Table of Contents | ||
---|---|---|
|
...
Disclaimer:
The enhancements, feature changes and tickets listed below are subject to change up until the final GA release date.
- The list is incomplete and more items will be added over the coming days.
- Items you see listed may be removed before the official GA release date at the sole discretion of frevvo.
...
GA Release Matrix
Include Page | ||||
---|---|---|---|---|
|
frevvo™ v10.
12
Cloud Upgrade: June 26April 30, 20212022
v10.1 2 is a major Cloud only release. Please see the Detailed Release Notes for specific version enhancements and tickets fixed.
Security Vulnerabilities
The following security vulnerabilities have been addressed as follows:
- Man in the middle - This has to do with executing the CGI Servlet. This servlet is disabled in the frevvo Apache tomcat distribution. Customers who choose to enable the servlet are responsible for ensuring security viz. adding filter etc.
Version Disclosures - Resolved by configuring the ErrorReportValve in \frevvo\tomcat\conf\server.xml file (in the Host section) as described in this Apache tomcat website. The parameter that needs to be modified is:
Code Block <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
X-Frame-Options Header Not Set - Resolved by modification at the tomcat level. In-house customers can uncomment the HttpHeaderSecurityFilter provided in the tomcat web.xml. The filter is documented here. Specify the appropriate X-Frame-Options value in the antiClickJackingOption parameter - (SAMEORIGIN or ALLOW-FROM).
Warning Setting this parameter to SAMEORIGIN may interfere when embedding frevvo forms/flows in your website. Use ALLOW-FROM instead. Click the appropriate link below for filter examples.
Code Block title Example of filter with SAMEORIGIN collapse true <filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>SAMEORIGIN</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Code Block theme Confluence title Example of filter with ALLOW-FROM for embedded forms collapse true <filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value> http://example.com:80/*</param-value> </init-param> <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
- frevvo v10.2 resolved Apache Log4j vulnerability with SOLR upgrade.