.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. meta::
   :description: Changelog
   :keywords: WAPT, History, Genesis, changelog, documentation

.. |enterprise_feature| image:: wapt-resources/icon_wapt_enterprise.png
   :scale: 1%
   :alt: WAPT Enterprise feature only

#########
Changelog
#########

**************
WAPT-2.2 Serie
**************

=============================
WAPT-2.2.3.12485 (2022-12-16)
=============================

hash : 1724df7f

This is a bugfix release.

* [FIX] Fixed fresh install issue on WAPTServer Windows installer
* [FIX] Fixes waptexit freeze when in Discovery Edition (no licence registered) and the server is not accessible during WAPT Agent shutdown

=============================
WAPT-2.2.3.12481 (2022-11-30)
=============================

hash : ad3855c9

This is a security release with a few related bugfixes. All WAPT 2.0 versions below 2.2.3.12481 are affected.

Note : if you are using WAPTAgent deployment through GPO, don't forget to update your waptdeploy binary in the definition GPO.

WAPT Core
---------

* [SEC] upgrade python from 3.8.13 to 3.8.15
* [SEC] upgrade openssl from 1.1.1k to 1.1.1s
* [SEC] upgrade agent kerberos lib from 1.19.3 to 1.20.1 (linux/mac)
* [SEC] upgrade python modules with CVEs

  - pylint==2.12.2 -> 2.15.6
  - ujson==4.0.2 -> 5.5.0
  - waitress==2.0.0 -> 2.1.2

WAPT Agent
----------

* [SEC] waptdeploy.exe. Use only wapt_is1 install location from registry to get the current wapt install dir. Don't run wapt-get to check working condition.
* [FIX] Add fallback method to get domain in get_hostname
* [FIX] windows, replace "wapt-get.exe" --hide by "waptpythonw.exe wapt-get.py" to run session-setup because --hide does not actually hide shell window
* [FIX] wakeonlan relays
* [REF] code cleanup for agent common.py. removed unused imports
* [FIX] waptexit: fix only_priorities argument when starting waptexit from service.
* [IMP] MacOS : update build script to handle binary file signing and better debugging

WAPT Console
------------

* [UPD] wads: include hostname in template ipxe debian linux
* [IMP] waptconsole: don't display empty confirmation messagebox

WAPT Server
-----------

* [FIX] server postconf: force path when running psql command in postconf (linux)

=============================
WAPT-2.2.3.12463 (2022-09-29)
=============================

hash : fc306143

This release is mainly a bugfix release. The main new feature is tech-preview support for MacOS on Apple M1 architecture.

Note :

* due to EOL and security issue, PostgreSQL database version has been updated on WAPT Server for Windows and Redhat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. Upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on Redhat7. Be sure to run the postconf.sh script after upgrade.

WAPT Server
-----------

* [UPD] WAPT Server for Redhat7 / Centos7 : upgrade PostgreSQL version from 9.6 to 14.5
* [UPD] WAPT Server for Windows : upgrade nginx to 1.22.0
* [UPD] WAPT Server for Windows : upgrade vcredist to 2022
* [UPD] WAPT Server for Windows : upgrade PostgreSQL version from 9.6 to 14.5
* [FIX] WAPT Server for Windows : Fix icacls for migrate_pg_db
* [FIX] WAPT Server for Windows : allow install and upgrade with any server admins (does not require to use the local Administrator with RID -500 for install)
* [UPD] WAPT Server for Windows : waptserversetup: avoid automatic restart when installing msvc 2022
* [FIX] fix upgrade procedure : migrate data text to jsonb only if table hostauditdata in data_type text
* [FIX] patch create_default_users when upgrading from 1.8.2 to 2.2
* [FIX] Fix unhandled redirections in TWaptServer wget
* [FIX] Add RedirectMax parameter in WaptServer WGet
* [UPD] added ubuntu 22.04 in waptagent bundle
* [UPD] waptserver db: change primary of HostPackagesStatus, HostExtData, Packages, HostSoftwares, HostGroups, HostWebsocket, HostAuditData, ReportingSnapshots, HostWsus, LogsAPI to bigint
* [FIX] postconf nginx: bad error string format

WAPT Console
------------

* [FIX] host config package are not editable right after creating them.
* [FIX] error editing same OU package in one session
* [FIX] CleanupPackagesCache proper unlock even if no assigned package
* [FIX] fix Access Violation at startup when no server is defined in inifile
* [FIX] waptconsole: when deleting package in private repo page, package is still listed until console is restarted but actually deleted on server.
* [FIX] waptconsole : random timeout error when running commands from waptconsole

