This documentation is for frevvo v10.1. Not for you? Earlier documentation is available too.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

 
 

GA Release Matrix

The table lists the latest released DocuPhase Forms versions.

Product Version Matrix

Product

Latest Version

Release Date

Release Notes

DocuPhase Forms Cloud

v11.3.2

12/03/2024

Detailed Release Notes

DocuPhase Forms On Premise

v11.0.14

10/08/2024

Detailed Release Notes

frevvo for Confluence

v10.1.22*

03/30/2022

Detailed Release Notes

frevvo Confluence Plugin

see ref

Confluence Add-on Release Notes

*Not available in v11.0+

DocuPhase Forms Database Connector

v2.9.0 (Cloud Only)

v2.7.1

07/23/2024

09/17/2022

Database Connector Release Notes

DocuPhase Forms Filesystem Connector

v1.6.0

07/23/2024

Filesystem Connector Release Notes

DocuPhase Forms Google Connector (Legacy)

v3.4.0 (Cloud Only)

v3.1.1

07/23/2024

01/05/2023

Google Connector Release Notes

DocuPhase Forms SharePoint Connector (Legacy)

v1.4.0 (Cloud Only)

v1.2.0

07/23/2024

09/17/2022

SharePoint Connector Release Notes

DocuPhase Forms API .NET Client

see ref

Data API Client Libraries Releases

*frevvo for Confluence is no longer available in v11.0+.


frevvo™ v10.1

Cloud Upgrade: June 26, 2021

v10.1 is a major Cloud only release. Please see the Detailed Release Notes for specific version enhancements and tickets fixed. 


Security Vulnerabilities

The following security vulnerabilities have been addressed as follows:

  • Man in the middle - This has to do with executing the CGI Servlet. This servlet is disabled in the frevvo Apache tomcat distribution. Customers who choose to enable the servlet are responsible for ensuring security viz. adding filter etc.
  • Version Disclosures - Resolved by configuring the ErrorReportValve in \frevvo\tomcat\conf\server.xml file (in the Host section) as described in this Apache tomcat website. The parameter that needs to be modified is:

    <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
  • X-Frame-Options Header Not Set - Resolved by modification at the tomcat level. In-house customers can uncomment the HttpHeaderSecurityFilter provided in the tomcat web.xml. The filter is documented here. Specify the appropriate X-Frame-Options value in the antiClickJackingOption parameter - (SAMEORIGIN or ALLOW-FROM).

    Setting this parameter to SAMEORIGIN may interfere when embedding frevvo forms/flows in your website. Use ALLOW-FROM instead.

    Click the appropriate link below for filter examples.

    Example of filter with SAMEORIGIN
    <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    		<init-param>
    			<param-name>antiClickJackingOption</param-name>
    			<param-value>SAMEORIGIN</param-value>
    		</init-param>
            <async-supported>true</async-supported>
    </filter>
    
    <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    
    Example of filter with ALLOW-FROM for embedded forms
    <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    		<init-param>
    			<param-name>antiClickJackingOption</param-name>
    			<param-value>ALLOW-FROM</param-value>
    		</init-param>
    		<init-param> 
                <param-name>antiClickJackingUri</param-name> 
                <param-value> http://example.com:80/*</param-value> 
            </init-param>
            <async-supported>true</async-supported>
    </filter>
    
    <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
    </filter-mapping> 

  • v10.1.11 Mitigation applied to Address Critical RCE (log4j / solr) Vulnerability Under Exploitation. The SOLR version on will be upgraded in a future release. Security checks may flag this vulnerability based on the version alone; however as long as you are running v10.1.11+ or you have applied the mitigation described in this article, you are not exposed to this vulnerability.







  • No labels