exists in the database but the installer does not exist in the storage.
--- a/changes/19332-clear-secrets-with-gitops
+++ b/changes/19332-clear-secrets-with-gitops
@ -1,2 +0,0 @@
-* Enabled `fleetctl gitops` to create teams with no enroll secrets, or clear enroll secrets for an existing team. This is done by setting `team_settings.secrets` to nothing or to null or to an empty array ( `[]` ) in YAML.
-* Enabled `fleetctl apply` to create teams with no enroll secrets, or clear enroll secrets for an existing team. This is done by setting `team.secrets` to an empty array in YAML.
--- a/changes/19347-custom-kernel-vuln-detection
+++ b/changes/19347-custom-kernel-vuln-detection
@ -1 +0,0 @@
- added vulnerability detection in NVD for custom ubuntu kernels
--- a/changes/19348-software-host-details-page
+++ b/changes/19348-software-host-details-page
@ -1,3 +0,0 @@
-Fixed host details page and device details page not showing the latest software.
-
-Added `exclude_software` query parameter to the `/api/latest/fleet/hosts/:id` endpoint to exclude software from the response.
--- a/changes/19365-disable-ai-migration
+++ b/changes/19365-disable-ai-migration
@ -1 +0,0 @@
-* Disabled AI features on non-new installations upgrading from < 4.50.X to >= 4.51.X.
--- a/changes/19453-improve-software-installer-upload-endpoint
+++ b/changes/19453-improve-software-installer-upload-endpoint
@ -1 +0,0 @@
-* Extended the timeout for the endpoint to upload a software installer (`POST /fleet/software/package`), and improved handling of the maximum size.
--- a/changes/19500-scripts-cleanup
+++ b/changes/19500-scripts-cleanup
@ -1 +0,0 @@
-* Fixed a bug that prevented unused script contents to be periodically cleaned up from the database.
--- a/changes/19501-team-level-no-teams-bug
+++ b/changes/19501-team-level-no-teams-bug
@ -1 +0,0 @@
-* bug fix: Hide no teams option from team level users
--- a/changes/19512-mdm-migration-sonoma
+++ b/changes/19512-mdm-migration-sonoma
@ -1 +0,0 @@
- Fixed bug where MDM migration failed when attempting to renew enrollment profiles on macOS Sonoma devices.
--- a/changes/19526-installers-bucket
+++ b/changes/19526-installers-bucket
@ -1,2 +0,0 @@
- Adds S3 config variables with a `carves_` and `software_installers` prefix, which are used to
-  configure buckets for those features. The existing non-prefixed variables are kept for backwards compatibility.
--- a/changes/19528-dot-notation-bug-on-queries
+++ b/changes/19528-dot-notation-bug-on-queries
@ -1 +0,0 @@
-* Fix queries with dot notation in the column name to show results
--- a/changes/19545-unlock-pin
+++ b/changes/19545-unlock-pin
@ -1,2 +0,0 @@
-* /api/latest/fleet/hosts/:id/lock returns `unlock_pin` for Apple hosts when query parameter `view_pin=true` is set
-* UI no longer uses unlock pending state for Apple hosts
--- a/changes/19580-fix-linux-unlock-script-for-user-without-password
+++ b/changes/19580-fix-linux-unlock-script-for-user-without-password
@ -1 +0,0 @@
-* Fixed the Linux unlock script to support passwordless users.
--- a/changes/19600-add-config-to-set-query-report-cap
+++ b/changes/19600-add-config-to-set-query-report-cap
@ -1 +0,0 @@
-* Added a server setting to configure the query repory cap size, `server_settings.query_report_cap` (default is 1000).
--- a/changes/19612-idp-ingest
+++ b/changes/19612-idp-ingest
@ -1 +0,0 @@
