Changelog History

  • v4.2.7 Changes

    May 30, 2022

    Manager

    Fixed

    • Fixed a crash in Vuln Detector when scanning agents running on Windows (backport from 4.3.2). (#13617)
  • v4.2.6 Changes

    March 29, 2022

    Manager

    Fixed

    • Fixed an integer overflow hazard in wazuh-remoted that caused it to drop incoming data after receiving 2^31 messages. (#11974)
  • v4.2.5 Changes

    November 15, 2021

    Manager

    Changed

    • Active response requests for agents between v4.2.0 and v4.2.4 are now sanitized to prevent unauthorized code execution. (#10809)

    Agent

    Fixed

    • A bug in the Active response tools that may allow unauthorized code execution has been mitigated. Reported by @rk700. (#10809)
  • v4.2.4 Changes

    October 20, 2021

    Manager

    Fixed

    • Prevented files belonging to deleted agents from remaining in the manager. (#9158)
    • Fixed inaccurate agent group file cleanup in the database sync module. (#10432)
    • Prevented the manager from corrupting the agent data integrity when the disk gets full. (#10479)
    • Fixed a resource leak in Vulnerability Detector when scanning Windows agents. (#10559)
    • Stop deleting agent related files in cluster process when an agent is removed from client.keys. (#9061)
  • v4.2.3 Changes

    October 06, 2021

    Manager

    Fixed

    • Fixed a bug in Remoted that might lead it to crash when retrieving an agent's group. (#10388)
  • v4.2.2 Changes

    September 28, 2021

    Manager

    Changed

    • Clean up the agent's inventory data on the manager if Syscollector is disabled. (#9133)
    • Authd now refuses enrollment attempts if the agent already holds a valid key. (#9779)

    Fixed

    • Fixed a false positive in Vulnerability Detector when packages have multiple conditions in the OVAL feed. (#9647)
    • Prevented pending agents from keeping their state indefinitely in the manager. (#9042)
    • Fixed Remoted to avoid agents in connected state with no group assignation. (#9088)
    • Fixed a bug in Analysisd that ignored the value of the rule option noalert. (#9278)
    • Fixed Authd's startup to set up the PID file before loading keys. (#9378)
    • Fixed a bug in Authd that delayed the agent timestamp update when removing agents. (#9295)
    • Fixed a bug in Wazuh DB that held wrong agent timestamp data. (#9705)
    • Fixed a bug in Remoted that kept deleted shared files in the multi-groups' merged.mg file. (#9942)
    • Fixed a bug in Analysisd that overwrote its queue socket when launched in test mode. (#9987)
    • Fixed a condition in the Windows Vulnerability Detector to prevent false positives when evaluating DU patches. (#10016)
    • Fixed a memory leak when generating the Windows report in Vulnerability Detector. (#10214)
    • Fixed a file descriptor leak in Analysisd when delivering an AR request to an agent. (#10194)

    Agent

    Changed

    • Optimized Syscollector scan performance. (#9907)
    • Reworked the Google Cloud Pub/Sub integration module to increase the number of processed events per second by allowing multithreading. Added new num_threads option to module configuration. (#9927)
    • Upgraded google-cloud-pubsub dependency to the latest stable version (2.7.1). (#9964)
    • Reimplemented the WPK installer rollback on Linux. (#9443)
    • Updated AWS WAF implementation to change httpRequest.headers field format. (#10217)

    Fixed

    • Prevented the manager from hashing the shared configuration too often. (#9710)
    • Fixed a memory leak in Logcollector when re-subscribing to Windows Eventchannel. (#9310)
    • Fixed a memory leak in the agent when enrolling for the first time if it had no previous key. (#9967)
    • Removed CloudWatchLogs log stream limit when there are more than 50 log streams. (#9934)
    • Fixed a problem in the Windows installer that causes the agent to be unable to get uninstalled or upgraded. (#9897)
    • Fixed AWS WAF log parsing when there are multiple dicts in one line. (#9775)
    • Fixed a bug in AWS CloudWatch Logs module that caused already processed logs to be collected and reprocessed. (#10024)
    • Avoid duplicate alerts from case-insensitive 32-bit registry values in FIM configuration for Windows agents. (#8256)
    • Fixed error with Wazuh path in Azure module. (#10250)
    • Fixed a bug in the sources and WPK installer that made upgrade unable to detect the previous installation on CentOS 7. (#10210)

    RESTful API

    Changed

    • Made SSL ciphers configurable and renamed SSL protocol option. (#10219)

    Fixed

    • Fixed a bug with distributed API calls when the cluster is disabled. (#9984)
  • v4.2.1 Changes

