From ba383858e9e69737e05026fcf9effab1641ec054 Mon Sep 17 00:00:00 2001 From: Kerry Carmichael Date: Mon, 31 Mar 2025 09:40:20 -0400 Subject: [PATCH] Patch release notes for 4.7.1 --- release_notes/47-release-notes.adoc | 43 +++++++++++++++++++---------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/release_notes/47-release-notes.adoc b/release_notes/47-release-notes.adoc index 064f645b69f7..c51ddaf7fe29 100644 --- a/release_notes/47-release-notes.adoc +++ b/release_notes/47-release-notes.adoc @@ -16,6 +16,7 @@ toc::[] |{product-title-short} version |Released on |`4.7.0` | 17 March 2025 +|`4.7.1` | 31 March 2025 |==== @@ -85,7 +86,7 @@ For more information about how to use the Azure Entra ID service principals for [id="view-the-violation-status-directly-on-the-violations-page_{context}"] === View the violation status directly on the Violations page -With {product-title-short} 4.7, you can now see the status of a violation directly on the *Violations* page so that you can quickly determine whether the violation is still active. This streamlines automation workflows, such as creating a Jira ticket and sending it to an owner who does not use {product-title-short} regularly. +With {product-title-short} 4.7, you can now see the status of a violation directly on the *Violations* page so that you can quickly determine whether the violation is still active. This streamlines automation workflows, such as creating a Jira ticket and sending it to an owner who does not use {product-title-short} regularly. By following the link in the ticket, the owner can immediately see if the violation is still relevant, reducing the risk of unnecessary delays or deprioritization. In addition, the page provides the full context of the violation and ensures that all relevant details are immediately available. 
@@ -93,9 +94,9 @@ By following the link in the ticket, the owner can immediately see if the violat [id="prioritize-cves-with-the-epss-integration_{context}"] === Prioritize CVEs with the EPSS integration -{product-title-short} 4.7 introduces integration with the Exploit Prediction Scoring System (EPSS), a data-driven model that estimates the likelihood of a software vulnerability being exploited. +{product-title-short} 4.7 introduces integration with the Exploit Prediction Scoring System (EPSS), a data-driven model that estimates the likelihood of a software vulnerability being exploited. -In addition to the severity and Common Vulnerability Scoring System (CVSS) score, an EPSS probability score from 0%-100% is now displayed for detected Common Vulnerabilities and Exposures (CVEs). +In addition to the severity and Common Vulnerability Scoring System (CVSS) score, an EPSS probability score from 0%-100% is now displayed for detected Common Vulnerabilities and Exposures (CVEs). You can use the EPSS score to better prioritize the remediation of CVE vulnerabilities and strengthen your security strategy. For more information, see xref:../operating/manage-vulnerabilities/vulnerability-management.adoc#vulnerability-management-prioritizing_acs-operating-manage-vulnerabilities[Prioritizing the vulnerabilities]. @@ -105,7 +106,7 @@ For more information, see xref:../operating/manage-vulnerabilities/vulnerability [id="gain-visibility-into-the-external-ips-in-the-network-graph_{context}"] === Enhanced visibility into the external IPs in the network graph -With {product-title-short} 4.7, you can now get a better insight into the external IPs behind external entities in the network graph. +With {product-title-short} 4.7, you can now get a better insight into the external IPs behind external entities in the network graph. :FeatureName: Visualizing external entities include::snippets/technology-preview.adoc[] 
@@ -118,7 +119,7 @@ For more information, see xref:../operating/visualizing-external-entities.adoc#v [id="enhanced-options-for-the-roxctl-netpol-generate-command_{context}"] === Enhanced options for the roxctl netpol generate command -In {product-title-short} 4.7, the `roxctl netpol generate` command automatically detects when DNS connections are required and generates them accordingly. If you do not specify a port, port `53` is selected automatically, but you can change this by using the `--dnsport` flag. The `--dnsport` flag also accepts port names in addition to numbers. For example,`--dnsport dns`. +In {product-title-short} 4.7, the `roxctl netpol generate` command automatically detects when DNS connections are required and generates them accordingly. If you do not specify a port, port `53` is selected automatically, but you can change this by using the `--dnsport` flag. The `--dnsport` flag also accepts port names in addition to numbers. For example,`--dnsport dns`. You can use port names as a more robust method of specifying the port if the service has a defined name. If you are a {osp} customer and use the default DNS setting, you should use the `--dnsport` flag to change the default port, as the OpenShift DNS pod listens on port `5353`. @@ -144,7 +145,7 @@ For more information, see xref:../configuration/configuring-and-integrating-the- [id="generate-sboms-from-the-scanned-container-images_{context}"] === Generate SBOMs from the scanned container images -With {product-title-short} 4.7, you can now generate a Software Bill of Materials (SBOM) from the scanned container images. +With {product-title-short} 4.7, you can now generate a Software Bill of Materials (SBOM) from the scanned container images. :FeatureName: Generation of SBOMs from the scanned container images include::snippets/technology-preview.adoc[] 
@@ -174,7 +175,7 @@ For more information about the automatic certificate renewal, see xref:../config [id="cluster-registration-secret-for-secured-cluster-bootstrapping_{context}"] === Cluster Registration Secret for secured cluster bootstrapping -In {product-title-short} 4.7, you can now use the Cluster Registration Secret (CRS) to bootstrap a secured cluster and register it with Central. +In {product-title-short} 4.7, you can now use the Cluster Registration Secret (CRS) to bootstrap a secured cluster and register it with Central. :FeatureName: Cluster Registration Secret include::snippets/technology-preview.adoc[] 
@@ -212,13 +213,13 @@ This release contains the following changes: * Scanner V4 now uses Red{nbsp}Hat VEX files instead of the Common Vulnerabilities and Exposures (CVE) map to provide vulnerability data for non-RPM content in official Red{nbsp}Hat images. * You can no longer set the `ROX_NODE_INDEX_CONTAINER_API` environment variable in the Compliance pod. The node scanner never used this variable because the node scanner never connected to the Red{nbsp}Hat Container Catalog. + -To enable node scanning with Scanner V4 while the nodes continue to be scanned in parallel with Scanner V2, update the variable ROX_NODE_INDEX_ENABLED variable from a Boolean setting to a feature flag. This change ensures that the {product-title-short} portal can access the setting through the Central API. +To enable node scanning with Scanner V4 while the nodes continue to be scanned in parallel with Scanner V2, update the variable ROX_NODE_INDEX_ENABLED variable from a Boolean setting to a feature flag. This change ensures that the {product-title-short} portal can access the setting through the Central API. + By default, Central with Scanner V4 prioritizes Scanner V4 scans, while StackRox Scanner V2 remains operational without any changes. You can manually enable or disable Scanner V4 and StackRox Scanner V2 for node scanning without affecting image scanning. + For more information, see xref:../operating/manage-vulnerabilities/vulnerability-management.adoc#vulnerability-management[Vulnerability management overview]. -* `stackrox.io` Content Delivery Network (CDN) has been moved from CloudFlare to Akamai. When configuring firewall rules, use the hostname instead of the IP addresses. If you previously allowed the IP ranges to `stackrox.io`, you must update these rules. +* `stackrox.io` Content Delivery Network (CDN) has been moved from CloudFlare to Akamai. When configuring firewall rules, use the hostname instead of the IP addresses. 
If you previously allowed the IP ranges to `stackrox.io`, you must update these rules. + The following values are associated with a stable subset of Akamai Classless Inter-Domain Routings (CIDRs): @@ -354,13 +355,13 @@ For more information, see link:https://cloud.google.com/artifact-registry/docs/t 3. Kernel support packages and driver download functionality are deprecated. -4. The `rhacs-collector-slim*` image is deprecated and has been removed in {product-title-short} 4.7.0. `rhacs-collector*` image used to contain kernel modules and eBPF probes, but {product-title-short} no longer needs those items. -The `rhacs-collector*` and the `rhacs-collector-slim*` images are now functionally the same. +4. The `rhacs-collector-slim*` image is deprecated and has been removed in {product-title-short} 4.7.0. `rhacs-collector*` image used to contain kernel modules and eBPF probes, but {product-title-short} no longer needs those items. +The `rhacs-collector*` and the `rhacs-collector-slim*` images are now functionally the same. 5. A feature flag controls this API object, and you can enable or disable this API object by using the `ROX_VULN_MGMT_LEGACY_SNOOZE` environment variable. -6. The format for specifying duration in JSON requests to `v1/nodecves/suppress`, `v1/clustercves/suppress`, and `v1/imagecves/suppress` has been changed to the ProtoJSON format. -Only a numeric value representing seconds with optional fractional seconds for nanosecond precision and followed by the `s` suffix is supported. +6. The format for specifying duration in JSON requests to `v1/nodecves/suppress`, `v1/clustercves/suppress`, and `v1/imagecves/suppress` has been changed to the ProtoJSON format. +Only a numeric value representing seconds with optional fractional seconds for nanosecond precision and followed by the `s` suffix is supported. + For example, `0.300s`, `-5400s`, or `9900s`. The previously valid time units of `ns`, `us`, `µs`, `ms`, `m`, and `h` are no longer supported. 
@@ -389,7 +390,7 @@ This issue occurred when the system reported errors when encountering zombie pro With this update, the system now specifically recognizes zombie processes and adjusts the message level to a less strict classification. However, the system can still trigger an error if the detection of zombie processes exceeds a certain threshold, helping to identify faulty workloads. //ROX-25638 -* Before this update, the Central logs were not rotated, which caused the log file for {product-title-short} to grow indefinitely and eventually take up the entire node memory. This issue occurred because `/var/log/stackrox` was mounted by using an `emptyDir` volume, which does not persist across pod restarts and has no built-in log rotation. +* Before this update, the Central logs were not rotated, which caused the log file for {product-title-short} to grow indefinitely and eventually take up the entire node memory. This issue occurred because `/var/log/stackrox` was mounted by using an `emptyDir` volume, which does not persist across pod restarts and has no built-in log rotation. + With this update, logs are deleted and the `emptyDir` volume is recreated when you restart the Central pod. A log size limit has been introduced to prevent excessive memory usage and to ensure that the Central logs do not overload the node. 
@@ -402,4 +403,18 @@ With this update, the filter logic in Central has been adjusted to ensure that ` //ROX-27829 * Before to this update, the {product-title-short} portal incorrectly validated Slack webhook URLs and blocked the Mattermost integration due to strict regex rules. With this update, the regex check has been removed to allow for more flexible URL formats. +[id="about-release-4.7.1_{context}"] +== About release version 4.7.1 + +*Release date*: 31 March 2025 + +This release of {product-title-short} includes the following bug fix: + +* Fixed a bug in which Scanner V4 performed TLS validation even for integrations that had TLS validation disabled. + +This release also addresses the following security vulnerabilities: + +* link:https://access.redhat.com/security/cve/cve-2025-22869[CVE-2025-22869] Flaw in the `golang.org/x/crypto/ssh` package. +* link:https://access.redhat.com/security/cve/cve-2025-27144[CVE-2025-27144] Go JOSE's parsing vulnerable to denial of service. + include::modules/image-versions.adoc[leveloffset=+1] \ No newline at end of file
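Review bot: the hunks at `@@ -85,7 +86,7`, `@@ -93,9 +94,9`, `@@ -105,7 +106,7`, `@@ -144,7 +145,7` and `@@ -174,7 +175,7` are trailing-whitespace-only changes that carry no 4.7.1 content, which is why a one-section patch shows as 29 insertions and 14 deletions. Either split the whitespace cleanup into its own commit so the release-note change reviews cleanly, or, since these lines are being rewritten anyway, use the opportunity to fix the wording defects in them (see the per-hunk notes below) rather than re-emitting the text unchanged.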
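Review bot: in the `@@ -118,7 +119,7` hunk the rewritten `+` line still reads `For example,\`--dnsport dns\`.` with no space after the comma; since this line is already being touched, change it to `For example, \`--dnsport dns\`.`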
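Review bot: in the `@@ -212,13 +213,13` hunk the rewritten node-scanning line keeps a doubled word and an unformatted variable name: `update the variable ROX_NODE_INDEX_ENABLED variable from a Boolean setting to a feature flag`. Every other environment variable in this file is in backticks (for example `ROX_NODE_INDEX_CONTAINER_API` two lines above), so make it `update the \`ROX_NODE_INDEX_ENABLED\` variable from a Boolean setting to a feature flag`. In the same hunk, the CDN bullet spells the vendor `CloudFlare`; the company writes its name `Cloudflare`, so correct it while the line is being rewritten.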
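Review bot: in the `@@ -354,13 +355,13` hunk, item 4 is rewritten but still drops the article: `\`rhacs-collector*\` image used to contain kernel modules and eBPF probes`. Since the line is already changing, make it `The \`rhacs-collector*\` image used to contain ...` so it reads like the sentence that follows it.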
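Review bot: in the `@@ -389,7 +390,7` hunk the rewritten ROX-25638 entry says the unrotated log would `take up the entire node memory`; an `emptyDir` volume is backed by the node's local disk unless it is declared with `medium: Memory`, so unless Central's volume is configured that way the resource being exhausted is node storage, not memory, and the text should say which. The follow-up sentence `logs are deleted and the emptyDir volume is recreated when you restart the Central pod` also describes the normal `emptyDir` lifecycle rather than anything this fix changed; the actual fix is the size limit mentioned in the next sentence, so lead with that and state the limit if it is documented.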
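Review bot: the new 4.7.1 section in the `@@ -402,4 +403,18` hunk departs from the conventions used by the 4.7.0 entries directly above it. Every bug fix in this file is preceded by a tracking comment such as `//ROX-25638` or `//ROX-27829`; add the corresponding reference above the Scanner V4 TLS bullet. That bullet, `Scanner V4 performed TLS validation even for integrations that had TLS validation disabled`, should also name the integration type affected (the file elsewhere distinguishes registry, notifier and other integrations) so an operator can tell whether the fix applies to them. The two CVE bullets are not parallel: the go-jose entry says what the impact is (denial of service) while the `golang.org/x/crypto/ssh` entry says only `Flaw in the ... package`; give the first entry the same impact-level description. Two smaller points: the context line just above the hunk still reads `Before to this update` (a pre-existing typo worth fixing while here), and the new id `about-release-4.7.1_{context}` introduces dots into an id where every other id in the file uses hyphens only; check that the id convention for release sections allows dots before this lands.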