Release 4.5.0

@cedricbonhomme cedricbonhomme released this 30 Apr 09:28
· 41 commits to main since this release
v4.5.0
713a398

What's New

  • new: [sightings] Sightings can now originate from Telegram channels via the companion Vulnerability-Lookup Telegram sighting tool.
  • new: [templates] Three new tabs on every vulnerability page: sighting type repartition (pie chart), source repartition (pie chart grouping URLs by hostname and collapsing Telegram and MISP feeds), and an experimental adaptive forecast (logistic when the trend is rising, exponential decay when falling — a JavaScript port of the TARDISSight prototype). Each chart is interactive and filters the sightings table when clicked.
    d8bfc88, 8e2ed8c, 0640874, d573e31
  • new: [templates] Display trend slope (linear fit on daily counts) near the sightings chart.
    7e22eb0
  • new: [sightings] Optional content field on the Sighting model and API.
    4923f87
  • new: [templates] Add download/correlations icons to the sightings table on the vuln page.
    6de9cf1

Changes

  • chg: [api] Use case-insensitive substring match for the sighting source filter.
    db8e14f
  • chg: [schema] Align Sighting JSON schema with the model.
    67cc01f
  • chg: [templates] Index page now displays published proofs of concept instead of confirmed sightings.
    8908ce3
  • chg: [security] Switch markdown URL sanitizer to a scheme allowlist.
    347c9b4
  • chg: [feeders] EPSS feeder improvements: configurable ingestion from Kvrocks with API fallback, Redis pipelining, year-boundary fix, reduced memory usage, error handling for GitHub API calls. EPSS scores are no longer published on the Redis pub/sub channel.
    939d800, eabc5ad, a9be57e, 2a1c75d, 7d9867b, 054d4ab, 9a0822e, 9277d03, ac9a9f4
  • chg: [templates] Improve full-text search UX and clarify exact vs approximate matching.
    05d5ef9
  • chg: [dependencies] The project now requires Python >=3.11,<4.0; restrict myst-parser to Python ≥3.11; updated gevent.
    69d36da, 27d1300, 28bad8c
  • chg: [dependencies] Updated Python and JavaScript dependencies.
    74902de, 9d5ab76, 44fe2a2, ecb766e
  • chg: [github] Added issue templates and pull request template.
    d4a74b8
  • chg: [documentation] Updated README and contributor notes.
    09aca11, 8ed689f

Fixes

  • fix: [security] Hardened several DOM-injection sites against XSS, including escaping vendor/product and vulnerability ID in the sightings correlations tooltip; URLs are now normalized before the scheme check.
    68b96c8, e4f4da0, 205dad1
  • fix: [forecast] Restrict decay fit to post-peak data so the forecast cannot contradict the observed trend.
    acd8425
  • fix: [disclosure] Warn about CSRF expiry on the new disclosure form and extend token lifetime.
    baff893
  • fix: [templates] Long credit names no longer break layout.
    cc267fe