Merge pull request #1706 from rundeck/4.0.x

jsboak · web-flow · commit f628339aed3d · 2025-09-26T14:25:51.000-07:00
rebase
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -5,7 +5,6 @@ orbs:
 jobs:
   build:
     docker:
-      # specify the version you desire here
       - image: cimg/node:22.12.0
         environment:
           NODE_OPTIONS="--max-old-space-size=6144"
@@ -128,7 +127,7 @@ jobs:
             }
   update_index:
     machine:
-      image: ubuntu-2004:2023.07.1
+      image: ubuntu-2204:current
     resource_class: medium
     working_directory: ~/repo
     steps:
diff --git a/.docsearch/config.json b/.docsearch/config.json
@@ -8,7 +8,7 @@
         "version": [
           "docs",
           "4.0.x",
-          "5.14.1"
+          "5.15.0"
         ]
       }
     }
@@ -19,19 +19,14 @@
   "selectors": {
     "default": {
       "lvl0": {
-        "selector": ".vp-sidebar-links > li:first-child > .vp-sidebar-group > .vp-sidebar-header > .vp-sidebar-title",
+        "selector": ".vp-sidebar > .vp-sidebar-links > li > .vp-sidebar-group > p.vp-sidebar-header.active .vp-sidebar-title",
         "global": true,
         "default_value": "Documentation"
       },
-      "lvl1": {
-        "selector": ".theme-hope-content h1",
-        "global": true,
-        "default_value": "Documentation"
-      },
-      "text": {
-        "selector": "//div[contains(@class, \"theme-hope-content\")]//li | //div[contains(@class, \"theme-hope-content\")]//p | //div[contains(@class, \"theme-hope-content\")]//pre[string-length(string()) < 5000]",
-        "type": "xpath"
-      },
+      "lvl1": "#markdown-content h1",
+      "lvl2": "#markdown-content h2",
+      "lvl3": "#markdown-content h3",
+      "text": "#markdown-content p, #markdown-content li",
       "lang": {
         "selector": "/html/@lang",
         "type": "xpath",
diff --git a/docs/.vuepress/setup.js b/docs/.vuepress/setup.js
@@ -1,7 +1,7 @@
 import { BaseTransition } from "vue"
 
-const RUNDECK_VERSION='5.14.1'
-const RUNDECK_VERSION_FULL='5.14.1-SNAPSHOT'
+const RUNDECK_VERSION='5.15.0'
+const RUNDECK_VERSION_FULL='5.15.0-SNAPSHOT'
 const API_VERSION='53'
 const API_DEP_REL='6.0.0'
 const API_DEP_VER='17'
diff --git a/docs/.vuepress/sidebar-menus/history.ts b/docs/.vuepress/sidebar-menus/history.ts
@@ -70,6 +70,10 @@ export default [
             text: 'Version 5.x',
             collapsible: true,
             children: [
+              {
+                text: "5.15.0",
+                link: "https://docs.rundeck.com/5.15.0/"
+              },
               {
                 text: "5.14.1",
                 link: "https://docs.rundeck.com/5.14.1/"
diff --git a/docs/.vuepress/sidebar-menus/user-guide.ts b/docs/.vuepress/sidebar-menus/user-guide.ts
diff --git a/docs/administration/configuration/config-file-reference.md b/docs/administration/configuration/config-file-reference.md
@@ -235,10 +235,48 @@ used. Specified from [jaas-loginmodule.conf](#jaas-loginmodule-conf).
 
 ## Session timeout
 
-See [rundeck-config.properties > Server Settings](#server-settings)
+Session Timeout Behavior:
 
-Or set `server.servlet.session.timeout` via [System Properties Configuration](/administration/configuration/system-properties.md).
+- **Activity-based timeout**: Under normal operations, sessions time out based on inactivity using the value defined in `server.servlet.session.timeout` (default: 3600 seconds).
+- **Forced re-authentication**: When `rundeck.userSessionDuration.forceReauthentication` is enabled, sessions will expire after the duration defined in `rundeck.userSessionDuration.maxMinutes`, regardless of user activity.
+- **Default values**: When `rundeck.userSessionDuration.forceReauthentication` is enabled and `rundeck.userSessionDuration.maxMinutes` isn't specified, the default `userSessionDuration.maxMinutes` is 60 minutes.
 
