|
2 | 2 |
|
3 | 3 | ### (2025-08-28) What's new in **ROR 1.66.0** |
4 | 4 | <details> |
5 | | -<summary><strong>๐จ Security Fix</strong> (KBN) <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-7339">CVE-2025-7339</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-7783">CVE-2025-7783</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-54419">CVE-2025-54419</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-9288">CVE-2025-9288</a></summary> |
6 | | -Addresses multiple third-party library vulnerabilities including: CVE-2025-7339 (on-headers middleware header modification), CVE-2025-7783 (form-data library HTTP parameter pollution), CVE-2025-54419 (Node-SAML authentication bypass), and CVE-2025-9288 (sha.js input validation). These updates prevent potential security exploits in dependent components. |
| 5 | +<summary><strong>๐จSecurity Fix</strong> (KBN) <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-7339">CVE-2025-7339</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-7783">CVE-2025-7783</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-54419">CVE-2025-54419</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-9288">CVE-2025-9288</a></summary> |
| 6 | +Addresses multiple critical security vulnerabilities in Node.js dependencies including header modification, HTTP parameter pollution, authentication bypass, and input validation issues. These updates prevent potential security exploits in the Kibana integration. |
7 | 7 | </details> |
8 | 8 | <details> |
9 | | -<summary><strong>๐ Security Fix</strong> (KBN) <a href="https://forum.readonlyrest.com/t/hidden-functions-are-available-through-the-search/2840/2">Prevented visibility of hidden functions through Kibana UI search</a></summary> |
10 | | -Fixes a security issue where hidden functions that should be restricted were discoverable through Kibana's search interface. This ensures that only authorized functions are visible to users based on their access permissions. |
| 9 | +<summary><strong>๐จSecurity Fix</strong> (KBN) <a href="https://forum.readonlyrest.com/t/hidden-functions-are-available-through-the-search/2840/2">Prevented visibility of hidden functions through Kibana UI search</a></summary> |
| 10 | +Fixes a security issue where hidden functions and administrative features were inadvertently exposed through Kibana's search functionality, preventing unauthorized discovery of restricted capabilities. |
11 | 11 | </details> |
12 | 12 | <details> |
13 | 13 | <summary><strong>๐จSecurity Fix</strong> (ES) Removed internal failure details from error responses to prevent unintended information disclosure</summary> |
14 | | -Enhances security by eliminating sensitive internal error information from API responses. This prevents potential attackers from gathering system intelligence through error messages while maintaining necessary debugging information for administrators. |
| 14 | +Enhances security by sanitizing error responses to exclude internal system details that could be exploited by attackers, preventing potential information leakage. |
| 15 | +</details> |
| 16 | +<details> |
| 17 | +<summary><strong>๐New</strong> (ES) 9.1.3, 9.1.2, 9.0.6, 9.0.4, 8.19.3, 8.18.6 support</summary> |
| 18 | +Adds official support for the latest Elasticsearch patch versions, ensuring compatibility with recent security updates and bug fixes from Elasticsearch. |
15 | 19 | </details> |
16 | 20 | <details> |
17 | 21 | <summary><strong>๐งEnhancement</strong> (ES) Refined user metadata selection logic during login to prioritize matched blocks associated with a defined Kibana index</summary> |
18 | | -Improves login behavior by optimizing how user metadata is selected, ensuring that blocks with explicitly defined Kibana indices are prioritized over generic blocks for better access control consistency. |
| 22 | +Improves authentication flow by optimizing metadata selection to prioritize ACL blocks with Kibana index definitions, ensuring more consistent user session behavior. |
19 | 23 | </details> |
20 | 24 | <details> |
21 | 25 | <summary><strong>๐งEnhancement</strong> (ES) Patching: improved handling of the consent flag when provided via environment variables for more reliable configuration</summary> |
22 | | -Enhances configuration reliability by improving how consent flags are processed when set through environment variables, ensuring consistent behavior across different deployment scenarios. |
| 26 | +Enhances configuration reliability by improving how consent flags are processed when set through environment variables, preventing configuration issues. |
23 | 27 | </details> |
24 | 28 | <details> |
25 | | -<summary><strong>๐ Fix</strong> (KBN) Resolved issue with index deletion in <strong>Index Management</strong> via Kibana UI</summary> |
26 | | -Fixes a bug that prevented proper index deletion operations through Kibana's Index Management interface when using ReadOnlyRest security controls. |
| 29 | +<summary><strong>๐Fix</strong> (KBN) Resolved issue with index deletion in <strong>Index Management</strong> via Kibana UI</summary> |
| 30 | +Fixes a bug that prevented proper index deletion operations through Kibana's Index Management interface, restoring full lifecycle management functionality. |
27 | 31 | </details> |
28 | 32 | <details> |
29 | | -<summary><strong>๐ Fix</strong> (KBN) Corrected document display in <strong>Discover</strong> when indices are defined in the user ACL block</summary> |
30 | | -Addresses an issue where document visibility in Kibana's Discover tab was inconsistent when indices were configured through user ACL blocks, ensuring proper document display based on access permissions. |
| 33 | +<summary><strong>๐Fix</strong> (KBN) Corrected document display in <strong>Discover</strong> when indices are defined in the user ACL block</summary> |
| 34 | +Addresses inconsistent document visibility in Kibana's Discover tab when user ACLs include index definitions, ensuring proper rendering based on permissions. |
31 | 35 | </details> |
32 | 36 | <details> |
33 | | -<summary><strong>๐ Fix</strong> (KBN) Fixed an error preventing <strong>Spaces</strong> from being deleted in Kibana <strong>9.1.0</strong></summary> |
34 | | -Resolves a compatibility issue with Kibana 9.1.0 where Space deletion operations were failing due to conflicts with ReadOnlyRest's security enforcement mechanisms. |
| 37 | +<summary><strong>๐Fix</strong> (KBN) Fixed an error preventing <strong>Spaces</strong> from being deleted in Kibana <strong>9.1.0</strong></summary> |
| 38 | +Resolves a compatibility issue with Kibana 9.1.0 that prevented Space deletion, restoring full Spaces management functionality for administrators. |
35 | 39 | </details> |
36 | 40 | <details> |
37 | | -<summary><strong>๐ Fix</strong> (KBN) Corrected handling of <code>readonlyrest_kbn.whitelistedPaths</code> in <code>kibana.yml</code> when <code>xpack.security.enabled: true</code></summary> |
38 | | -Fixes configuration parsing for whitelisted paths when X-Pack security is enabled, ensuring that path exclusions work correctly alongside Elasticsearch's native security features. |
| 41 | +<summary><strong>๐Fix</strong> (KBN) Corrected handling of <code>readonlyrest_kbn.whitelistedPaths</code> in <code>kibana.yml</code> when <code>xpack.security.enabled: true</code></summary> |
| 42 | +Fixes configuration parsing issues when both ROR whitelisted paths and X-Pack security are enabled, ensuring proper path-based access control. |
39 | 43 | </details> |
40 | 44 | <details> |
41 | | -<summary><strong>๐ Fix</strong> (KBN) Resolved startup issues for Kibana versions <strong>7.9.0 โ 7.10.2</strong></summary> |
42 | | -Addresses compatibility problems that caused startup failures in older Kibana versions (7.9.0 to 7.10.2), ensuring backward compatibility and smooth operation across supported Kibana releases. |
| 45 | +<summary><strong>๐Fix</strong> (KBN) Resolved startup issues for Kibana versions <strong>7.9.0 โ 7.10.2</strong></summary> |
| 46 | +Addresses compatibility problems causing startup failures in older Kibana versions 7.9.0-7.10.2, ensuring backward compatibility. |
43 | 47 | </details> |
44 | 48 | <details> |
45 | | -<summary><strong>๐ Fix</strong> (KBN) Fixed report generation when <code>xpack.security.enabled: true</code> and <code>xpack.encryptedSavedObjects.encryptionKey</code> is set in Kibana <strong>8.19.x</strong> and <strong>9.1.x</strong></summary> |
46 | | -Resolves report generation failures in specific Kibana versions when both X-Pack security and encrypted saved objects are configured, ensuring proper functionality of reporting features with security enhancements. |
| 49 | +<summary><strong>๐Fix</strong> (KBN) Fixed report generation when <code>xpack.security.enabled: true</code> and <code>xpack.encryptedSavedObjects.encryptionKey</code> is set in Kibana <strong>8.19.x</strong> and <strong>9.1.x</strong></summary> |
| 50 | +Resolves report generation failures when X-Pack security is enabled with encrypted saved objects, ensuring proper reporting functionality in secured environments. |
47 | 51 | </details> |
48 | 52 |
|
49 | 53 | ### (2025-07-15) What's new in **ROR 1.65.1** |
|
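Review bot: the replacement body of the first Security Fix block (new line 6) drops the CVE-to-component mapping that the removed line carried (CVE-2025-7339 on-headers, CVE-2025-7783 form-data, CVE-2025-54419 Node-SAML, CVE-2025-9288 sha.js), and that mapping is what an operator needs to judge exposure, for example whether CVE-2025-54419 is relevant at all on a deployment that does not use SAML; suggest keeping the library names in the body, e.g. `CVE-2025-54419 (Node-SAML authentication bypass)`, rather than the generic "header modification, HTTP parameter pollution, authentication bypass, and input validation issues". Related wording points in the same hunk: new line 10 adds "administrative features", which neither the removed text nor the linked forum thread title mentions, so it should be backed by the fix or dropped; new line 14 no longer says whether the removed failure details remain available to administrators (the removed line 14 said they were kept for debugging), which is the first thing an operator will ask before upgrading; and the new support line 17 lists 9.0.6 and 9.0.4 with no 9.0.5, so it is worth confirming that gap is intentional.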