WAPT Agent
----------

* [FIX] setuphelpers. reintroduce running_as_system for linux and mac (uid==0)
* [FIX] start waptservice only if wapt-get.ini config exists
* [FIX] add PYTHONNOUSERSITE=1 to all .sh scripts to avoid spoiling PYTHONPATH with locally installed lib in user home directory
* [FIX] remove_file() was unable to remove symlinks
* [FIX] reset properly Wapt core settings to default when reloading config from wapt-get.ini
* [FIX] try to create a minimal wapt-get.ini file if it does not exist so that service can be started without any prior configuration.
* [FIX] WAPT Agent for MacOS : use system_profiler_info for dmi_info on macosx for support for Apple m1 architecture
* [FIX] WAPT Agent for MacOS : plistlib.readPlistFromBytes deprecation fix
* [FIX] WAPT Agent for MacOS : core macos: use uuid from system_profiler_info instead of dmidecode
* [FIX] WAPT Agent for MacOS : change postinst script for launchctl compatibility
* [FIX] WAPT Agent for MacOS : macos core get_hostname return binary string instead of str -> update_status loop
* [IMP] WAPT Agent for MacOS : rationalize pkg filename

=================================
WAPT-2.2.3.12454-rc2 (2022-09-26)
=================================

hash : 64bfc946

This is the second release candidate for WAPT 2.2.3. The main new feature is tech-preview support for MacOS on Apple M1 architecture. Otherwise it is mainly a bugfix release.

Note :

* due to EOL and security issue, PostgreSQL database version has been updated on WAPT Server for Windows and Redhat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. Upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on Redhat7. Be sure to run the postconf.sh script after upgrade.

Fixes since WAPT-2.2.3-rc1:

WAPT Server for Windows
-----------------------

* [FIX] Fix icacls for migrate_pg_db

WAPT Agent
----------

* [FIX] start waptservice only if wapt-get.ini config exists
* [FIX] add PYTHONNOUSERSITE=1 to all .sh scripts to avoid spoiling PYTHONPATH with locally installed lib in user home directory
* [FIX] remove_file() was unable to remove symlinks
* [FIX] waptconsole : fix AV at startup when no server is defined in inifile

WAPT Agent for MacOS
--------------------

* [FIX] use system_profiler_info for dmi_info on macosx for support for Apple m1 architecture
* [FIX] plistlib.readPlistFromBytes deprecation fix
* [FIX] core macos: use uuid from system_profiler_info instead of dmidecode
* [FIX] change postinst script for launchctl compatibility
* [FIX] macos core get_hostname return binary string instead of str -> update_status loop
* [IMP] rationalize pkg filename

=================================
WAPT-2.2.3.12411-rc1 (2022-09-05)
=================================

hash : 29e18f23

This is mainly a bugfix release.

Note :

* due to EOL and security issue, PostgreSQL database version has been updated on WAPT Server for Windows and Redhat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. Upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on Redhat7. Be sure to run the postconf.sh script after upgrade.

WAPT Server
-----------

* [UPD] WAPT Server for Redhat7 / Centos7 : upgrade PostgreSQL version from 9.6 to 14.5
* [UPD] WAPT Server for Windows : upgrade nginx to 1.22.0
* [UPD] WAPT Server for Windows : upgrade vcredist to 2022
* [UPD] WAPT Server for Windows : upgrade PostgreSQL version from 9.6 to 14.5
* [FIX] WAPT Server for Windows : allow install and upgrade with any server admins (does not require to use the local Administrator with RID -500 for install)
* [UPD] WAPT Server for Windows : waptserversetup: avoid automatic restart when installing msvc 2022
* [FIX] fix upgrade procedure : migrate data text to jsonb only if table hostauditdata in data_type text
* [FIX] patch create_default_users when upgrading from 1.8.2 to 2.2
* [FIX] Fix unhandled redirections in TWaptServer wget
* [FIX] Add RedirectMax parameter in WaptServer WGet
* [UPD] added ubuntu 22.04 in waptagent bundle

WAPT Console
------------

* [FIX] host config package are not editable right after creating them.
* [FIX] error editing same OU package in one session
* [FIX] CleanupPackagesCache proper unlock even if no assigned package

WAPT Agent
----------

* [FIX] setuphelpers. reintroduce running_as_system for linux and mac (uid==0)

=============================
WAPT-2.2.2.12388 (2022-07-22)
=============================

hash : 10e35aa7

This is mainly a bugfix release.