    September 03, 2021

    Fixed

    • Installer:

      • Fixed a bug in the upgrade to 4.2.0 that disabled Eventchannel support on Windows agent. (#9973)
    • Modules:

      • Fixed a bug with Python-based integration modules causing the integrations to stop working in agents for Wazuh v4.2.0. (#9975)
  • v4.2.0 Changes

    August 25, 2021

    Added

    • Core:

      • Added support for bookmarks in Logcollector, allowing the agent to resume reading a log file from the point where it stopped. (#3368)
      • Improved support for multi-line logs with a variable number of lines in Logcollector. (#5652)
      • Added an option to limit the number of files per second in FIM. (#6830)
      • Added a statistics file to Logcollector. Such data is also available via API queries. (#7109)
      • Allow statistical data queries to the agent. (#7239)
      • Allowed quoting in commands to group arguments in the command wodle and SCA checks. (#7307)
      • Let agents running on Solaris send their IP to the manager. (#7408)
      • New option <ip_update_interval> to set how often the agent refreshes its IP address. (#7444)
      • Added support for testing location information in Wazuh Logtest. (#7661)
      • Added Vulnerability Detector reports to Wazuh DB to know which CVEs affect an agent. (#7731)
      • Introduced an option to enable or disable listening Authd TLS port. (#8755)
    • API:

      • Added new endpoint to get agent stats from different components. (#7200)
      • Added new endpoint to modify users' allow_run_as flag. (#7588)
      • Added new endpoint to get vulnerabilities that affect an agent. (#7647)
      • Added API configuration validator. (#7803)
      • Added the capability to disable the max_request_per_minute API configuration option using 0 as value. (#8115)
    • Ruleset:

      • Decoders
        • Added support for UFW firewall to decoders. (#7100)
        • Added Sophos firewall Decoders. (#7289)
        • Added Wazuh API Decoders. (#7289)
        • Added F5 BigIP Decoders. (#7289)
      • Rules
        • Added Sophos firewall Rules. (#7289)
        • Added Wazuh API Rules. (#7289)
        • Added Firewall Rules.
        • Added F5 BigIp Rules. (#7289)
      • SCA
        • Added CIS policy "Ensure XD/NX support is enabled" back for SCA. (#7316)
        • Added Apple MacOS 10.14 SCA. (#7035)
        • Added Apple MacOS 10.15 SCA. (#7036)
        • Added Apple MacOS 11.11 SCA. (#7037)

    Changed

    • Cluster:

      • Improved the cluster nodes integrity calculation process. It only calculates the MD5 of the files that have been modified since the last integrity check. (#8175)
      • Changed the synchronization of agent information between cluster nodes to complete the synchronization in a single task for each worker. (#8182)
      • Changed cluster logs to show more useful information. (#8002)
    • Core:

      • Wazuh daemons have been renamed to a unified standard. (#6912)
      • Wazuh CLIs have been renamed to a unified standard. (#6903)
      • Wazuh internal directories have been renamed to a unified standard. (#6920)
      • Prevent a condition in FIM that may lead to a memory error. (#6759)
      • Let FIM switch to real-time mode for directories where who-data is not available (Audit in immutable mode). (#6828)
      • Changed the Active Response protocol to receive messages in JSON format that include the full alert. (#7317)
      • Changed references to the product name in logs. (#7264)
      • Syscollector now synchronizes its database with the manager, avoiding full data delivery on each scan. (#7379)
      • Remoted now supports both TCP and UDP protocols simultaneously. (#7541)
      • Improved the unit tests for the os_net library. (#7595)
      • FIM now removes the audit rules when their corresponding symbolic links change their target. (#6999)
      • Compilation from sources now downloads the external dependencies prebuilt. (#7797)
      • Added the old implementation of Logtest as wazuh-logtest-legacy. (#7807)
      • Improved the performance of Analysisd when running on multi-core hosts. (#7974)
      • Agents now notify the manager when they stop, which allows the manager to log an alert and immediately set their state to "disconnected". (#8021)
      • Wazuh building is now independent from the installation directory. (#7327)
      • The embedded python interpreter is provided in a preinstalled, portable package. (#7327)
      • Wazuh resources are now accessed by a relative path to the installation directory. (#7327)
      • The error log that appeared when the agent cannot connect to SCA has been switched to warning. (#8201)
      • The agent now validates the Audit connection configuration when enabling whodata for FIM on Linux. (#8921)
    • API:

