From 8a647d7591348fc317415d182a127f2ce2cdb9c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Mon, 5 Nov 2018 15:20:58 +0100 Subject: [PATCH] Add Change Logs --- ChangeLog | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 8a5767b..42bbee1 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,41 @@ 27/09/2018 Oleg Moskalenko Mihály Mészáros -Version 4.5.0.9 'dan Eider': +Version 4.5.1.0 'dan Eider': + Consider to change config file after upgrade, because it contains not backward compatible breaking changes! + - Security fixes + Many thanks to Nicolas Edet (Cisco) who reported all of the following issues!! + * DB/SQL injection in stun realm. Fix: add extra string validation. + * DB/SQL injection in web-admin interface lack of admin user validation. + Fix: add extra string validation. + * Fix for earlier unsafe default settings: + o HTTPS administrator interface should be disabled by default + It could be enbled with "web-admin" option. + o Default configuration allowed earlier forwarding traffic + from an external interface to loopback interface. Now it + has been changed and option name is also changed! + + !!BREAKING change!! Don't forget to change config!! + "no-loopback-peers" replaced by "allow-loopback-peers" + + o Unauthenticated telnet admin interface runs on the + loopback interface, which can be accessed by exploiting the + loopback relay that was enabled by default. + - Admin portal does not list TCP session ( reported and fixed by Nicolas Edet ) + - Fix memory leak in read_config_file (by Thibaut Ackermann) + - Add a release helper script. + - Web Admin interface use own listener (it is disableb by default) + + !!BREAKING change!! Don't forget to change/review config!! + + * Add new option "web-admin-ip" to set listener ip. By default (127.0.0.1) + * Add new option "web-admin-port" to set webadmin listen port + * Add new option "web-admin-listen-on-workers" to change back to earlier + behaviour and listen web admin on all worker processes and ports. + - Not allow to start server if "allow-loopback-peers" set without "cli-password" + + !!BREAKING change!! Don't forget to change config!! + + Added a warning if cli-password is empty or missing, but allow-loopback-peers + set, and so loopback allocation is enalbed. 
27/09/2018 Oleg Moskalenko Mihály Mészáros Version 4.5.0.8 'dan Eider':
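Review bot: The last entry of the new 4.5.1.0 block contradicts itself: it first says 'Not allow to start server if "allow-loopback-peers" set without "cli-password"', and then 'Added a warning if cli-password is empty or missing, but allow-loopback-peers set', so an operator reading the ChangeLog cannot tell whether that configuration is refused at startup or only logged. Please state the actual behaviour in one sentence, since it decides whether the unauthenticated loopback admin interface described a few lines earlier can still be reached through the relay. In the same block, the header date stays 27/09/2018 although the patch is dated 5 Nov 2018 and the 4.5.0.9 heading is replaced rather than kept, and "enbled", "disableb" and "enalbed" are misspelled. Because the entry announces that "no-loopback-peers" was replaced by "allow-loopback-peers", it would also help to say what happens when the old option name is left in a config file after upgrade.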