[Bug 248330] textproc/kibana6: Update to 6.8.11

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jul 28 15:43:37 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248330

            Bug ID: 248330
           Summary: textproc/kibana6: Update to 6.8.11
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.elastic.co/guide/en/kibana/6.8/release-notes-6.8.11.html
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: elastic at FreeBSD.org
          Reporter: juraj at lutter.sk
             Flags: maintainer-feedback+
 Attachment #216841: maintainer-approval+

Created attachment 216841
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=216841&action=edit
textproc/kibana6: Update to 6.8.11

Hi,

please find the patch attached.

Changelog:

* Security updates
  - In Kibana 6.8.11 and earlier, there is a denial of service (DoS) flaw in
    Timelion. Attackers can construct a URL that, when viewed by a Kibana user,
    causes the Kibana process to consume large amounts of CPU and become
    unresponsive (CVE-2020-7016).
    You must upgrade to 6.8.11. If you are unable to upgrade, set
    timelion.enabled to false in your kibana.yml file to disable Timelion.

  - In all Kibana versions, region map visualizations contain a stored XSS
    flaw. Attackers that can edit or create region map visualizations can obtain
    sensitive information or perform destructive actions on behalf of Kibana
    users who view the region map visualization (CVE-2020-7017).
    You must upgrade to 6.8.11. If you are unable to upgrade, set
    xpack.maps.enabled, region_map.enabled, and tile_map.enabled to false in
    kibana.yml to disable map visualizations.

* Enhancements
  - Platform
    - Makes the SameSite cookie attribute configurable

* Security
  - Supports deep links inside of RelayState for SAML IdP initiated login

    If users want to deep link into Kibana after a successful SAML Identity
    Provider initiated login, they can set
    xpack.security.authc.providers.saml.<provider-name>.useRelayStateDeepLink
    for a specific SAML authentication provider and provide a deep link in the
    RelayState parameter.

* Bug fixes
  - Maps
    - Loads configuration from EMS-metadata in region-maps

* Security
  - Redirects to Logged Out UI on SAML Logout Response #69676

    Previously Kibana redirected users to a default location as the last step
    of a SAML User/SP Initiated Single Logout (SP SLO), which forced users to
    log in again when the Login Selector UI was not available. Now, Kibana
    redirects users to either the Login Selector UI or the Logged Out UI at the
    end of SP SLO.


Poudriere log:
https://freebsd-stable.builder.wilbury.net/data/12_STABLE_GENERIC_amd64-default/2020-07-28_17h03m49s/logs/kibana6-6.8.11.log

-- 
You are receiving this mail because:
You are the assignee for the bug.
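The release notes quoted above give two interim workarounds for hosts that cannot move to 6.8.11 yet. The following added example (not part of the bug report, the port, or Kibana itself) audits a kibana.yml against them: it reports each CVE as patched, mitigated or exposed. It assumes the file uses Kibana's flat dotted-key style rather than nested YAML maps.

```python
"""Audit a Kibana 6.x kibana.yml against the interim mitigations named in the
6.8.11 release notes (CVE-2020-7016 Timelion DoS, CVE-2020-7017 region map XSS).
Added example; not code from the bug report, the FreeBSD port or Kibana."""

FIXED_VERSION = (6, 8, 11)  # the release that carries both fixes

# Settings the release notes say to set to false when an upgrade is not possible.
MITIGATIONS = {
    "CVE-2020-7016": ["timelion.enabled"],
    "CVE-2020-7017": ["xpack.maps.enabled", "region_map.enabled", "tile_map.enabled"],
}


def parse_version(text):
    """'6.8.9' -> (6, 8, 9); any pre-release suffix after '-' is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def parse_flat_yaml(text):
    """Parse kibana.yml restricted to flat 'dotted.key: value' lines.
    Assumption: dotted keys (Kibana's default style), not nested YAML maps."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit(version, yaml_text):
    """Return {cve: status} where status is 'patched', 'mitigated' or 'exposed'."""
    settings = parse_flat_yaml(yaml_text)
    patched = parse_version(version) >= FIXED_VERSION
    result = {}
    for cve, keys in MITIGATIONS.items():
        if patched:
            result[cve] = "patched"
        elif all(settings.get(key) == "false" for key in keys):
            result[cve] = "mitigated"
        else:
            result[cve] = "exposed"  # at least one workaround setting missing
    return result


# Constructed sample config: Timelion disabled, map visualizations only partly disabled.
SAMPLE_YAML = """
server.host: "127.0.0.1"
timelion.enabled: false        # CVE-2020-7016 workaround
xpack.maps.enabled: false
region_map.enabled: false
# tile_map.enabled left at its default (true), so CVE-2020-7017 is still exposed
"""

if __name__ == "__main__":
    for cve, status in audit("6.8.10", SAMPLE_YAML).items():
        print(cve, status)
```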


More information about the freebsd-ports-bugs mailing list