+:::tip
+Beware that using the forced re-authentication feature may result in data loss if jobs are not saved when the session is invalidated.
+:::
+
+### Inactivity Timeout
+
+To configure the inactivity timeout use `server.servlet.session.timeout`. The default is 3600 seconds. 
+
+Example configurations:
+
+```properties
+# Standard activity-based timeout (2 hours)
+server.servlet.session.timeout=7200
+```
+
+Also see [rundeck-config.properties > Server Settings](#server-settings)
+
+### Forced re-authentication (Commercial Products Only)
+
+It is also possible to force re-authentication regardless of activity levels.
+
+- `rundeck.userSessionDuration.maxMinutes`: Maximum duration in minutes for user sessions. Default: 60 minutes.
+- `rundeck.userSessionDuration.forceReauthentication`: Default: `false`. When set to `true`, enforces session timeout regardless of user activity. When set to `false` (default), no forced re-authentication occurs and sessions only time out based on inactivity.
+
+All of these can be set via [System Properties Configuration](/administration/configuration/system-properties.md) or in `rundeck-config.properties`.
+
+Example configurations:
+
+```properties
+# Force reauthentication after 8 hours regardless of activity
+rundeck.userSessionDuration.maxMinutes=480
+rundeck.userSessionDuration.forceReauthentication=true
+
+# Force reauthentication regardless of activity with default 60-minute timeout
+rundeck.userSessionDuration.forceReauthentication=true
+```
 ## rundeck-config.properties
 
 This is the primary Rundeck webapp configuration file. Defines default
diff --git a/docs/administration/configuration/email-settings.md b/docs/administration/configuration/email-settings.md
@@ -31,7 +31,9 @@ grails.mail.password=pass
 
 If you need more advanced configuration (e.g., authenticated and secured over SSL), see the grails Mail plugin configuration:
 
-[Grails Mail Configuration](https://gpc.github.io/grails-mail/guide/2.%20Configuration.html)
+[Grails Mail Configuration](https://grails.github.io/grails-mail/latest/guide/2.%20Configuration.html)
+
+> Note: The link above is for version 4.0.0.  In the Rundeck version 5.0 series we are using version 3.0.0.
 
