Merge pull request #62 from sei-vsarvepalli/version-1.50.5
Version 1.50.5
@@ -1,61 +1,56 @@ | ||
# VINCE Changelog | ||
|
||
Version 1.50.4: 2022-10-05 | ||
========================== | ||
## Version 1.50.5: 2022-10-25 | ||
|
||
UI improvements for vincetrack for search experience | ||
Performance tweaks for Tickets search use $queryset.count() instead len($queryset) when pagination is used | ||
Fix HTML injection vulnerabilities reported by Rapid7 researcher Nick Sanzotta (CVE-2022-40248,CVE-2022-40257) | ||
* Updates to settings_.py to match public GitHub | ||
* UI tweaks for Loading div, asynchronous search via delaySearch | ||
* Add Access-Control-Origin header to CSAF output for Secvisogram | ||
* Fix Python Pickle Code Injection vulnerability reported by Rapid7 researcher Marcus Chang CVE-2022-40238 | ||
* Address reported failure with better error reporting from Encrypt-and-Send | ||
* Avoid TimeZone spurious warning errors flooding logs | ||
|
||
## Version 1.50.4: 2022-10-05 | ||
|
||
Version 1.50.3: 2022-09-16 | ||
========================== | ||
* UI improvements for vincetrack for search experience | ||
* Performance tweaks for Tickets search use $queryset.count() instead len($queryset) when pagination is used | ||
* Fix HTML injection vulnerabilities reported by Rapid7 researcher Nick Sanzotta (CVE-2022-40248,CVE-2022-40257) | ||
|
||
Full support for CSAF 2.0 export of vulnerability Case | ||
Fix for a number of Views to avoid digit parameter confusion | ||
Add view CSAF and VINCE JSON to support download of Case data in machine-readable format | ||
If upgrading, make sure you verify settings.py has new variables `CONTACT_PHONE` `ORG_POLICY_URL` and `ORG_AUTHORITY` populated. | ||
|
||
## Version 1.50.3: 2022-09-16 | ||
|
||
Version 1.50.2: 2022-08-29 | ||
-========================= | ||
* Full support for CSAF 2.0 export of vulnerability Case | ||
* Fix for a number of Views to avoid digit parameter confusion | ||
* Add view CSAF and VINCE JSON to support download of Case data in machine-readable format | ||
* If upgrading, make sure you verify settings.py has new variables `CONTACT_PHONE` `ORG_POLICY_URL` and `ORG_AUTHORITY` populated. | ||
|
||
Resolves issue of enumerating user_id and group_id - reported by Sharon Brizinov of Claroty Research [#51](https://github.com/CERTCC/VINCE/issues/51) | ||
Removed lxml library no longer in use in requirements.txt - reported by dependabot via [#38](https://github.com/CERTCC/VINCE/pull/38) | ||
Add [DISABLED] Keyword for users in `inactive` status in vincetrack `Teams` menu view. | ||
|
||
## Version 1.50.2: 2022-08-29 | ||
|
||
Version 1.50.1: 2022-08-08 | ||
========================== | ||
* Resolves issue of enumerating user_id and group_id - reported by Sharon Brizinov of Claroty Research [#51](https://github.com/CERTCC/VINCE/issues/51) | ||
* Removed lxml library no longer in use in requirements.txt - reported by dependabot via [#38](https://github.com/CERTCC/VINCE/pull/38) | ||
* Add [DISABLED] Keyword for users in `inactive` status in vincetrack `Teams` menu view. | ||
|
||
BugFix for API key generation issue. The generate_key method was disabled accidentally | ||
|
||
## Version 1.50.1: 2022-08-08 | ||
|
||
# Version 1.50.0: 2022-07-19 | ||
============================ | ||
* BugFix for API key generation issue. The generate_key method was disabled accidentally | ||
|
||
New MFA reset workflow | ||
|
||
Allow comments when re-assigning tickets | ||
## Version 1.50.0: 2022-07-19 | ||
|
||
Sorting improvements on VINCEComm Dashboard | ||
* New MFA reset workflow | ||
* Allow comments when re-assigning tickets | ||
* Sorting improvements on VINCEComm Dashboard | ||
* Add Vul Note download button in VINCETrack | ||
* Fixed open redirect vulnerability (CVE-2022-25799)[https://nvd.nist.gov/vuln/detail/CVE-2022-25799] reported by Jonathan Leitschuh [#45](https://github.com/CERTCC/VINCE/issues/45) | ||
* Bug Fixes | ||
|
||
Add Vul Note download button in VINCETrack | ||
## Version 1.49.0: 2022-07-19 | ||
|
||
Fixed open redirect vulnerability (CVE-2022-25799)[https://nvd.nist.gov/vuln/detail/CVE-2022-25799] reported by Jonathan Leitschuh [#45](https://github.com/CERTCC/VINCE/issues/45) | ||
* Contact Management Updates | ||
* Dependency Upgrades | ||
* Bug Fixes | ||
|
||
Bug Fixes | ||
## Version 1.48.0: 2022-05-13 | ||
|
||
# Version 1.49.0: 2022-07-19 | ||
=========================== | ||
|
||
Contact Management Updates | ||
|
||
Dependency Upgrades | ||
|
||
Bug Fixes | ||
|
||
# Version 1.48.0: 2022-05-13 | ||
============================= | ||
|
||
Initial Open Source Release | ||
* Initial Open Source Release |
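Review bot: the 1.50.0 entry's CVE link has its Markdown syntax inverted, `(CVE-2022-25799)[https://nvd.nist.gov/vuln/detail/CVE-2022-25799]` renders as literal text rather than a link, and since this hunk already rewrites the whole file into `##` headings and `*` bullets it is the moment to correct it to `[CVE-2022-25799](https://nvd.nist.gov/vuln/detail/CVE-2022-25799)`. Two smaller wording points in the same hunk: `instead len($queryset)` in the 1.50.4 entry should read `instead of len($queryset)`, and `(CVE-2022-40248,CVE-2022-40257)` wants a space after the comma so tooling that scans changelogs for CVE identifiers picks up both. The 1.50.5 entry records a settings change (`Updates to settings_.py to match public GitHub`) without an upgrade note of the kind the 1.50.3 entry gives for `CONTACT_PHONE`, `ORG_POLICY_URL` and `ORG_AUTHORITY`; if any new setting must be populated for this release, say so here so operators upgrading know what to check.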
@@ -654,10 +654,10 @@ def send_templated_mail(template_name, | |
locale = context['queue'].get('locale') or VINCE_EMAIL_FALLBACK_LOCALE | ||
else: | ||
locale = VINCE_EMAIL_FALLBACK_LOCALE | ||
|
||
|
||
context['homepage'] = f"{settings.KB_SERVER_NAME}/vince/comm/dashboard/" | ||
|
||
try: | ||
t = EmailTemplate.objects.get(template_name__iexact=template_name, locale=locale) | ||
except EmailTemplate.DoesNotExist: | ||
|
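Review bot: the one line in this hunk that is not plain context around the locale lookup, `context['homepage'] = f"{settings.KB_SERVER_NAME}/vince/comm/dashboard/"`, builds a URL that ends up in outgoing templated mail by interpolating a settings value; add a comment (or a check at settings load) stating that `KB_SERVER_NAME` is expected to carry the scheme and host with no trailing slash, because a value ending in `/` yields `//vince/comm/dashboard/` in the link and a bare hostname yields a link with no scheme at all.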
@@ -999,10 +999,9 @@ def encrypt_mail(contents, admin_email): | |
logger.debug(encrypted_data.ok) | ||
logger.debug(encrypted_data.status) | ||
logger.debug(encrypted_data.stderr) | ||
except: | ||
send_sns(traceback.format_exc()) | ||
logger.warning(traceback.format_exc()) | ||
logger.warning("Could not encrypt data") | ||
except Exception as e: | ||
logger.warning("PGP Encryption failed due to error "+str(e)) | ||
send_sns(str(e)) | ||
return None | ||
return encrypted_data | ||
|
||
|
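Review bot: replacing the bare `except:` with `except Exception as e:` is the right change, but the new branch drops the traceback that the old one both logged and forwarded with `send_sns(traceback.format_exc())`; `str(e)` from an encryption failure is often only a short message, so keep the stack in the log with `logger.warning("PGP Encryption failed due to error %s", e, exc_info=True)` (percent-style arguments also avoid the `"..."+str(e)` concatenation). The explicit `return None` is an improvement: the old branch fell through to `return encrypted_data`, which would have raised if the assignment inside the `try` never ran. If `traceback` is no longer referenced anywhere else in this module after this change, drop its import as well.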
@@ -1020,7 +1019,6 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None): | |
msg.add_header(_name="Content-Type", _value="multipart/mixed", protected_headers="v1") | ||
msg["From"] = settings.DEFAULT_REPLY_EMAIL | ||
msg["To"] = admin_email.email | ||
#msg["Cc"] = "[email protected]" | ||
msg['Subject'] = subject | ||
|
||
msg_text = Message() | ||
|
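Review bot: removing the commented-out `#msg["Cc"] = ...` line is good, since dead code naming a mailbox should not sit in the source, but while these headers are being touched, `msg["To"] = admin_email.email` on the line directly below `msg["From"]` ignores the function's `to_email` parameter; if `admin_email` is resolved from `to_email` earlier in the function, a one-line comment at that point would spare the next reader the question, and if it is not, the recipient header is wrong. The same `To` assignment appears on the inner `pgp_msg` in the following hunk.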
@@ -1050,7 +1048,6 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None): | |
pgp_msg = MIMEBase(_maintype="multipart", _subtype="encrypted", protocol="application/pgp-encrypted") | ||
pgp_msg["From"] = settings.DEFAULT_REPLY_EMAIL | ||
pgp_msg["To"] = admin_email.email | ||
#pgp_msg["Cc"] = "[email protected]" | ||
pgp_msg["Subject"] = subject | ||
|
||
pgp_msg_part1 = Message() | ||
|
@@ -1064,7 +1061,8 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None): | |
pgp_msg_part2.add_header(_name="Content-Disposition", _value="inline", filename="encrypted.asc") | ||
try: | ||
payload = encrypt_mail(msg.as_string(), admin_email) | ||
except: | ||
except Exception as e: | ||
logger.warning("Encrypting PGP Email failed due to error "+str(e)) | ||
return f"Error encrypting data. Check key for {admin_email.email}" | ||
|
||
if payload == None: | ||
|
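Review bot: with `encrypt_mail` now catching every exception itself and returning `None` (the hunk at line 999), the `except Exception as e:` around `payload = encrypt_mail(msg.as_string(), admin_email)` can only fire for failures in `msg.as_string()`, so the new warning text `"Encrypting PGP Email failed due to error "` describes the wrong step, and a genuine encryption failure is already reported inside `encrypt_mail` and then handled by the `if payload == None:` branch below. Either narrow the message to the serialization step or drop this try/except and rely on the `None` check. Two style points while here: `payload == None` should be `payload is None`, and the pre-existing `return f"Error encrypting data. Check key for {admin_email.email}"` hands callers a human-readable string on the failure path, so the return contract of this function deserves a docstring or a consistent `None`.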