      • Removed ruleset version from GET /cluster/{node_id}/info and GET /manager/info as it was deprecated. (#6904)
      • Changed the POST /groups endpoint to specify the group name in a JSON body instead of in a query parameter. (#6909)
      • Changed the PUT /active-response endpoint function to create messages with the new JSON format. (#7312)
      • New parameters added to DELETE /agents endpoint and older_than field removed from response. (#6366)
      • Changed login security controller to avoid errors in Restful API reference links. (#7909)
      • Changed the PUT /agents/group/{group_id}/restart response format when there are no agents assigned to the group. (#8123)
      • Agent keys used when adding agents are now obscured in the API log. (#8149)
      • Improved all agent restart endpoints by removing active-response check. (#8457)
      • Improved API requests processing time by applying cache to token RBAC permissions extraction. It will be invalidated if any resource related to the token is modified. (#8615)
      • Increased to 100000 the maximum value accepted for limit API parameter, default value remains at 500. (#8841)
    • Framework:

      • Improved agent insertion algorithm when Authd is not available. (#8682)
    • Ruleset:

      • The ruleset was normalized according to the Wazuh standard. (#6867)
      • Rules
        • Changed Ossec Rules. (#7260)
        • Changed Cisco IOS Rules. (#7289)
        • Changed ID from 51000 to 51003 in Dropbear Rules. (#7289)
        • Changed 6 new rules for Sophos Rules. (#7289)
      • Decoders
        • Changed Active Response Decoders. (#7317)
        • Changed Auditd Decoders. (#7289)
        • Changed Checkpoint Smart1 Decoders. (#8676)
        • Changed Cisco ASA Decoders. (#7289)
        • Changed Cisco IOS Decoders. (#7289)
        • Changed Kernel Decoders. (#7837)
        • Changed OpenLDAP Decoders. (#7289)
        • Changed Ossec Decoders. (#7260)
        • Changed Sophos Decoders. (#7289)
        • Changed PFsense Decoders. (#7289)
        • Changed Panda PAPS Decoders. (#8676)
    • External dependencies:

      • Upgrade boto3, botocore, requests, s3transfer and urllib3 Python dependencies to latest stable versions. (#8886)
      • Update Python to latest stable version (3.9.6). (#9389)
      • Upgrade GCP dependencies and pip to latest stable version.
      • Upgrade python-jose to 3.1.0.
      • Add tabulate dependency.

    Fixed

    • Cluster:

      • Fixed memory usage when creating cluster messages. (#6736)
      • Fixed a bug when unpacking incomplete headers in cluster messages. (#8142)
      • Changed error message to debug when iterating a file listed that is already deleted. (#8499)
      • Fixed cluster timeout exceptions. (#8901)
      • Fixed unhandled KeyError when an error command is received in any cluster node. (#8872)
      • Fixed unhandled cluster error in send_string() communication protocol. (#8943)
    • Core:

      • Fixed a bug in FIM when setting scan_time to "12am" or "12pm". (#6934)
      • Fixed a bug in FIM that produced wrong alerts when the file limit was reached. (#6802)
      • Fixed a bug in Analysisd that reserved the static decoder field name "command" but never used it. (#7105)
      • Fixed evaluation of fields in the tag <description> of rules. (#7073)
      • Fixed bugs in FIM that caused symbolic links to not work correctly. (#6789)
      • Fixed path validation in FIM configuration. (#7018)
      • Fixed a bug in the "ignore" option on FIM where relative paths were not resolved. (#7018)
      • Fixed a bug in FIM that wrongly detected that the file limit had been reached. (#7268)
      • Fixed a bug in FIM that did not produce alerts when a domain user deleted a file. (#7265)
      • Fixed Windows agent compilation with GCC 10. (#7359)
      • Fixed a bug in FIM that wrongly expanded environment variables. (#7332)
      • Fixed the inclusion of the rule description in archives when an event matched a rule that would not produce an alert. (#7476)
      • Fixed a bug in the regex parser that did not accept empty strings. (#7495)
      • Fixed a bug in FIM that did not report deleted files set with real-time in agents on Solaris. (#7414)
      • Fixed a bug in Remoted that wrongly included the priority header in syslog when using TCP. (#7633)
      • Fixed a stack overflow in the XML parser by limiting recursion to 1024 levels. (#7782)
      • Prevented Vulnerability Detector from scanning all the agents in the master node that are connected to another worker. (#7795)
      • Fixed an issue in the database sync module that left dangling agent group files. (#7858)
      • Fixed memory leaks in the regex parser in Analysisd. (#7919)
      • Fixed a typo in the initial value for the hotfix scan ID in the agents' database schema. (#7905)
      • Fixed a segmentation fault in Vulnerability Detector when parsing an unsupported package version format. (#8003)
      • Fixed false positives in FIM when the inode of multiple files change, due to file inode collisions in the engine database. (#7990)
      • Fixed the error handling when wildcarded Redhat feeds are not found. (#6932)
      • Fixed the equals comparator for OVAL feeds in Vulnerability Detector. (#7862)
      • Fixed a bug in FIM that made the Windows agent crash when synchronizing a Windows Registry value that starts with a colon (:). (#8098 #8143)
      • Fixed a starving hazard in Wazuh DB that might stall incoming requests during the database commitment. (#8151)
      • Fixed a race condition in Remoted that might make it crash when closing RID files. (#8224)
      • Fixed a descriptor leak in the agent when it failed to connect to Authd. (#8789)
      • Fixed a potential error when starting the manager due to a delay in the creation of Analysisd PID file. (#8828)
      • Fixed an invalid memory access hazard in Vulnerability Detector. (#8551)
      • Fixed an error in the FIM decoder at the manager when the agent reports a file with an empty ACE list. (#8571)
      • Prevented the agent on macOS from getting corrupted after an operating system upgrade. (#8620)
      • Fixed an error in the manager that could not check its configuration after a change by the API when Active response is disabled. (#8357)
      • Fixed a problem in the manager that left remote counter and agent group files when removing an agent. (#8630)
      • Fixed an error in the agent on Windows that could corrupt the internal FIM database due to disabling the disk sync. (#8905)
      • Fixed a crash in Logcollector on Windows when handling the position of the file. (#9364)
      • Fixed a buffer underflow hazard in Remoted when handling input messages. Thanks to Johannes Segitz (@jsegitz). (#9285)
      • Fixed a bug in the agent that tried to verify the WPK CA certificate even when verification was disabled. (#9547)
    • API:

