chg: [blog] MISP 2.4.121 release

pull/19/head
Alexandre Dulaunoy 2020-02-12 21:00:40 +01:00
parent 8bc68b4e0c
commit 22a5999aaf
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 11 additions and 6 deletions


@ -6,8 +6,7 @@ featured: /assets/images/misp/blog/t-misp-overview.png
# MISP 2.4.121 released # MISP 2.4.121 released
A new version of MISP ([2.4.121](https://github.com/MISP/MISP/tree/v2.4.120)) has been released. This version is a security/bug fix release and users are highly encouraged to update as soon as possible. Besides that several issues were resolved and some new functionalities were added. A new version of MISP ([2.4.121](https://github.com/MISP/MISP/tree/v2.4.121)) has been released. This version is a security/bug fix release and users are highly encouraged to update as soon as possible. Besides that several issues were resolved and some new functionalities were added.
# Security issues # Security issues
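Review bot: the link correction (tree/v2.4.120 to tree/v2.4.121) is right, since the link text already said 2.4.121, but the same line still has a grammar slip: "Besides that several issues were resolved" needs a comma after "Besides that", and "security/bug fix release" would read better hyphenated as "security/bug-fix release". Suggested: "Besides that, several issues were resolved and some new functionalities were added."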
@ -16,9 +15,11 @@ The new version includes fixes to a set of vulnerabilities, kindly reported by D
- A reflected XSS in the galaxy view [CVE-2020-8893](https://cve.circl.lu/cve/CVE-2020-8893) - A reflected XSS in the galaxy view [CVE-2020-8893](https://cve.circl.lu/cve/CVE-2020-8893)
- ACL wasn't always correctly adhered to for the discussion threads [CVE-2020-8894](https://cve.circl.lu/cve/CVE-2020-8892) - ACL wasn't always correctly adhered to for the discussion threads [CVE-2020-8894](https://cve.circl.lu/cve/CVE-2020-8892)
- Potential time skew between web server and database would cause the brute force protection not to fire.[CVE-2020-8890](https://cve.circl.lu/cve/CVE-2020-8890) - Potential time skew between web server and database would cause the brute force protection not to fire.[CVE-2020-8890](https://cve.circl.lu/cve/CVE-2020-8890)
- Whilst investigating the above, we have identified and resolved other issues with the brute force protection:
* Missing canonicalisation of the usernames before issuing the bruteforce entry.[CVE-2020-8891](https://cve.circl.lu/cve/CVE-2020-8891) Whilst investigating the above, we have identified and resolved other issues with the brute force protection:
* PUT requests for the login were skipping the protection. [CVE-2020-8892](https://cve.circl.lu/cve/CVE-2020-8892)
- Missing canonicalisation of the usernames before issuing the bruteforce entry.[CVE-2020-8891](https://cve.circl.lu/cve/CVE-2020-8891)
- PUT requests for the login were skipping the protection. [CVE-2020-8892](https://cve.circl.lu/cve/CVE-2020-8892)
Whilst the issues identified are not deemed critical, it is highly suggested to update and inform your peers to follow suit. Whilst the issues identified are not deemed critical, it is highly suggested to update and inform your peers to follow suit.
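Review bot: the ACL bullet links the wrong advisory and this hunk leaves it unfixed on both sides: `[CVE-2020-8894](https://cve.circl.lu/cve/CVE-2020-8892)` labels the discussion-thread ACL issue as CVE-2020-8894 but points at CVE-2020-8892, which is the identifier used two bullets later for the PUT-request bypass. Change the URL to https://cve.circl.lu/cve/CVE-2020-8894 so readers land on the right entry. Two smaller points in the same lines: the brute-force bullets have no space before their links ("not to fire.[CVE-2020-8890]", "bruteforce entry.[CVE-2020-8891]"), and the restructuring turns "Whilst investigating the above ..." from a list item into a standalone sentence between two `-` lists; that reads fine, but the two follow-up items should then be phrased consistently with the first list (for example "Usernames were not canonicalised before the brute-force entry was recorded.").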
@ -42,6 +43,10 @@ Various improvements to both better inform administrators about potential issues
A massive list of improvements to the usability of MISP, with a special thank you to Jakub Onderka again for his endless stream of improvements. A massive list of improvements to the usability of MISP, with a special thank you to Jakub Onderka again for his endless stream of improvements.
# MISP Objects templates
We received a significant number of [new object templates](https://www.misp-project.org/objects.html) to describe specific additional use cases including disinformation, media and also improved HTTP representation.
# Acknowledgement # Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large. We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
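Review bot: the new heading "MISP Objects templates" should be "MISP object templates", matching the link text "new object templates" on the next line and the naming on the linked objects page. The sentence itself is vague on what changed: "improved HTTP representation" does not say which template was improved; naming the HTTP-related template(s), or linking their entries, would make the note actionable for operators deciding whether to update their object definitions.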