Note :

* there is a change in the way the wapt->glpi sync is working, please refer to documentation for upgrade
* Tech preview : new multiserver console support (connect to multiple wapt server using one console)
* added support for ubuntu 22.04 amd64
* def update_package() function can now be located in a separate update_package.py file. New package from wapt store will use this format to make setup.py more readable. Older wapt version are not impacted for package import and package install, but may be impacted if one want to update directly from waptconsole using update_package script.

WAPT Deployment Server (WADS)
-----------------------------

* [NEW] injecting oem key by slmgr command
* [FIX] fix tftpserver window size handling (bug on Dell uefi bios)
* [FIX] allow djoin with machine in default container CN=computers
* [FIX] improve error message when using standard user on MS AD for djoin.exe when >10 machine quota join has been reached
* [FIX] allow saving / renaming bundle names and check for empty names
* [IMP] add ACL on WADS (before it needed admin level ACL)
* [NEW] add post_install script windows
* [NEW] add ignore_ipxescript and move conf file and ipxescript
* [NEW] Basic Linux OS Deploy support : add Debian ipxe script template
* [NEW] add {{server_url}} {{secondary_repo}} and {{hostname}} in get_wads_config
* [NEW] add mustache templating in ipxescript
* [FIX] waptconsole uploadWinPE : fix regression in upload progress bar and incomplete zip.
* [FIX] add a progression form when uploading ISO and winpe
* [IMP] add wapttftpserver service shutdown in upgrade sequence (through net stop, not only taskkill)
* [IMP] add tftp firewalld port opening on Redhat

WAPT Console
------------

* [NEW] techpreview : waptconsole reporting multiservers
* [FIX] check that downloaded waptsetup version is same or newer than server
* [NEW] download from wapt.tranquil.it and upload on local waptserver agents for Linux and macOS directly from the console
* [NEW] Add a popup menu copy to clipboard as json for audit data.
* [NEW] displays audit history audit data explorer (treeview + html template) + allow drag/drop of an audit json value subkey from value tree explorer
* [IMP] waptwua : update waptwua status to 'NEED-SCAN' on hosts when download_wsusscan is triggered and wsusscn2.cab file is downloaded
* [IMP] package import : Don't take care anymore of maturity for version when it's compared to store version
* [FIX] add licence validity check tolerance +1 day
* [FIX] trigger downloads when triggering updates from console
* [FIX] allow ~ in package names (for spaces in Org units packages)
* [UPD] icons on windows update status for WUA
* [NEW] new option check_package_version in waptconsole.ini
* [FIX] Fix saving empty value in Editor for packages
* [UPD] waptconsole reporting: add a quick search filtering zone for the query result
* [FIX] Wrong message when no admin rights and waptagent need upgrade or not present
* [UPD] When going outside modified rules. A popup will ask to save or not the rules. #4568
* [UPD] Delete host popup
* [NEW] add feature to download packages when asking hosts for update
* [UPD] trigger_host_update adding possibility to download the package after update
* [FIX] Saving language param
* [UPD] add a NEED-SCAN waptwua.status, updated when Wapt.update() is called.
* [FIX] fix layout on Windows Update part
* [NEW] waptconsole: multiserver: manage packages repositories by server
* [FIX] waptconsole: re-enable dataexport to csv for grids
* [NEW] Explicit hint on number version when the package is not up to date (GridPackages)
* [UPD] waptconsole: improved drag drop of columns into GridHosts
* [NEW] waptconsole: new Htmlviewer for audit data. Popup menu
* waptconsole : Html auditdataview template filename (``wapt\templates\``) calculated from section and key, or section
* [FIX] waptconsole drag/drop audit values
* [IMP] waptconsole: Load AD Groups in thread
* [FIX] waptserver: improved message when triggering action