      • Fixed wrong API messages returned when getting agents' upgrade results. (#7587)
      • Fixed wrong user string in API logs when receiving responses with status codes 308 or 404. (#7709)
      • Fixed API errors when cluster is disabled and node_type is worker. (#7867)
      • Fixed redundant paths and duplicated tests in API integration test mapping script. (#7798)
      • Fixed an API integration test case failing in test_rbac_white_all and added a test case for the enable/disable run_as endpoint. (#8014)
      • Fixed a thread race condition when adding or deleting agents without authd. (#8148)
      • Fixed CORS in API configuration. (#8496)
      • Fixed api.log to avoid unhandled exceptions on API timeouts. (#8887)
    • Ruleset:

      • Fixed usb-storage-attached regex pattern to support blank spaces. (#7837)
      • Fixed SCA checks for RHEL7 and CentOS 7. Thanks to J. Daniel Medeiros (@jdmedeiros). (#7645)
      • Fixed the match criteria of the AWS WAF rules. (#8111)
      • Fixed sample log in sudo decoders.
      • Fixed Pix Decoders match regex. (#7485)
      • Fixed regex in Syslog Rules. (#7289)
      • Fixed category in PIX Rules. (#7289)
      • Fixed authentication tag in group for MSauth Rules. (#7289)
      • Fixed match on Nginx Rules. (#7122)
      • Fixed sample log on Netscaler Rules. (#7783)
      • Fixed match field for rules 80441 and 80442 in Amazon Rules. (#8111)
      • Fixed sample logs in Owncloud Rules. (#7122)
      • Fixed authentication tag in group for Win Security Rules. (#7289)
      • Fixed sample log in Win Security Rules. (#7783)
      • Fixed sample log in Win Application Rules. (#7783)
      • Fixed mitre block in Paloalto Rules. (#7783)
    • Modules:

      • Fixed an error when trying to use a non-default aws profile with CloudWatchLogs (#9331)

    Removed

    • Core:

      • File /etc/ossec-init.conf does not exist anymore. (#7175)
      • Unused files have been removed from the repository, including TAP tests. (#7398)
    • API:

      • Removed the allow_run_as parameter from endpoints POST /security/users and PUT /security/users/{user_id}. (#7588)
      • Removed behind_proxy_server option from configuration. (#7006)
    • Framework:

      • Deprecated update_ruleset script. (#6904)
    • Ruleset:

      • Removed rule 51004 from Dropbear Rules. (#7289)
      • Removed rules 23508, 23509 and 23510 from Vulnerability Detector Rules.
  • v4.1.5 Changes

    April 22, 2021

    Fixed

    • Core:
      • Fixed a bug in Vulnerability Detector that made Modulesd crash while updating the NVD feed due to a missing CPE entry. (4cbd1e8)
  • v4.1.4 Changes

    March 25, 2021

    Fixed

    • Cluster:
      • Fixed workers reconnection after restarting master node. Updated asyncio.Task.all_tasks method removed in Python 3.9. (#8017)