Bug 248330 - textproc/kibana6: Update to 6.8.11
Summary: textproc/kibana6: Update to 6.8.11
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Greg Lewis
URL: https://www.elastic.co/guide/en/kiban...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-28 15:43 UTC by Juraj Lutter
Modified: 2020-08-08 18:56 UTC (History)

See Also:
otis: maintainer-feedback+


Attachments
textproc/kibana6: Update to 6.8.11 (956 bytes, patch)
2020-07-28 15:43 UTC, Juraj Lutter
otis: maintainer-approval+

Description Juraj Lutter 2020-07-28 15:43:35 UTC
Created attachment 216841 [details]
textproc/kibana6: Update to 6.8.11

Hi,

please find the patch attached.

Changelog:

* Security updates
  - In Kibana 6.8.11 and earlier, there is a denial of service (DoS) flaw in Timelion. Attackers can construct a URL that, when viewed by a Kibana user, causes the Kibana process to consume large amounts of CPU and become unresponsive (CVE-2020-7016).
    You must upgrade to 6.8.11. If you are unable to upgrade, set timelion.enabled to false in your kibana.yml file to disable Timelion.

  - In all Kibana versions, region map visualizations contain a stored XSS flaw. Attackers who can edit or create region map visualizations can obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization (CVE-2020-7017).
    You must upgrade to 6.8.11. If you are unable to upgrade, set xpack.maps.enabled, region_map.enabled, and tile_map.enabled to false in kibana.yml to disable map visualizations.

* Enhancements
  - Platform
    - Makes the SameSite cookie attribute configurable

* Security
  - Supports deep links inside of RelayState for SAML IdP initiated login

    If users want to deep link into Kibana after a successful SAML Identity Provider initiated login, they can set xpack.security.authc.providers.saml.<provider-name>.useRelayStateDeepLink for a specific SAML authentication provider and provide a deep link in the RelayState parameter.

* Bug fixes
  - Maps
    - Loads configuration from EMS-metadata in region-maps

* Security
  - Redirects to Logged Out UI on SAML Logout Response #69676

  - Previously Kibana redirected users to a default location as the last step of a SAML User/SP Initiated Single Logout (SP SLO), which forced users to log in again when the Login Selector UI was not available. Now, Kibana redirects users to either the Login Selector UI or the Logged Out UI at the end of SP SLO.


Poudriere log:
https://freebsd-stable.builder.wilbury.net/data/12_STABLE_GENERIC_amd64-default/2020-07-28_17h03m49s/logs/kibana6-6.8.11.log
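The two advisories above each come with a kibana.yml workaround for installations that cannot upgrade yet. The following is an added example (not part of this bug report, the FreeBSD port, or the Kibana project) that checks an installed Kibana version and its kibana.yml against those workarounds and reports, per CVE, whether the host is fixed, mitigated, or still exposed. It assumes 6.8.11 is the fixed release (as the changelog's upgrade instruction states), that the Timelion and map features are enabled when their keys are absent, and it uses a deliberately minimal reader for flat `dotted.key: value` lines rather than a full YAML parser; the sample kibana.yml is constructed.

```python
import re

FIXED_VERSION = (6, 8, 11)  # release the changelog says to upgrade to

# Settings the changelog names as a workaround for each CVE; every listed key
# must be false for the workaround to count as applied.
MITIGATIONS = {
    "CVE-2020-7016": ("timelion.enabled",),
    "CVE-2020-7017": ("xpack.maps.enabled", "region_map.enabled", "tile_map.enabled"),
}

# Assumption: these features ship enabled, so an absent key means "enabled".
DEFAULT_ENABLED = True


def parse_version(text):
    """Turn '6.8.10' (optionally with a suffix such as '-SNAPSHOT') into a tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(p) for p in m.groups())


def parse_kibana_yml(text):
    """Minimal reader for the flat 'dotted.key: value' lines used in kibana.yml.

    Handles comments, blank lines and quoted scalars. It is not a YAML parser:
    indented (nested) lines and keys without a scalar value are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        if raw[:1].isspace():          # nested mapping or list item; not a flat key
            continue
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comment
        m = re.match(r"^([A-Za-z0-9_.\-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("\"'")
        if value:                      # 'xpack:' with no scalar is a nesting header
            settings[key] = value
    return settings


def feature_enabled(settings, key):
    """Interpret an on/off setting; an absent key falls back to the assumed default."""
    value = settings.get(key)
    if value is None:
        return DEFAULT_ENABLED
    return value.lower() not in ("false", "no", "off", "0")


def assess(version_text, kibana_yml_text):
    """Return {cve: 'fixed' | 'mitigated' | 'exposed'} for the advisories in this changelog."""
    version = parse_version(version_text)
    settings = parse_kibana_yml(kibana_yml_text)
    report = {}
    for cve, keys in MITIGATIONS.items():
        if version >= FIXED_VERSION:
            report[cve] = "fixed"
        elif all(not feature_enabled(settings, k) for k in keys):
            report[cve] = "mitigated"
        else:
            report[cve] = "exposed"
    return report


# Constructed sample kibana.yml; the tile_map key is deliberately left at its
# default so the CVE-2020-7017 workaround is incomplete.
SAMPLE_KIBANA_YML = """\
# constructed sample, not a real deployment's file
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
timelion.enabled: false        # workaround for CVE-2020-7016
xpack.maps.enabled: false
region_map.enabled: "false"
"""

if __name__ == "__main__":
    for ver in ("6.8.10", "6.8.11"):
        print(ver, assess(ver, SAMPLE_KIBANA_YML))
```

Run it against the output of `kibana --version` and the contents of the installed kibana.yml; a result of "exposed" for CVE-2020-7017 on the sample shows why all three map keys have to be checked together rather than any one of them.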
Comment 1 commit-hook 2020-08-08 18:56:17 UTC
A commit references this bug:

Author: glewis
Date: Sat Aug  8 18:55:46 UTC 2020
New revision: 544508
URL: https://svnweb.freebsd.org/changeset/ports/544508

Log:
  Update to 6.8.11

  PR:		248330
  Submitted by: 	Juraj Lutter <juraj@lutter.sk>

Changes:
  head/textproc/kibana6/Makefile
  head/textproc/kibana6/distinfo
Comment 2 Greg Lewis 2020-08-08 18:56:55 UTC
Thanks Juraj