- Fixes issue where the MDM ingestion flow would fail if an invalid enrollment reference was passed.
--- a/changes/19618-device-user-pageload
+++ b/changes/19618-device-user-pageload
@ -1 +0,0 @@
- Improved performance by removing unnecessary database query that listed host software during initial page load of the "My device" page.
--- a/changes/19688-fleet-mdm-detection
+++ b/changes/19688-fleet-mdm-detection
@ -1 +0,0 @@
-* Improved the logic used by Fleet to detect if a host is currently MDM-managed.
--- a/changes/19771-prof-size
+++ b/changes/19771-prof-size
@ -1 +0,0 @@
- Fixes an issue where profiles larger than 65KB were being truncated when stored on MySQL 8. 
--- a/changes/19775-clarify-cvss-score
+++ b/changes/19775-clarify-cvss-score
@ -1 +0,0 @@
-* Clarify Fleet uses CVSS base score version 3.x
--- a/changes/19819-duplicate-os-versions
+++ b/changes/19819-duplicate-os-versions
@ -1 +0,0 @@
- Removed duplicate `os_versions` results in /api/latest/fleet/vulnerabilities/:cve endpoint
--- a/changes/19845-activities-created_at
+++ b/changes/19845-activities-created_at
@ -1 +0,0 @@
-* Changed `activities.created_at` timestamp precision to microseconds
--- a/changes/19928-empty-certs
+++ b/changes/19928-empty-certs
@ -1 +0,0 @@
-* Fixed a server panic when sending a request to `/mdm/apple/mdm` without certificate headers.
--- a/changes/6978-device-token-validation
+++ b/changes/6978-device-token-validation
@ -1 +0,0 @@
-Added character validation to /api/fleet/orbit/device_token endpoint
--- a/changes/conf-6385-host-policy-table-fixes
+++ b/changes/conf-6385-host-policy-table-fixes
@ -1 +0,0 @@
- Host policy table can be sortable by response and View all host link preserves the team
--- a/changes/feature_19010-ipad-ios-wipe
+++ b/changes/feature_19010-ipad-ios-wipe
@ -1 +0,0 @@
-* Added support to wipe iOS/iPadOS devices.
--- a/changes/fix-s3-back-compat
+++ b/changes/fix-s3-back-compat
@ -1 +0,0 @@
- Fixes an issue with backwards compatibility with the deprecated `FLEET_S3_*` environment variables.
--- a/changes/issue-15197-dont-send-500-debug-error
+++ b/changes/issue-15197-dont-send-500-debug-error
@ -1 +0,0 @@
- dont always send a 500 from the /debug/errors endpoint
--- a/changes/issue-19433-render-0-value-as-number
+++ b/changes/issue-19433-render-0-value-as-number
@ -1 +0,0 @@
- Makes the rendering of empty text cell values consistent. Also render the '0' value as a number instead of the default value `---`.
--- a/changes/issue-19555-dashboard-icon-fixes
+++ b/changes/issue-19555-dashboard-icon-fixes
@ -1 +0,0 @@
- fix various icon misalignments on the dashboard page
--- a/changes/part-of-19072-use-reader-db-for-stats
+++ b/changes/part-of-19072-use-reader-db-for-stats
@ -1 +0,0 @@
- Improved db usage when sending statistics
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@ -8,7 +8,7 @@ version: v6.1.0
 home: https://github.com/fleetdm/fleet
 sources:
  - https://github.com/fleetdm/fleet.git
-appVersion: v4.52.0
+appVersion: v4.53.0
 dependencies:
  - name: mysql
    condition: mysql.enabled
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.52.0 # Version of Fleet to deploy
+imageTag: v4.53.0 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:
--- a/infrastructure/dogfood/terraform/aws/variables.tf
+++ b/infrastructure/dogfood/terraform/aws/variables.tf
@ -56,7 +56,7 @@ variable "database_name" {

