From 22a5999aaf6d6184811f40da2afa7637767f9b79 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 12 Feb 2020 21:00:40 +0100 Subject: [PATCH] chg: [blog] MISP 2.4.121 release --- _posts/2020-02-12-MISP.2.4.121.released.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/_posts/2020-02-12-MISP.2.4.121.released.md b/_posts/2020-02-12-MISP.2.4.121.released.md index 71d61de..847902c 100644 --- a/_posts/2020-02-12-MISP.2.4.121.released.md +++ b/_posts/2020-02-12-MISP.2.4.121.released.md @@ -6,8 +6,7 @@ featured: /assets/images/misp/blog/t-misp-overview.png # MISP 2.4.121 released -A new version of MISP ([2.4.121](https://github.com/MISP/MISP/tree/v2.4.120)) has been released. This version is a security/bug fix release and users are highly encouraged to update as soon as possible. Besides that several issues were resolved and some new functionalities were added. - +A new version of MISP ([2.4.121](https://github.com/MISP/MISP/tree/v2.4.121)) has been released. This version is a security/bug fix release and users are highly encouraged to update as soon as possible. Besides that several issues were resolved and some new functionalities were added. # Security issues 
@@ -16,9 +15,11 @@ The new version includes fixes to a set of vulnerabilities, kindly reported by D - A reflected XSS in the galaxy view [CVE-2020-8893](https://cve.circl.lu/cve/CVE-2020-8893) - ACL wasn't always correctly adhered to for the discussion threads [CVE-2020-8894](https://cve.circl.lu/cve/CVE-2020-8892) - Potential time skew between web server and database would cause the brute force protection not to fire.[CVE-2020-8890](https://cve.circl.lu/cve/CVE-2020-8890) -- Whilst investigating the above, we have identified and resolved other issues with the brute force protection: -* Missing canonicalisation of the usernames before issuing the bruteforce entry.[CVE-2020-8891](https://cve.circl.lu/cve/CVE-2020-8891) -* PUT requests for the login were skipping the protection. [CVE-2020-8892](https://cve.circl.lu/cve/CVE-2020-8892) + +Whilst investigating the above, we have identified and resolved other issues with the brute force protection: + +- Missing canonicalisation of the usernames before issuing the bruteforce entry.[CVE-2020-8891](https://cve.circl.lu/cve/CVE-2020-8891) +- PUT requests for the login were skipping the protection. [CVE-2020-8892](https://cve.circl.lu/cve/CVE-2020-8892) Whilst the issues identified are not deemed critical, it is highly suggested to update and inform your peers to follow suit. 
@@ -28,7 +29,7 @@ One of the most annoying side-effects of the synchronisation mechanism was the p # New background worker configuration loading -Background workers were loading the server wide configurations on startup, meaning that changes to server settings would not be reflected by any background processed job unless the workers were restarted. A new helper resolves this and loads the configuration on each job execution (Thanks to @RichieB2B for reporting the issue). +Background workers were loading the server wide configurations on startup, meaning that changes to server settings would not be reflected by any background processed job unless the workers were restarted. A new helper resolves this and loads the configuration on each job execution (Thanks to @RichieB2B for reporting the issue). # Memory envelope improvements @@ -42,6 +43,10 @@ Various improvements to both better inform administrators about potential issues A massive list of improvements to the usability of MISP, with a special thank you to Jakub Onderka again for his endless stream of improvements. +# MISP Objects templates + +We received a significant number of [new object templates](https://www.misp-project.org/objects.html) to describe specific additional use cases including disinformation, media and also improved HTTP representation. + # Acknowledgement We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
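Review bot: In the first hunk (`@@ -6,8 +6,7 @@`) the link correction from `tree/v2.4.120` to `tree/v2.4.121` is the right fix, since the link text says 2.4.121 but the URL pointed at the previous tag; while touching that line, "Besides that several issues were resolved" reads better with a comma ("Besides that, several issues were resolved").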
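Review bot: The second hunk (`@@ -16,9 +15,11 @@`) leaves an inconsistent CVE reference in its unchanged context: the line `- ACL wasn't always correctly adhered to for the discussion threads [CVE-2020-8894](https://cve.circl.lu/cve/CVE-2020-8892)` uses 8894 as link text but 8892 as the URL, and 8892 is already used for the PUT-request item, so one of the two identifiers on that line is wrong and should be checked against the advisory before this is published. In the added lines, `bruteforce entry.[CVE-2020-8891]` is missing a space after the period (the PUT line two below it has the space). Moving the two sub-items out of the nested `*` list into their own `-` list under the introductory sentence is a sound fix, as the mixed markers were rendering as one misaligned list.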
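Review bot: The third hunk (`@@ -28,7 +29,7 @@`) changes only whitespace on the "Background workers" line as far as the visible text shows; if the intent was a wording pass, "server wide configurations" and "background processed job" should be hyphenated ("server-wide", "background-processed"), and it would help to say what the new helper is, since "A new helper resolves this" gives the reader nothing to look for in the code.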
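Review bot: In the fourth hunk (`@@ -42,6 +43,10 @@`) the new heading `# MISP Objects templates` does not match the capitalisation of the other headings in the post (e.g. `# Memory envelope improvements`); `# MISP object templates` would be consistent. The sentence "including disinformation, media and also improved HTTP representation" is awkward; suggest "including disinformation and media, as well as an improved HTTP representation". The link to https://www.misp-project.org/objects.html is appropriate here.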