[DOCS] 6.8.7 Release Notes (#58486)

* [DOCS] 6.8.7 Release Notes

* Security issues

* Links
Kaarina Tungseth 2020-03-02 15:47:39 -06:00 committed by GitHub
parent 0b8870d2d5
commit 84b51b63e4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -14,6 +14,7 @@
This section summarizes the changes in each release.
* <<release-notes-6.8.7>>
* <<release-notes-6.8.6>>
* <<release-notes-6.8.5>>
* <<release-notes-6.8.4>>
@ -93,6 +94,31 @@ This section summarizes the changes in each release.
//=== Known Issues
////
[[release-notes-6.8.7]]
== {kib} 6.8.7
[float]
[[bug-6.8.7]]
=== Bug fixes
Operations::
* Updates Node.js to version 10.19.0 {pull}56940[#56940]
Platform::
* Limits fetching index patterns {pull}56603[#56603]
[float]
[[security-fix-6.8.7]]
=== Security issues
In {kib} 6.8.7 and earlier, Node.js contains the following security issues:
* The TLS handling code for Node.js includes a Denial of Service (DoS) issue. Successful exploitation of the flaw could result in {kib} crashing. Refer to https://www.elastic.co/community/security/, CVE-2019-15604.
+
There are no known workarounds for this issue.
* There are issues with how Node.js handles malformed HTTP headers. The malformed headers could result in an HTTP request smuggling attack when {kib} is running behind a proxy that is vulnerable to HTTP request smuggling attacks. Refer to https://www.elastic.co/community/security/, CVE-2019-15605 and CVE-2019-15606.
+
For instructions on how to mitigate HTTP request smuggling attacks, contact your proxy vendor.
Administrators running {kib} in an environment with untrusted users should upgrade to {kib} 6.8.7, which updates Node.js to 10.19.0.
[[release-notes-6.8.6]]
== {kib} 6.8.6
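Review bot: the affected-version range in `In {kib} 6.8.7 and earlier, Node.js contains the following security issues:` contradicts the rest of this hunk. The bug-fix entry `Updates Node.js to version 10.19.0 {pull}56940[#56940]` and the closing sentence `Administrators running {kib} in an environment with untrusted users should upgrade to {kib} 6.8.7, which updates Node.js to 10.19.0.` both say 6.8.7 is the release that carries the fixed Node.js, so the range should read `In {kib} 6.8.6 and earlier` (or "prior to 6.8.7"), otherwise a reader is told that the version they are being asked to upgrade to is itself affected. Minor: in `Refer to https://www.elastic.co/community/security/, CVE-2019-15604.` the trailing `, CVE-...` reads as part of the URL; `Refer to CVE-2019-15604 at https://www.elastic.co/community/security/` (and likewise for CVE-2019-15605 and CVE-2019-15606) makes clear that the CVE identifier is the thing to look up on that page.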
@ -101,12 +127,12 @@ This section summarizes the changes in each release.
[[bug-6.8.6]]
=== Bug fix
Maps::
* Fixes a cross-site scripting (XSS) flaw in Coordinate and Region Map
visualizations. An attacker could create a malicious visualization that
executes JavaScript in a victims browser when the visualization, or dashboard
containing the visualization, was viewed. Since Kibana 6.7.0, Content Security
Policy (CSP), which prevents attackers from using this flaw, is enabled by
default. However, an attacker can still inject arbitrary HTML into the page.
* Fixes a cross-site scripting (XSS) flaw in Coordinate and Region Map
visualizations. An attacker could create a malicious visualization that
executes JavaScript in a victims browser when the visualization, or dashboard
containing the visualization, was viewed. Since Kibana 6.7.0, Content Security
Policy (CSP), which prevents attackers from using this flaw, is enabled by
default. However, an attacker can still inject arbitrary HTML into the page.
See https://www.elastic.co/community/security/, CVE-2019-7621.
* Sanitizes attribution {pull}52309[#52309]
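Review bot: the rewritten paragraph keeps `executes JavaScript in a victims browser` verbatim from the removed lines; since these lines are being replaced anyway, fix the possessive to `victim's browser`, and replace the literal product name in `Since Kibana 6.7.0, Content Security` with the `{kib}` attribute used in `== {kib} 6.8.6` and elsewhere in this file. The added reference `See https://www.elastic.co/community/security/, CVE-2019-7621.` also uses a different form from the `Refer to https://www.elastic.co/community/security/, CVE-...` sentences introduced for 6.8.7 in the hunk above; use one form for all four CVE references so the security-issue entries are consistent.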