 variable "fleet_image" {
  description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.52.0"
+  default     = "fleetdm/fleet:v4.53.0"
 }

 variable "software_inventory" {
--- a/infrastructure/dogfood/terraform/gcp/variables.tf
+++ b/infrastructure/dogfood/terraform/gcp/variables.tf
@ -68,5 +68,5 @@ variable "redis_mem" {
 }

 variable "image" {
-  default = "fleet:v4.52.0"
+  default = "fleet:v4.53.0"
 }
--- a/terraform/addons/vuln-processing/variables.tf
+++ b/terraform/addons/vuln-processing/variables.tf
@ -24,7 +24,7 @@ variable "fleet_config" {
    vuln_processing_cpu                  = optional(number, 2048)
    vuln_data_stream_mem                 = optional(number, 1024)
    vuln_data_stream_cpu                 = optional(number, 512)
-    image                                = optional(string, "fleetdm/fleet:v4.52.0")
+    image                                = optional(string, "fleetdm/fleet:v4.53.0")
    family                               = optional(string, "fleet-vuln-processing")
    sidecars                             = optional(list(any), [])
    extra_environment_variables          = optional(map(string), {})
@ -82,7 +82,7 @@ variable "fleet_config" {
    vuln_processing_cpu                  = 2048
    vuln_data_stream_mem                 = 1024
    vuln_data_stream_cpu                 = 512
-    image                                = "fleetdm/fleet:v4.52.0"
+    image                                = "fleetdm/fleet:v4.53.0"
    family                               = "fleet-vuln-processing"
    sidecars                             = []
    extra_environment_variables          = {}
--- a/terraform/byo-vpc/example/main.tf
+++ b/terraform/byo-vpc/example/main.tf
@ -17,7 +17,7 @@ provider "aws" {
 }

 locals {
-  fleet_image = "fleetdm/fleet:v4.52.0"
+  fleet_image = "fleetdm/fleet:v4.53.0"
  domain_name = "example.com"
 }

--- a/terraform/example/main.tf
+++ b/terraform/example/main.tf
@ -63,8 +63,8 @@ module "fleet" {

  fleet_config = {
    # To avoid pull-rate limiting from dockerhub, consider using our quay.io mirror
-    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.52.0"
-    image = "fleetdm/fleet:v4.52.0" # override default to deploy the image you desire
+    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.53.0"
+    image = "fleetdm/fleet:v4.53.0" # override default to deploy the image you desire
    # See https://fleetdm.com/docs/deploy/reference-architectures#aws for appropriate scaling
    # memory and cpu.
    autoscaling = {
--- a/tools/fleetctl-npm/package.json
+++ b/tools/fleetctl-npm/package.json
@ -1,6 +1,6 @@
 {
  "name": "fleetctl",
-  "version": "v4.52.0",
+  "version": "v4.53.0",
  "description": "Installer for the fleetctl CLI tool",
  "bin": {
    "fleetctl": "./run.js"
				`@ -1 +0,0 @@`
				`- Fleet now matches vulnerabilies for applications that include an OS scope [example](https://nvd.nist.gov/vuln/detail/CVE-2023-0400)`
				`@ -1 +0,0 @@`
				`* Added warning server log when hosts are enrolling with duplicate hardware identifiers.`
				`@ -1 +0,0 @@`
				`- Fixed issue where Windows-specific error message was displayed when failing to parse macOS configuration profiles.`
				`@ -1 +0,0 @@`
				`* Update osquery flags with new flags added on 5.12.X.`
				`@ -1 +0,0 @@`
				`* Use a "soft-delete" approach when deleting a host so that its script execution details are still available for the activities feed.`
				`@ -1 +0,0 @@`
				* Fixed the `/mdm/apple/mdm` endpoint so that it returns status code 408 (request timeout) instead of 500 (internal server error) when encountering a timeout reading the request body.
				`@ -1 +0,0 @@`
				- Added support for `--end-user-email` option when building fleetd Linux packages.
				`@ -1 +0,0 @@`
				`* Use Fleet instead of FleetDM in MDM certificates`
				`@ -1 +0,0 @@`
				`* Added support for upgrades to fleetd RPMs packages.`
				`@ -1 +0,0 @@`
				`removed vscode false positive vulnerabilities`