i-net Clear Reports

Overview

  • Added strong-named assemblies for the i-net Clear Reports .NET Bridge to the SDK
  • New rendering output formats: DOCX and JSON

Migration Information

Web Server

  • The *Allowed Cross Origins* option is renamed to *Allowed Origins* and, when configured, performs additional checks on the server side.
    • The external visible URL is also sent as an allowed origin in the CORS header.
    • Connections to the server (HTTP(S) as well as WS(S)) are also checked against the list of allowed origins and the external visible URL.

Plugins

Reporting

  • The rendering output format Microsoft Word (*.docx) is now supported
  • Improved image quality in the PDF output format for images that are not stored as JPEG or PNG in the report template.
  • The rendering output format JSON is now supported
  • Rendering text as HTML-Advanced output no longer embeds images, but downloads and references them. The HTML Viewer supports these images even for URLs referenced in the inlined CSS, e.g. for background images.
  • Comments on MySQL table columns are no longer used as column alias.
  • Improved performance of the date/time parsing functions date, time and datetime in formulas
  • Continuous Stacked Bar Chart is now supported
  • ShowValue can now display a value from a formula on simple chart types.
  • Images in HTML-advanced fields are stored as separate files instead of inlined data when exporting to HTML

Fixed Bugs

  • Section with enabled “Print at Bottom of Page” was not printed at the end of the page if HTML output format was used and the page before this section was empty.
  • Sorting of Fields did not work in HTML Viewer.
  • Under certain circumstances, narrow blank table rows occurred in XLSX and ODS export when the report contained horizontal lines near other fields and they were not correctly rasterized.
  • Array parameters of formula user functions were always considered to be constant. As a result, database fields in these arrays were not evaluated.
  • Fixed `java.lang.IllegalArgumentException: Comparison method violates its general contract!` that occurred when searching in the viewer

i-net Designer

Fixed Bugs

  • The following errors occurred sometimes in Remote Designer when opening a report from the repository: “No repository configuration found for file: "…rpt"” and “Not authorized. Please check your permissions and restart the Designer if applicable.”
  • The query timeout set via the Designer user interface was ignored.

Security Fixes

  • The JNLP client could theoretically be sent another client's cookie at startup.

Render Reports

  • Fixed setting the password for exporting reports as encrypted PDF files.

SVG image embedding

  • Updated the internal Batik libraries to version 1.14.

Calendar

  • There is a new calendar trigger that allows running a Task Planner task with a time offset when an event occurs in the given ics or iCal file.

Collaboration

Fixed Bugs

  • Improved the CPU load calculation of the Server Status Command when the server is running on Windows.

CoWork Calls

  • Improved the automatic reconnection of calls
  • Added option to set TURN servers which are responsible for negotiating audio and video call connections
  • The overlay of a call from another channel can now be moved to another corner of the window
  • Audio output improved when switching channels: no more interruptions
  • Sounds are played when another participant joins or leaves a call or raises the hand (configurable)
  • Optionally, the entering or leaving of a participant in a call can be announced by voice (configurable)
  • Audio and video calls are automatically reconnected when the connection to the server is restored, or the page is reloaded by mistake
  • In the channel list, the participants of a call are now listed below the channel
  • The caller view and the call overlay have been further optimized
  • The available reactions within a call can now be defined in the configuration. If all emojis are removed, this feature will also be disabled
  • Layout improvements for calls in the Safari browser

Fixed Bugs

  • Speech recognition when switching to another channel during a call

CoWork Meeting Rooms

  • With CoWork meeting rooms, temporary channels can be set up and external users can be invited. Many use cases such as external support, product demonstrations and the creation of temporary workgroups are possible.

Diagnostics

  • Added support for a memory dump when running with an OpenJ9 Java VM.

Field Settings

  • Added the new data types “Date with Time” and “Time”
  • Added option “Ignore timezone” for “Date” and “Date with Time” in order to work with local dates
  • Label and description of predefined and user-defined fields can be translated into multiple languages via the Field Settings dialog
  • Added a maintenance task that backs up all user field settings, including translations and custom fields.

FTP Transfer

Fixed Bugs

  • When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.

Help

  • Links that require another plugin to be enabled open the Plugins Store where the required plugin can be activated or loaded.

HTTP

Fixed Bugs

  • Fixed access to the HTTP trigger when it is set to be available for everyone

i-net CoWork

  • Added support for the creation of temporary meeting rooms.
  • Added support for emoji
  • Integrated idle detection with a configurable delay; the status switches from online to away when the user is absent
  • A marker is now displayed to indicate new messages
  • CoWork reconnects to the server without reloading the whole page
  • The Task Planner trigger “CoWork Command” is able to split the parameters into single values to be referenced via placeholder in jobs and actions
  • Drafts are saved per channel and also synchronize across multiple devices
  • Links in messages can be copied via a click in the context menu
  • Smaller thumbnails are generated for images. Attachments are cached in the client for up to 30 days.
  • Improved focus handling for touch devices

System Core

  • Installer for macOS using Apple Silicon is available
  • The bundled Eclipse Temurin is version 17.0.6
  • Added support for DynamoDB persistence
  • Added support for the HTTP header Forwarded (RFC 7239) for use with reverse proxies.
  • Database Persistence accepts any configuration scope (USER or SYSTEM) and can also run as a non-root account.
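The Forwarded header only carries trustworthy information when it was written by your own reverse proxy; a client talking to the server directly can send any value it likes. The following is an added example, not code from i-net software, showing what a consumer of that header has to do: parse the RFC 7239 syntax (comma-separated hops, semicolon-separated pairs, quoted IPv6 literals, obfuscated identifiers) and only believe the header when the TCP peer is a trusted proxy. The function names, the trusted-proxy range and the sample headers are assumptions made for this example.

```python
"""RFC 7239 "Forwarded": parse the header and decide whether to believe it.

Added example (not i-net code). A reverse proxy in front of the server records
the original client address and scheme in this header; the application must only
honour it when the TCP peer really is one of its proxies, otherwise any client can
claim an arbitrary source address or "proto=https". Function names, the sample
headers and the trusted-proxy range below are assumptions for the example.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# forwarded-pair = token "=" ( token / quoted-string ); pairs joined by ";",
# one element per proxy hop, elements joined by "," (RFC 7239 section 4).
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_PAIR_RE = re.compile(
    rf'\s*(?P<name>{_TOKEN})\s*=\s*(?P<value>"(?:[^"\\]|\\.)*"|{_TOKEN})\s*(?P<sep>[;,]|$)'
)


def parse_forwarded(header: str) -> List[Dict[str, str]]:
    """Return one dict per hop, oldest hop (the one nearest the client) first."""
    hops: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    pos = 0
    while pos < len(header):
        if header[pos].isspace():
            pos += 1
            continue
        if header[pos] == ",":            # empty list elements are permitted
            if current:
                hops.append(current)
                current = {}
            pos += 1
            continue
        m = _PAIR_RE.match(header, pos)
        if not m:
            raise ValueError(f"malformed Forwarded header at offset {pos}")
        name, value = m["name"].lower(), m["value"]
        if value.startswith('"'):         # unescape quoted-string
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        if name in current:               # a parameter MUST NOT occur twice per element
            raise ValueError(f"duplicate parameter {name!r}")
        current[name] = value
        pos = m.end()
        if m["sep"] == ",":
            hops.append(current)
            current = {}
    if current:
        hops.append(current)
    return hops


def _strip_port(node: str) -> str:
    """'[2001:db8::1]:443' -> '2001:db8::1', '192.0.2.1:1234' -> '192.0.2.1'.
    IPv6 literals are bracketed (and therefore quoted) per the RFC."""
    if node.startswith("["):
        return node[1 : node.index("]")]
    host, sep, port = node.rpartition(":")
    return host if sep and port.isdigit() else node


def client_address(
    peer_ip: str, forwarded_header: Optional[str], trusted_proxies: List[str]
) -> Tuple[str, Optional[str]]:
    """Return (client_ip, proto) for one request.

    The header is ignored unless the TCP peer is a trusted proxy. The chain is
    walked from the right (the hop our proxy appended) to the left, skipping hops
    whose "for" is itself a trusted proxy, so multi-level proxy chains work and an
    attacker-supplied prefix of the list is never reached. "proto" is taken from
    the hop that identified the client, i.e. the scheme the edge proxy saw.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip: str) -> bool:
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:                # not an IP literal: "unknown", "_obf", host names
            return False

    if not forwarded_header or not trusted(peer_ip):
        return peer_ip, None              # header absent or sent by an untrusted peer

    client, proto = peer_ip, None
    for hop in reversed(parse_forwarded(forwarded_header)):
        addr = _strip_port(hop.get("for", ""))
        if not addr or addr == "unknown" or addr.startswith("_"):
            break                         # obfuscated/unknown identifier: stop here
        client, proto = addr, hop.get("proto", proto)
        if not trusted(addr):
            break                         # first non-proxy address is the client
    return client, proto


# Constructed sample: client 203.0.113.5 -> edge proxy 10.0.0.2 -> inner proxy 10.0.0.3 -> server
SAMPLE_CHAIN = "for=203.0.113.5;proto=https, for=10.0.0.2;proto=http"
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(client_address("10.0.0.3", SAMPLE_CHAIN, TRUSTED))                     # ('203.0.113.5', 'https')
    print(client_address("198.51.100.7", "for=127.0.0.1;proto=https", TRUSTED))  # ('198.51.100.7', None)
```

The second call shows the point of the trust check: a direct client claiming to be 127.0.0.1 over HTTPS is simply ignored. The same rule applies to the older X-Forwarded-For family; what differs in RFC 7239 is only the syntax.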

Security Fixes

  • Added option to disable the “Stay logged in” feature for all users.
  • *Security Update for CVE-2020-36518*
    • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
  • *Security Update for CVE-2022-24823*
    • Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(…) to set the directory to something that is only readable by the current user.
  • *Security Update for CVE-2021-23792*
    • The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) injection due to an insecurely initialized XML parser for reading XMP metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, the XXE vulnerability is triggered.
  • *Security Update for CVE-2022-21363*
    • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
  • *Security Update for CVE-2020-11023*
    • In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
  • *Security Update for CVE-2022-2191*
    • In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool in error code paths.
  • *Security Update for CVE-2022-2047*
    • In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
  • *Security Update for CVE-2022-31160*
    • jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes the contents of that parent label be considered as the input label. Calling .checkboxradio("refresh") on such a widget when the initial HTML contained encoded HTML entities makes them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.
  • *Security Update for CVE-2022-31197*
    • PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database-independent Java code. The PgJDBC implementation of the java.sql.ResultSet.refreshRow() method does not escape column names, so a malicious column name that contains a statement terminator, e.g. ;, can lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the ResultSet.refreshRow() method are not impacted. User applications that do invoke that method are impacted if the underlying database they query may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table whose column names contain the malicious SQL and subsequently invoke the refreshRow() method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions have been released as 42.2.26 and 42.4.1. Users are advised to upgrade. There are no known workarounds for this issue.
  • *Security Update for CVE-2022-31129*
    • moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment use an inefficient parsing algorithm: string-to-date parsing (specifically RFC 2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs, and a noticeable slowdown is observed with inputs above 10k characters. Applications that pass user-provided strings without sanity length checks to the moment constructor are vulnerable to ReDoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting the length of dates accepted from user input.
  • *Security Update for CVE-2022-36033*
    • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading:
      • disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs
      • ensure an appropriate Content Security Policy is defined (this should be used regardless of upgrading, as a defence-in-depth best practice)
  • *Security Update for CVE-2022-42003*
    • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions are 2.13.4.1 and 2.12.7.1.
  • *Security Update for CVE-2022-31684*
    • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
  • *Security Update for CVE-2021-37533*
    • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from the PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false, ignoring such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
  • *Security Update for CVE-2022-23494*
    • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as the `image` plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert was presented in the TinyMCE UI for the current user. It has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization is still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure that the `images_upload_handler` returns a valid value as per the images_upload_handler documentation.
  • *Security Update for CVE-2022-41915*
    • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP response splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator)` call into a `remove()` call, followed by `add()` in a loop over the iterator of values.
  • *Security Update for CVE-2023-24998*
    • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Maintenance

  • When changing data of multiple users at once, custom user fields which accept multiple values can now be set to multiple values instead of only one as before.
  • The User Accounts section of the Maintenance application allows deactivating multiple users at the same time.

Fixed Bugs

  • Fixed a rare error that could occur when changing data of users on custom user fields whose keys were purely numbers.

Microsoft Teams

  • Improved the configuration page to link to the store if the token authentication plugin needs to be installed.

Fixed Bugs

  • The task planner template “Microsoft Teams” would incorrectly insert the server's URL if it did not end with a slash.

Notifications

  • The default language for notifications created in the Configuration application is English. When an existing notification is opened and saved in this dialog, its default language is updated automatically.
  • Notifications sent to the operating system now require interaction if the notification is critical. This feature is available only if it is supported by the browser and the operating system.

Remote GUI

  • The search bar has been updated to use CodeMirror for better overall keyboard support

Security Fixes

  • Upgraded library momentjs to version 2.29.4 due to CVE-2022-24785 and CVE-2022-31129
  • Upgraded library tinymce to version 5.10.2 to include latest bugfixes

Task Planner

  • Parallel execution of one and the same task is now generally allowed
    • Manually starting a task while it is already running is now possible
    • PUBLIC-API: To distinguish between multiple executions, `TaskEvent` and `HistoryEntry` now contain `executionID`, a unique ID for the execution.
    • PUBLIC-API: `TaskPlanner`'s execute method now returns a `CompletableFuture` to allow more control over actions after the execution.
    • PUBLIC-API: New method `cancelTaskExecution(GUID,GUID,boolean)` cancels a single running execution of a task instead of all running executions.
  • Added Low Memory Trigger to notify administrators of this critical situation.
  • PUBLIC-API: TimeTriggerFactory's generic type is now `Trigger` as it can return different types of trigger: `TimeTrigger` and `TimeTriggerForCustomSettings`

Fixed Bugs

  • Fixed loading of large lists of tasks in the UI
  • Fixed bug endlessly showing task as running with 0% or 100% progress although there was no execution.
  • The license check of the Reporting Plus license for the Task Planning application was incorrect.
  • The option *custom* in time triggers now works correctly.

Themes

  • Removed experimental *Material Blue* theme

Two-Factor Authentication

  • A second factor can be made mandatory in the login settings of the server configuration. If there is no second factor set for a user, it is required to be set up after a fresh login.

Web API

  • Opened up the Web API UI to be available for public requests, such as the Task Planner's HTTP trigger, allowing the trigger to be run from the browser.
  • Added input field for the current URL, restricting editing to variable parts that require IDs
  • Added JSON area to send custom JSON to a request URL
  • Added selection for HTTP method and send key to re-submit the request
  • Added ability to remember ID tokens in the current Web API session and fill them in automatically until the page is refreshed

Web Server

  • Added placeholders for start and expiration date of the HTTPS certificate that is currently being used. The placeholders can then be used in Task Planner actions.
  • Changed Jetty server from version 9.4.x to 10.0.x.
  • Added support for HTTP/2 protocol.
  • *Allowed Cross Origins* is now called *Allowed Origins*

Security Fixes

  • If *Allowed Origins* is set, the server sends CORS headers that also include the external visible URL.
    • The server now checks that it is addressed using one of the given values, from either the external visible URL or the Allowed Origins list.
    • The server checks HTTP(S) as well as WS(S) connections.
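The Migration Information section at the top and this Web Server section describe the same server-side origin check. The following is an added example, not part of these release notes or of the i-net code base, of how such a check behaves: the external visible URL is always an allowed origin, CORS headers are only emitted for an allowed origin, and a WebSocket handshake from any other origin is refused. The last point is where the security value lies: CORS does not apply to WebSockets, so without an Origin check a page on any site could open a socket to the server with the user's cookies (cross-site WebSocket hijacking). The class and function names, the header layout and the sample URLs are assumptions made for this example.

```python
"""Server-side Origin check for HTTP requests and WebSocket handshakes.

Added example (not i-net code) modelling the behaviour of the *Allowed Origins*
option described in the release notes. Names and sample URLs are assumptions.
"""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

_DEFAULT_PORT = {"http": 80, "https": 443}
_WS_TO_HTTP = {"ws": "http", "wss": "https"}   # a page on https://h may open wss://h


def normalize_origin(value: str) -> Optional[str]:
    """Reduce a URL or origin to 'scheme://host:port', or None if unusable.

    Comparison is on the whole (scheme, host, port) triple; a prefix or
    substring match would let https://reports.example.com.evil.example through.
    """
    parts = urlsplit(value.strip())
    scheme = _WS_TO_HTTP.get(parts.scheme.lower(), parts.scheme.lower())
    if scheme not in _DEFAULT_PORT or not parts.hostname:
        return None                     # e.g. the literal "null", or no scheme at all
    try:
        port = parts.port or _DEFAULT_PORT[scheme]
    except ValueError:                  # non-numeric or out-of-range port
        return None
    return f"{scheme}://{parts.hostname}:{port}"   # hostname is already lower-cased


class OriginPolicy:
    """Allow-list built from the external visible URL plus the configured origins."""

    def __init__(self, external_url: str, allowed_origins: Iterable[str]) -> None:
        candidates = [external_url, *allowed_origins]
        self.allowed = {o for o in map(normalize_origin, candidates) if o}

    def is_allowed(self, origin_header: Optional[str]) -> bool:
        """True if the request may proceed.

        A missing Origin header is accepted: browsers omit it on top-level
        navigations and same-origin GETs, and non-browser clients never send it,
        so its absence cannot be treated as hostile. Browsers do send it on every
        cross-origin fetch/XHR, on cross-site form POSTs and on every WebSocket
        handshake, which is what this check is meant to stop.
        """
        if origin_header is None:
            return True
        normalized = normalize_origin(origin_header)
        return normalized is not None and normalized in self.allowed

    def cors_headers(self, origin_header: Optional[str]) -> Dict[str, str]:
        """CORS headers for an allowed origin; nothing for anyone else.

        The concrete origin is echoed instead of "*" (which cannot be combined
        with credentials), and "Vary: Origin" keeps caches from serving one
        origin's answer to another.
        """
        if origin_header and self.is_allowed(origin_header):
            return {"Access-Control-Allow-Origin": origin_header, "Vary": "Origin"}
        return {}

    def handle(self, headers: Dict[str, str]) -> Dict[str, object]:
        """Decide for one request; `headers` uses lower-case names (constructed input)."""
        origin = headers.get("origin")
        websocket = headers.get("upgrade", "").lower() == "websocket"
        if not self.is_allowed(origin):
            return {"status": 403, "headers": {}}          # HTTP request or WS handshake refused
        if websocket:
            return {"status": 101, "headers": {}}          # handshake accepted, CORS not involved
        return {"status": 200, "headers": self.cors_headers(origin)}


# Constructed sample configuration: external visible URL plus one extra allowed origin.
POLICY = OriginPolicy("https://reports.example.com", ["https://intranet.example.com:8443"])

if __name__ == "__main__":
    print(POLICY.handle({"origin": "https://evil.example", "upgrade": "websocket"}))   # status 403
    print(POLICY.handle({"origin": "https://intranet.example.com:8443"}))             # status 200 + CORS
```

Note the asymmetry the notes imply: CORS headers only govern what a browser lets a page read from a response, while the Origin check on the WebSocket upgrade is what actually refuses the connection. Both are needed, and the external visible URL must be on the list or the application's own pages would be locked out after the option is enabled.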

© Copyright 1996 - 2023, i-net software; All Rights Reserved.