Security Fix, Small Bug Fixes and Minor Improvements / Features
This release primarily fixes an XSS security issue in IXP Manager. It also includes a small number of bug fixes and improvements. All IXs running < v5.7.0 are advised to upgrade. This release has a minor version bump as there are two small database schema changes.
Summary:
git --no-pager diff --shortstat --no-merges v5.6.0 v5.7.0
152 files changed, 13874 insertions(+), 8307 deletions(-)
Upgrade Instructions
Please follow the official upgrade documentation without skipping any steps.
There are no additional release specific steps required.
Security Fix
This release includes a fix for an XSS security bug in the looking glass feature.
The bug allows a potential attacker to provide an IXP Manager user or administrator with a crafted URL which would result in the execution of attacker-supplied JavaScript within that user's browser.
If you are running IXP Manager with the looking glass feature enabled, you are advised to upgrade. If you wish to delay the upgrade and mitigate the risk in the meantime, you could:
- set the looking glass access privileges to SUPERUSER in each of your router configurations;
- advise your SUPERADMINS to examine any externally provided IXP Manager URL for the presence of potential XSS code.
Credit to Bart Vrancken (AbuseIO CERT) for responsibly disclosing this issue.
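The class of bug described above is a reflected parameter that reaches the page without output encoding. The following is an added example, not IXP Manager's own code or the actual looking glass route: it assumes a hypothetical page at /lg/query that echoes a query parameter named q, and contrasts the unencoded anti-pattern with the encoded form. It also includes a small helper of the kind a SUPERADMIN could use to check whether a received URL carries markup in its query string, which is the manual check the mitigation list recommends.

```javascript
// Added example (not IXP Manager code): output encoding as the defence
// against reflected XSS in a page that echoes a URL query parameter.
// The route /lg/query and the parameter name "q" are hypothetical.

// Escape the characters that let text break out of an HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull a named query parameter out of a URL; searchParams decodes %xx for us.
function getQueryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Anti-pattern: the raw parameter is concatenated into markup, so any tags it
// carries are parsed as HTML by the browser instead of being shown as text.
function renderUnsafe(query) {
  return '<pre>Query: ' + query + '</pre>';
}

// Hardened form: the parameter is encoded before insertion, so the browser
// displays it literally whatever characters it contains.
function renderSafe(query) {
  return '<pre>Query: ' + escapeHtml(query) + '</pre>';
}

// Defender-side check: does any query parameter of this URL decode to
// something containing HTML angle brackets? Useful when triaging a URL
// someone sent you before opening it in an authenticated session.
function hasMarkupInQuery(url) {
  for (const [, value] of new URL(url).searchParams) {
    if (/[<>]/.test(value)) return true;
  }
  return false;
}

// Constructed sample: a looking-glass style URL whose query carries harmless
// <b> markup, enough to show the difference between the two renderers.
const SAMPLE_URL =
  'https://ixp.example.invalid/lg/query?q=' + encodeURIComponent('<b>192.0.2.1</b>');

function demo() {
  const q = getQueryParam(SAMPLE_URL, 'q');
  return {
    flagged: hasMarkupInQuery(SAMPLE_URL),
    unsafe: renderUnsafe(q),
    safe: renderSafe(q),
  };
}

console.log(demo());
```

The point of the contrast is that the fix lives at the output boundary: encoding the value where it is written into HTML makes the rendered result independent of what the URL contained, which is why upgrading is preferable to relying on users to eyeball URLs.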
Small Features and Improvements
- New Artisan command to reindex switch ports' ifIndex based on ifName. This is useful when a port's ifIndex changes in a switch operating system update. See this documentation for more information.
- And supplemental to this, we can now also exclude a switch from polling (via 00ccf4d).
- IX-F Member Export improvements (7286616):
  - Provides a more user-friendly error message if the schema-required IX-F IXP ID is not set.
  - Allows the poller to provide an IX-F ID per infrastructure, if one is not set, via the parameter &ixfid_1=xx&ixfid_2=yy
  - Allows the poller to ignore a missing IX-F ID and set it to zero via the parameter ?ignore_missing_ixfid=1
- Tag IXP Manager as the generator of the IX-F JSON document (4185fe6)
- Better member logo layouts (c10c712) and option to add a background colour to check transparency (8a0ce56)
Bug Fixes
- Cannot update IRRDB if only IPv6 is configured. #662
- Insufficient permissions error downloading crossconnect documents #663
- VLAN Tagging should be warned/enforced when >2 vlan interfaces exist #667
- ASN max length too short in the IRRDB database because the 32-bit ASN integer representation in the database was signed - fixes #664
- Admin log on as this user updates last login date when it shouldn't - fixes #652
- Rack field in patch panel port verification page is blank (f95a893)
- Off-by-one counting issue for admin dashboard - ports by location (4a10448)