 :::tip
 For the extended configuration properties, it needs to be appended to the property prefix `grails.mail.props.<key_props>`. For example, to enable `starttls`, the property should be `grails.mail.props.mail.smtp.starttls.enable=true`
diff --git a/docs/api/index.md b/docs/api/index.md
@@ -1445,7 +1445,8 @@ Success response, with a list of users:
     "created": "2017-10-01T09:00:20Z",
     "updated": "2018-08-24T13:53:02Z",
     "lastJob": "2018-08-28T13:31:00Z",
-    "tokens": 1
+    "tokens": 1,
+    "lastLogin": "2025-09-08T13:29:21Z"
 },
 {
     "login":"admin",
@@ -1455,10 +1456,15 @@ Success response, with a list of users:
     "created": "2016-07-17T18:42:00Z",
     "updated": "2018-08-24T13:53:00Z",
     "lastJob": "2018-08-28T13:31:00Z",
-    "tokens": 6
+    "tokens": 6,
+    "lastLogin": "2025-09-08T13:29:21Z"
 }]
 ```
 
+**Since v53**
+
+* `lastLogin` Last login time for a user.
+
 **Since v27**:
 
 * `created` Creation date of the user.
diff --git a/docs/history/5_x/version-5.15.0.md b/docs/history/5_x/version-5.15.0.md
@@ -0,0 +1,112 @@
+---
+
+title: "5.15.0 Release Notes"
+date: 2025-09-02
+image: /images/chevron-logo-red-on-white.png
+description: "Rundeck | Runbook Automation Releases 5.15.0 | Security Fixes and Community Updates"
+feed:
+ enable: true
+ description: "Security focused improvements with some community submissions!"
+
+---
+
+# 5.15.0 Release Notes
+
+<VidStack src="youtube/LLkpNPuQiKk" poster="https://img.youtube.com/vi/LLkpNPuQiKk/maxresdefault.jpg"/>
+
+## Overview
+
+We always appreciate Community submissions. As part of this release we have 6 contributors that provided enhancements alongside our dedicated staff team.
+
+This release focuses heavily on security improvements and product modernization, addressing multiple CVE findings including CVE-2025-55163, CVE-2024-21538, CVE-2022-38749, and several others. Key security enhancements include forced re-authentication capabilities and comprehensive dependency updates.
+
+Beyond security, this release includes important user experience improvements such as fixes for job loading in the Next UI, enhanced node filtering behavior, and finalized French translations. We've also made significant infrastructure improvements by removing legacy GSP pages that have been converted to Vue components and updating various plugins and dependencies.
+
+## Runbook Automation Updates
+
+> Also includes all Open Source updates from below
+
+### Additional Updates
+
+
+* Additional fixes to address CVE-2025-55163 findings
+* Fix: Force cross-spawn patched versions to fix CVE-2024-21538
+* Force Re-authentication regardless of activity status
+* Fixes for CVE-2025-55163
+* Finish CVE-2024-57699 mitigation
+* Fix CVE-2022-38749 - Groovy 3.0.25
+* Update snakeyaml to fix CVE-2022-38749
+* CVE-2025-48734 Mitigation - Common Beans 1.11.0
+* CVE-2024-25710 - High - Review/Resolve
+* Update Quartz for CVE-2019-5427
+* Upgrade WireMock to fix CVE-2024-8184
+* CVE-2020-26939
+* CVE-2024-47554
+
+
+## Rundeck Open Source Product Updates
+
+* [Fix jobs not loading in nextUI ](https://github.com/rundeck/rundeck/pull/9780)
+* [Back previous behavior for node filtering combining two filters by clicking on it](https://github.com/rundeck/rundeck/pull/9775)
+* [Finalize French translations](https://github.com/rundeck/rundeck/pull/9772)
+* [Fix for CVE-2025-4949 - jgit](https://github.com/rundeck/rundeck/pull/9769)
+* [Fix: Force cross-spawn patched versions to fix CVE-2024-21538](https://github.com/rundeck/rundeck/pull/9768)
+* [Fix CVE-2022-38749](https://github.com/rundeck/rundeck/pull/9759)
+* [Fix: repeated exceptions after SCM is disabled](https://github.com/rundeck/rundeck/pull/9756)
+* [Child processes not being killed on Windows OS nodes](https://github.com/rundeck/rundeck/pull/9747)
+* [Update Quartz for CVE-2019-5427](https://github.com/rundeck/rundeck/pull/9745)
+* [Update openshh-node-execution plugin version](https://github.com/rundeck/rundeck/pull/9744)
+* [update commons-compress version](https://github.com/rundeck/rundeck/pull/9743)
+* [Additional Fixes for CVE-2025-48976](https://github.com/rundeck/rundeck/pull/9742)
+* [Update execution metrics](https://github.com/rundeck/rundeck/pull/9741)
+* [Cleanup: Remove old gsp pages that were converted to Vue](https://github.com/rundeck/rundeck/pull/9739)
+* [cleanup: remove &#39;filterPref&#39; logic](https://github.com/rundeck/rundeck/pull/9738)
+* [CVE-2024-47554](https://github.com/rundeck/rundeck/pull/9736)
+* [Enh/Add logger.cleanup on Remco log4j template](https://github.com/rundeck/rundeck/pull/9716)
+* [Job editor card header section in vue](https://github.com/rundeck/rundeck/pull/9713)
+* [chore(deps): Bump jgit to 6.10.1.202505221210-r](https://github.com/rundeck/rundeck/pull/9699)
+* [Update dependency org.seleniumhq.selenium:selenium-java to v4.34.0](https://github.com/rundeck/rundeck/pull/9505)
+* [Update French Translations - From community](https://github.com/rundeck/rundeck/pull/9184)
+
+[Here is a link to the full list of public PRs](https://github.com/rundeck/rundeck/pulls?q=is%3Apr+milestone%3A5.15.0+is%3Aclosed)
+
+## Links
+
+- Download the Releases: [Open Source](https://www.rundeck.com/community-downloads/5.15.0) | [Self-Hosted](https://www.rundeck.com/enterprise-downloads/5.15.0)
