From 970821f6444e81304e520bc44145298a6aaa8e4f Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Fri, 25 Aug 2017 16:01:45 +0200 Subject: [PATCH] Update 2017-08-25-MISP.2.4.79.released.md --- _posts/2017-08-25-MISP.2.4.79.released.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/_posts/2017-08-25-MISP.2.4.79.released.md b/_posts/2017-08-25-MISP.2.4.79.released.md index 14bc73a..1bbffcf 100644 --- a/_posts/2017-08-25-MISP.2.4.79.released.md +++ b/_posts/2017-08-25-MISP.2.4.79.released.md 
@@ -4,19 +4,19 @@ layout: post featured: /assets/images/misp-small.png --- -A new version of MISP [2.4.79](https://github.com/MISP/MISP/tree/v2.4.79) has been released including an important security fix (XSS on comment field), multiple bug fixes and new functionalities. +A new version of MISP [2.4.79](https://github.com/MISP/MISP/tree/v2.4.79) has been released including an important security fix (persistent XSS on comment field), multiple bug fixes and new functionalities. All the taxonomies actions (including index, view, enable, disable) are now accessible via the API. The feed previews are now exposed to the API in addition to the graphical user-interface. -Additional command line tool like enabling/disabling misp or changing baseurl can be done from command line (e.g. easing automation and deployment of MISP instances at large scale). +Additional command line tool such as enabling/disabling misp or changing baseurl can be done from command line (e.g. easing the automation and deployment of MISP instances at large scales). Set the current password confirmation requirement for any user profile edits as optional (off by default). Feeds (caching and updates) can now be updated via the scheduler. -[CVE-2017-13671](https://www.circl.lu/advisory/CVE-2017-13671/) was fixed. A MISP user having access to a MISP instance can inject JavaScript in a comment field, aka XSS. The comment field is not part of the MISP synchronisation and only impacts the users of the same instance. Thanks to Jurgen Jans and Cedric Van Bockhaven from Deloitte for the security report. +[CVE-2017-13671](https://www.circl.lu/advisory/CVE-2017-13671/) was fixed. A MISP user having access to a MISP instance can inject JavaScript in a discussion comment field, aka XSS. The comment field is not part of the MISP synchronisation and only impacts the users of the same instance. Thanks to Jurgen Jans and Cedric Van Bockhaven from Deloitte for the security report. 
MISP taxonomies, galaxies (including the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)) and PyMISP updated to the latest version. @@ -26,6 +26,6 @@ The full change log is available [here](https://www.misp.software/Changelog.txt) Don't hesitate to [open an issue](https://github.com/MISP/MISP/issues) if you have any feedback, found a bug or want to propose new features. -Don't forget our [MISP summit 0x3](https://2017.hack.lu/misp-summit/) before the [hack.lu](https://2017.hack.lu/) 2017 conference which will take place from 14:00 to 18:00, Monday 16 October 2017. The core team of MISP will also join the [hack.lu open source security software hackathon 0x2 ](https://hackathon.hack.lu/) which will take place the 19-20 October 2017. +Don't forget our [MISP summit 0x3](https://2017.hack.lu/misp-summit/) before the [hack.lu](https://2017.hack.lu/) 2017 conference which will take place from 14:00 to 18:00, Monday 16 October 2017. The core team of MISP will also join the [hack.lu open source security software hackathon 0x2 ](https://hackathon.hack.lu/) which will take place 19-20 October 2017. A new MISP training will take place in Luxembourg the 21st November 2017, [registration is now open](https://www.eventbrite.com/e/misp-training-november-edition-tickets-36347289722).
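Review bot: In the first hunk the reworded command-line sentence is still ungrammatical: "Additional command line tool such as enabling/disabling misp or changing baseurl can be done from command line" pairs a singular noun with a plural construction, and "at large scales" is not idiomatic. Suggest something like "Additional command line tools, such as enabling/disabling MISP or changing the baseurl, are now available (e.g. easing the automation and deployment of MISP instances at scale)." The same hunk also introduces a small inconsistency: the intro now says "persistent XSS on comment field" while the CVE-2017-13671 paragraph says "discussion comment field"; naming the discussion comment field in both places would make it clear to readers which field was affected.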
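Review bot: The second hunk removes "the" before "19-20 October 2017" but leaves the identical construction in the unchanged training sentence ("will take place in Luxembourg the 21st November 2017"), which would read better as "on 21 November 2017" for consistency with the edited line. The link text "[hack.lu open source security software hackathon 0x2 ]" on the same line still carries a trailing space before the closing bracket, which ends up in the rendered anchor text; worth removing while this line is being touched.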