diff --git a/SUMMARY.md b/SUMMARY.md index b787eaa..5df46bf 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -42,4 +42,4 @@ * [Elastic Fleet](examples/fleet/README.md) * [Contribution License Agreement](contributing.md) * [Commercial Licenses](commercial.md) -* [Changelog](detailed_changelog.md) +* [Changelog](changelog.md) diff --git a/detailed_changelog.md b/changelog.md similarity index 99% rename from detailed_changelog.md rename to changelog.md index bf0f6ed..3a0b7c1 100644 --- a/detailed_changelog.md +++ b/changelog.md @@ -1,5 +1,21 @@ + + # Changelog +### (2026-06-12) What's new in **ROR 1.70.1** +
+🚨Security Fix (ES) CVE-2026-42587 +This release addresses a Netty vulnerability (CVE-2026-42587) where the HttpContentDecompressor's maxAllocation limit was silently ignored for Brotli, Zstd, and Snappy compression encodings, allowing an attacker to trigger unbounded memory allocation and denial of service via a crafted compressed payload. The fix updates the bundled Netty dependency to a patched version that properly enforces the decompression buffer limit for all supported content encodings. +
+
+🐞Fix (KBN) Fixed tenancy creation after in-place Kibana 8.x→9.x upgrade; stale tenancy indices are repaired automatically (reindex + atomic alias swap) +When upgrading Kibana in-place from 8.x to 9.x, existing tenancy indices could become stale and block the creation of new tenants. This fix automatically detects and repairs such stale indices by performing a reindex operation followed by an atomic alias swap, ensuring a seamless upgrade path without manual intervention. +
+
+🐞Fix (ES) Fixed Grok Debugger and Painless Lab in DevTools forbidden error for admin, RW, and RO, RO-strict kibana.access levels +Users with admin, RW, RO, or RO-strict kibana.access levels were incorrectly receiving forbidden errors when trying to use the Grok Debugger and Painless Lab tools in DevTools. This fix ensures these built-in Kibana debugging tools are properly authorized for all standard access levels. +
+ ### (2026-06-03) What's new in **ROR 1.70.0**
🚨Security Fix (KBN) Fixed kibana.allowed_api_paths to only check Kibana and ReadonlyREST API calls, and to only be usable when api_only user access is configured