Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion SUMMARY.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,4 +42,4 @@
* [Elastic Fleet](examples/fleet/README.md)
* [Contribution License Agreement](contributing.md)
* [Commercial Licenses](commercial.md)
* [Changelog](detailed_changelog.md)
* [Changelog](changelog.md)
16 changes: 16 additions & 0 deletions detailed_changelog.md → changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,21 @@
<!-- AUTO-GENERATED from changelog/*.yaml by ror-api — do not edit by hand; maintainers edit the per-version YAMLs in changelog/. -->

# Changelog

### (2026-06-12) What's new in **ROR 1.70.1**

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the heading level for the new release section.

### jumps straight from the document’s # Changelog title to an h3, which breaks the heading hierarchy and triggers the markdown lint warning. Use ## here instead.

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 5-5: Heading levels should only increment by one level at a time
Expected: h2; Actual: h3

(MD001, heading-increment)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@changelog.md` at line 5, The release heading currently uses "### (2026-06-12)
What's new in **ROR 1.70.1**" which skips an h2 and triggers lint warnings;
change that heading token from "###" to "##" so the document goes from the
top-level "# Changelog" to a proper h2 for the new release section.

Source: Linters/SAST tools

<details>
<summary><strong>🚨Security Fix</strong> (ES) <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-42587">CVE-2026-42587</a></summary>
This release addresses a Netty vulnerability (CVE-2026-42587) where the HttpContentDecompressor's maxAllocation limit was silently ignored for Brotli, Zstd, and Snappy compression encodings, allowing an attacker to trigger unbounded memory allocation and denial of service via a crafted compressed payload. The fix updates the bundled Netty dependency to a patched version that properly enforces the decompression buffer limit for all supported content encodings.
</details>
<details>
<summary><strong>🐞Fix</strong> (KBN) <a href="https://forum.readonlyrest.com/t/1-69-1-es9-4-2-unable-to-create-new-tenancy/2989">Fixed tenancy creation after in-place Kibana 8.x→9.x upgrade; stale tenancy indices are repaired automatically (reindex + atomic alias swap)</a></summary>
When upgrading Kibana in-place from 8.x to 9.x, existing tenancy indices could become stale and block the creation of new tenants. This fix automatically detects and repairs such stale indices by performing a reindex operation followed by an atomic alias swap, ensuring a seamless upgrade path without manual intervention.
</details>
<details>
<summary><strong>🐞Fix</strong> (ES) Fixed Grok Debugger and Painless Lab in DevTools forbidden error for <code>admin</code>, <code>RW</code>, and <code>RO</code>, <code>RO-strict</code> <code>kibana.access</code> levels</summary>
Users with admin, RW, RO, or RO-strict kibana.access levels were incorrectly receiving forbidden errors when trying to use the Grok Debugger and Painless Lab tools in DevTools. This fix ensures these built-in Kibana debugging tools are properly authorized for all standard access levels.
</details>

### (2026-06-03) What's new in **ROR 1.70.0**
<details>
<summary><strong>🚨Security Fix</strong> (KBN) Fixed <code>kibana.allowed_api_paths</code> to only check Kibana and ReadonlyREST API calls, and to only be usable when <code>api_only</code> user access is configured</summary>
Expand Down