/ 
App-Netdisco-2.017001_001
River stage one • 1 direct dependent • 1 total dependent
⭐ Starred 676 GitHub stars
/ App::Netdisco::Manual::ReleaseNotes
Security Advisories (9)
CVE-2020-11022 (2020-04-29)

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 (2020-04-29)

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2019-11358 (2019-04-20)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2015-9251 (2018-01-18)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2011-4969 (2013-03-08)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

CVE-2012-6708 (2018-01-18)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

CVE-2020-7656 (2020-05-19)

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

CVE-2019-5428

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

CVE-2014-6071 (2018-01-16)

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.

NAME

App::Netdisco::Manual::ReleaseNotes - Release Notes

Introduction

This document will list only the most significant changes with each release of Netdisco. You are STRONGLY recommended to read this document each time you install and upgrade. Also see the Changes file, for more information.

Migrating from Netdisco 1.x

This distribution (App::Netdisco) is a complete rewrite of the Netdisco application. Users often ask whether they can run both versions at the same time, and whether the database must be copied. Here are the guidelines for migrating from Netdisco 1.x:

  • You can run both Netdisco 1.x and App::Netdisco web frontends at the same time, using the same database.

  • Only enable the backend daemon and discovery jobs from either Netdisco 1.x or App::Netdisco.

  • You can share a single database between Netdisco 1.x and App::Netdisco. The deploy script for App::Netdisco will make some schema changes to the database, but they are backwards compatible.

2.017001_001

General Notices

The previous mentioned bug in Macsuck is now fixed.

During Arpnip, Node IPs are no longer resolved to DNS hostnames in real-time. In the next release, another job will be queued to perform this action for the device.

2.017000

General Notices

There is a bug in Macsuck whereby in rare circumstances some invalid SQL is generated. The root cause is known but we want to take more time to get the fix right. It should only be a few more days.

The no_port_control configuration setting is now called check_userlog and its logic is inverted. Don't worry if this is not familiar to you - the option is only used by Netdisco Developers.

2.016000

General Notices

The dangerous action log messages are now saved to the database. In a future version there will be a way to display them in the web interface.

2.015000

Heath Advice

Some of the "dangerous action" confirmation dialogs offer to take a log message (e.g. Port Control, Device Delete). Currently the log messages are not saved. This feature will be added in the next release.

2.014000

General Notices

The backend poller daemon is now considered stable. You can uncomment the housekeeping section of the example configuration and thereby enable regular device (re-)discovery, arpnip and macsuck.

2.013000

General Notices

You can now configure LDAP authentication for users.

2.012000

Security Notices

The read-write SNMP community is now stored in the database, when used for the first time on a device. If you don't want the web frontend to be able to access this, you need to:

  • Have separate deployment.yml files for web frontend and daemon, such that only the daemon config contains any community strings.

  • Use separate PostgreSQL users for web frontend and daemon, such that the web frontend user cannot SELECT from the community DB table.

2.011000

General Notices

Users can be managed through the web interface (by admins only).

2.010000

General Notices

You can now simplify database configuration to just the following, instead of the more verbose plugins/DBIC setting which was there before:

database:
  name: 'netdisco'
  host: 'localhost'
  user: 'someuser'
  pass: 'somepass'

Also, the REMOTE_USER environment variable and X-REMOTE_USER HTTP Header are now supported for delegating authentication to another web server. See the Deployment and Configuration documentation for further details.

2.008000

Heath Advice

This release contains the first version of our new poller, which handles device and node discovery. Please make sure to backup any existing Netdisco database before trying it out.

General Notices

You can remove any settings from ~/environments/deployment.yml which you didn't edit or add to the file yourself. All defaults are now properly embedded within the application. See the new deployment.yml sample which ships with this distribution for an example.

2.006000

Incompatible Changes

The default environment configuration file develpment.yml has been renamed to deployment.yml. This better reflects that users are not developers, and also fits with the default for PSGI compatible cloud deployment services.

Please rename or copy your environment file:

mv ~/environments/development.yml ~/environments/deployment.yml

General Notices

The installation is now relocateable outside of a user's home directory by setting the NETDISCO_HOME environment variable. This defaults to your own home directory.