+- [Sign up for Release Notes](https://www.rundeck.com/release-notes-signup)
+- [Upgrade instructions](/upgrading/index.md)
+- [Catch us on LinkedIn for the Live Stream Release Videos](https://www.linkedin.com/company/pagerduty/events)
+
+## Version Info
+
+Name: <span style="color: fuchsia"><span class="glyphicon glyphicon-sunglasses"></span> "Matterhorn fuchsia sunglasses"</span>
+
+Release Date: September 2nd, 2025
+
+
+## Community Contributors
+
+Submit your own Pull Requests to get recognition here!
+
+* Lucas Migliorini ([luqpy](https://github.com/luqpy))
+* Christian Schulze-Wiehenbrauk ([Ntr0](https://github.com/Ntr0))
+* Clément Mazzella ([mazzella-c](https://github.com/mazzella-c))
+* JP Lassnibatt ([jplassnibatt](https://github.com/jplassnibatt))
+* Bruno Dias ([brmdias](https://github.com/brmdias))
+* Rui Melo Amaro ([rmeloamaro](https://github.com/rmeloamaro))
+
+
+## Staff Contributors
+
+* Greg Schueler ([gschueler](https://github.com/gschueler))
+* Carlos Eduardo ([carlosrfranco](https://github.com/carlosrfranco))
+* Eduardo Baltra ([edbaltra](https://github.com/edbaltra))
+* Forrest Evans ([fdevans](https://github.com/fdevans))
+* Jake Cohen ([jsboak](https://github.com/jsboak))
+* Jaya Singh ([jayas006](https://github.com/jayas006))
+* Jason Brooks ([jbrookspd](https://github.com/jbrookspd))
+* Jesus Osuna ([Jesus-Osuna-M](https://github.com/Jesus-Osuna-M))
+* José Vásquez ([hiawvp](https://github.com/hiawvp))
+* Luis Toledo ([ltamaster](https://github.com/ltamaster))
+* Rodrigo Navarro ([ronaveva](https://github.com/ronaveva))
+* Sarah Martinelli Benedetti ([smartinellibenedetti](https://github.com/smartinellibenedetti))
diff --git a/docs/history/cves/cve-2024-38816.md b/docs/history/cves/cve-2024-38816.md
diff --git a/docs/history/cves/cve-2024-38819.md b/docs/history/cves/cve-2024-38819.md
diff --git a/docs/history/cves/cve-2024-45338.md b/docs/history/cves/cve-2024-45338.md
@@ -1,5 +1,5 @@
 ---
-order: 50
+order: 59
 ---
 
 # CVE-2024-45338
diff --git a/docs/history/cves/cve-2025-41242.md b/docs/history/cves/cve-2025-41242.md
@@ -0,0 +1,13 @@
+---
+order: 51
+---
+
+# CVE-2025-41242
+
+## Path traversal vulnerability on non-compliant Servlet containers
+
+::: danger FALSE POSITIVE
+ Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+This is a Spring vulnerability, but the [CVE article](https://spring.io/security/cve-2025-41242) says "deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration."  The Rundeck product does not disable the default security features.
diff --git a/docs/history/cves/cve-2025-41249.md b/docs/history/cves/cve-2025-41249.md
@@ -0,0 +1,13 @@
+---
+order: 52
+---
+
+# CVE-2025-41249
+
+## The Spring Framework annotation detection mechanism may not correctly resolve annotation
+
+::: danger FALSE POSITIVE
+Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+This is a Spring Framework vulnerability. [CVE-2025-41249](https://nvd.nist.gov/vuln/detail/CVE-2025-41249) only affects applications using the "EnableMethodSecurity" annotation, which we do not use.
diff --git a/docs/history/cves/cve-2025-48924.md b/docs/history/cves/cve-2025-48924.md
@@ -1,5 +1,5 @@
 ---
-order: 51
+order: 53
 ---
 
 # CVE-2025-48924
diff --git a/docs/history/cves/index.md b/docs/history/cves/index.md
@@ -53,4 +53,7 @@ These are the Security Advisories Rundeck has issued in the past.  It is always
 * [CVE-2024-38819 Path traversal vulnerability in functional web frameworks #2](cve-2024-38819.md).
 * [CVE-2024-38820 Spring Framework's DataBinder false positive](cve-2024-38820.md).
 * [CVE-2024-38827 Locale-sensitive string case conversion methods](cve-2024-38827.md).
-* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
+* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
+* [CVE-2025-41242 Spring Path traversal](cve-2025-41242.md).
+* [CVE-2025-48924 Issue in Apache Commons Lang](cve-2025-48924.md)
+* [CVE-2025-41249 Spring Framework annotation detection mechanism may not correctly resolve annotation](cve-2025-41249.md)
diff --git a/docs/history/release-calendar.md b/docs/history/release-calendar.md
@@ -9,6 +9,7 @@ Upgrade instructions [can be found here](/upgrading/index.md).
 
 | Release Version                          | Release Date         | Enterprise Support Status |
 |------------------------------------------|----------------------|---------------------------|
+| [5.15.0](/history/5_x/version-5.15.0.md)   | September 2nd, 2025   | Supported |
 | [5.14.1](/history/5_x/version-5.14.1.md)   | August 18th, 2025   | Supported |
 | [5.14.0](/history/5_x/version-5.14.0.md)   | August 4th, 2025   | Supported |
 | [5.13.0](/history/5_x/version-5.13.0.md)   | June 25th, 2025   | Supported |
diff --git a/docs/learning/howto/acls/group-project-full.md b/docs/learning/howto/acls/group-project-full.md
@@ -72,9 +72,8 @@ for:
   storage:
   - allow:
     - '*'
-    equals:
-      path: keys/project/prj-sandbox
-      name: .*
+    match:
+      path: keys/project/prj-sandbox(/.*)?
 context:
   project: prj-sandbox
 
@@ -128,4 +127,4 @@ for:
 context:
   project: prj-sandbox
 
-```
+```
diff --git a/scripts/_docsearch.sh b/scripts/_docsearch.sh
