2.9.3

(2021-07-01)

Enhancements

  • MSR now tags all analytics reports with the user license ID when telemetry is enabled. It does not, though, collect any further identifying information. In line with this change, the MSR settings API no longer contains anonymizeAnalytics, and the MSR web UI no longer includes the Make data anonymous toggle (ENGDTR-2607).

  • The response from the security compliance API, /api/v0/meta/settings/compliance, now includes the following information:

    • Product version

    • Global enforcement policy

    • For each repository, a list of the following:

      • Enforcement policies

      • Promotion policies

      • Pruning policies

      • Push mirroring policies

      • Poll mirroring policies

    (ENGDTR-2532)

  • Added a matches operator to the rule engine that matches subject fields to a user-provided regex. This operator can be used for promotion, pruning, image enforcement, and push mirroring policies (ENGDTR-2498).

  • MSR now boosts container security by running the scanner process in a sandbox with restricted permissions. If the scanner process is compromised, it does not have access to the Rethink database private keys or to any portion of the file system that it does not require (ENGDTR-1915).

  • Updated Django to version 3.1.10, resolving the following CVEs: CVE-2021-31542 and CVE-2021-32052 (ENGDTR-2651).

Addressed issues

  • Fixed an issue with the MSR web UI wherein the repository listing on the Organizations > Teams > Permissions tab displayed no more than ten teams (FIELD-3998).

  • Fixed an issue in the MSR web UI wherein the Scanning enabled setting failed to display correctly after changing it, navigating away from the Security tab, and then returning to it (FIELD-3541).

  • Fixed an issue in the MSR web UI wherein, after clicking Sync Database Now, the In Progress icon failed to disappear at the correct time and the scanning information (including the database version) failed to update without a browser refresh (FIELD-3541).

  • Fixed an issue in the MSR web UI wherein the value of Scanning timeout limit failed to display correctly after changing it, navigating away from the Security tab, and then returning to it (FIELD-3541).

  • Fixed an issue wherein one or more RethinkDB servers in an unavailable state caused dtr emergency-repair to hang indefinitely (ENGDTR-2640).

  • Fixed an issue in MSR 2.9.2 that caused bootstrapper to panic when performing manual operations in an unhealthy environment.

Security information

  • Vulnerability scans no longer report a false positive for CVE-2020-17541 as of CVE database version 1388, published 2021-06-24 at 1:04 PM EST (ENGDTR-2634).

  • Vulnerability scans no longer report a false positive for CVE-2021-23017 as of CVE database version 1437, published 2021-06-27 at 5:11 PM EST (ENGDTR-2634).

  • Vulnerability scans may report the following CVE, though MSR is not impacted: CVE-2021-29921 (ENGDTR-2634).

  • Resolved the following CVEs in MSR containers:

    (ENGDTR-2634)