chg: [blog] MISP 2.4.121 release

pull/19/head
Alexandre Dulaunoy 2020-02-12 21:00:40 +01:00
parent 8bc68b4e0c
commit 22a5999aaf
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 11 additions and 6 deletions


@ -6,8 +6,7 @@ featured: /assets/images/misp/blog/t-misp-overview.png
# MISP 2.4.121 released
A new version of MISP ([2.4.121](https://github.com/MISP/MISP/tree/v2.4.120)) has been released. This version is a security/bug fix release and users are highly encouraged to update as soon as possible. Besides that several issues were resolved and some new functionalities were added.
A new version of MISP ([2.4.121](https://github.com/MISP/MISP/tree/v2.4.121)) has been released. This version is a security/bug fix release and users are highly encouraged to update as soon as possible. Besides that several issues were resolved and some new functionalities were added.
# Security issues
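Review bot: the tag URL on the replaced line now matches the announced version (v2.4.121 instead of v2.4.120), which is the right fix; the same sentence still lacks a comma in "Besides that several issues were resolved", which should read "Besides that, several issues were resolved and some new functionalities were added."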
@ -16,9 +15,11 @@ The new version includes fixes to a set of vulnerabilities, kindly reported by D
- A reflected XSS in the galaxy view [CVE-2020-8893](https://cve.circl.lu/cve/CVE-2020-8893)
- ACL wasn't always correctly adhered to for the discussion threads [CVE-2020-8894](https://cve.circl.lu/cve/CVE-2020-8892)
- Potential time skew between web server and database would cause the brute force protection not to fire.[CVE-2020-8890](https://cve.circl.lu/cve/CVE-2020-8890)
- Whilst investigating the above, we have identified and resolved other issues with the brute force protection:
* Missing canonicalisation of the usernames before issuing the bruteforce entry.[CVE-2020-8891](https://cve.circl.lu/cve/CVE-2020-8891)
* PUT requests for the login were skipping the protection. [CVE-2020-8892](https://cve.circl.lu/cve/CVE-2020-8892)
Whilst investigating the above, we have identified and resolved other issues with the brute force protection:
- Missing canonicalisation of the usernames before issuing the bruteforce entry.[CVE-2020-8891](https://cve.circl.lu/cve/CVE-2020-8891)
- PUT requests for the login were skipping the protection. [CVE-2020-8892](https://cve.circl.lu/cve/CVE-2020-8892)
Whilst the issues identified are not deemed critical, it is highly suggested to update and inform your peers to follow suit.
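Review bot: the ACL discussion-threads line in this hunk's unchanged context labels the link CVE-2020-8894 but the URL points at https://cve.circl.lu/cve/CVE-2020-8892, the same URL used for the PUT-request entry two lines below; the href should be changed to https://cve.circl.lu/cve/CVE-2020-8894 so the text and target agree. Since this hunk already rewrites the surrounding bullets, it would also be worth adding the missing space before the bracketed references in "not to fire.[CVE-2020-8890]" and "bruteforce entry.[CVE-2020-8891]" so the links render consistently with "the protection. [CVE-2020-8892]".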
@ -42,6 +43,10 @@ Various improvements to both better inform administrators about potential issues
A massive list of improvements to the usability of MISP, with a special thank you to Jakub Onderka again for his endless stream of improvements.
# MISP Objects templates
We received a significant number of [new object templates](https://www.misp-project.org/objects.html) to describe specific additional use cases including disinformation, media and also improved HTTP representation.
# Acknowledgement
We would like to thank all the [contributors](https://www.misp-project.org/contributors), reporters and users who have helped us in the past months to improve MISP and information sharing at large.
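Review bot: the added "MISP Objects templates" section describes the use cases covered (disinformation, media, HTTP representation) but does not name the templates themselves; listing the object template names introduced in this release next to the link to https://www.misp-project.org/objects.html would let readers find them on that page without having to guess which entries are new.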