Version 3.0.13

Release 3.0.13

===========

Date: 2019-01-23

Name: "jalapeño popper khaki headphones"

Notes

Security and bug fixes, and some enhancements.

Security fixes:

• potential stored XSS vulnerability (https://github.com/rundeck/rundeck/pull/4406)

Discovered by Ishaq Mohammed by at qualys.com

• add Content-Security-Policy and other security HTTP headers to responses (see more info https://github.com/rundeck/rundeck/pull/4405)

Contributors

• Alberto Hormazabal (ahormazabal)
• Greg Schueler (gschueler)
• Jaime Tobar (jtobard)
• Luis Toledo (ltamaster)
• Greg Zapp (ProTip)
• Stephen Joyner (sjrd218)
• Ishaq Mohammed

Bug Reporters

• ProTip
• ahormazabal
• gschueler
• jtobard
• ltamaster
• sebastianbello
• sjrd218
• vinillum

Issues

Milestone 3.0.13

• new version of winrm plugin 1.0.10
• Fix Plugin list api by referencing correct plugin list information service
• Add CSP header control variables to Docker image
• Fix #4406: stored xss vulnerability
• Security: stored XSS vulnerability
• Add common web-app security headers
• Add new flag to enable UI plugins on all pages
• Remove environment variable that hijacks jvm ssl settings
• UI plugin install status fix
• Fix #4374. User and role set by AJP were not being properly set.
• Fixes #4376. Partial templates are now expanded and added to base property file.
• Update spring security plugin to last version.
• UUID validation on jobref
• email notification enhancement
• Fix #2975 multiple threads modify the map
• Fixes #115.
• User profile information can be sync'd from LDAP
• UUID validation and Autocomplete in Job Reference Workflow step
• Feature/multi repository support
• Execution Metrics API
• java.lang.ClassCastException: java.util.HashMap$Node cannot be cast to java.util.HashMap$TreeNode
• LDAP login with empty password