WAPT Server
-----------

* [FIX] glpi sync: simplified glpi_upload_hosts.py script.
* [NEW] techpreview waptserver: endpoint update_hosts_audit_data to bulk insert hosts related data (for third party data integration)
* [NEW] add multiserver endpoint for multiserver console
* [FIX] waptserver update_audit_data fix on_conflicts for value_id
* [IMP] waptserversetup: take in account wapt_folder parameter in waptserver.ini when upgrading a setup.
* [IMP] use utc time for acls expiration check
* [FIX] waptserver unable to delete some hosts when CRL is enabled
* [IMP] waptserver db install: try to register jsquery extension to make json query more powerful for reporting. (but this is not yet mandatory)
* [IMP] rename waptsetup-tis.exe to waptsetup.exe on server
* [IMP] include waptsetup.exe in waptserversetup.exe on windows
* [IMP] Download from TIS / upload to wapt server of agent installation packages
* [UPD] create a full version 1.2.3.rev-hash into file wapt/version-full
* [IMP] add hsts header to nginx template
* [DEL] Remove direct integration of GLPI sync into WAPT. Now switched to plugin sync
* [FIX] added trigger_host_action ACL on /api/v3/connected_wol_relays (used by /api/v3/trigger_wakeonlan)
* [IMP] force calc_md5 if new filename in server
* [IMP] improve websockets performance and reliability. Now websocket ids are stored in memory instead of being written in the database

WAPT Agent
----------

* [FIX] fix threading exception in WAPTExit and WAPTTray that could prevent status updates
* [NEW] WAPTWUA superseded support. option include_potentially_superseded_updates in config wizard
* [NEW] Add snap software inventory
* [FIX] waptmessage unable to load sqlite on Linux and macOS
* [FIX] custom waptmessage logo linux
* [FIX] waptservice configuration: set the configs_dir relative to wapt-get.ini full path.
* [FIX] waptservice 'start_waptexit' with arguments
* [FIX] bad arguments sent to waptservice triggering upgrades with 'only_priorities' and 'only_if_not_process_running'
* [FIX] Wapt.write_audit_data_if_changed: write data if previous data has expired.
* [IMP] wapt-get add-config-from-url: provide a meaningful message when hash is not provided
* [FIX] update template of dynamic json config packages to match new location and naming of json config related functions.
* [IMP] improve dynamic configuration handling for agent
* [FIX] waptservice: ensure a random secret_key for local waptservice session
* [FIX] wapt-get update-package-sources : handle properly relative path to package sources.
* [IMP] wapt-get edit now open changelog.txt, VSCod* now open control file too
* [UPD] change default log path to wapt/log if writable.
* [IMP] waptservice waptself: localauth with file token (ie. nopassword). Handle local groups
* [NEW] use --not-interactive with register if install run in silent mode and not run update if install service
* [IMP] waptself, wapt-get, waptexit, wapttray: kill check threads on close, even on linux to speed up application shutdown.
* [FIX] linux : waptservice restart Linux: AttributeError: 'WaptServiceRestart' object has no attribute 'logger'
* [IMP] macOS : normalize macos wapt install package name format
* [FIX] macOS : fix registration failing in some cases
* [IMP] macOS : add mpkg support
* [FIX] no hash in clipboard, added missing helper for add-config-from-url in wapt-get
* [IMP] limit access right to admins to log directory (in case non public stuff get written to log)

WAPT Core
---------

* [IMP] patch with_md5sum in make_package_filename
* [IMP] add options for update-package-sources
* [UPD] wapt core : use datetime in UTC for audit_data
* [NEW] wapt core: allow usage of an environment variable "waptbasedir" to specify the location of root waptbasedir
* [FIX] configuration package template setup_package_template_conf.py
* [IMP] support for def update_package in file update_package.py instead of setup.py for better readability
* [UPG] upgrade openssl to 1.1.1o
* [NEW] core: define path Wapt.configs_dir relative to Wapt.config_filename if the dir ``Wapt.config_filename\..\conf.f`` exists
* [FIX] waptcrypto: cert filename attribute not set when loading a cert chain
* [FIX] new option copytree2 replace_at_next_reboot
* [FIX] Avoid errors on get_version_from_binary() getting params
* [FIX] fix keyword and name with installed_softwares in macos and linux

=============================
WAPT-2.2.1.11957 (2022-06-02)
=============================

WAPT Deployment Server (WADS)
-----------------------------

* [FIX] fix wapttftpserver restart on linux
* [IMP] added xml for windows 11
* [FIX] if verify_cert empty so verify_cert=0

WAPT Console
------------

* [FIX] CheckLicence => licence is now valid one day before the real beginning

WAPT Agents
------------

* [FIX] fix harakiri on linux

=============================
WAPT-2.2.1.11949 (2022-05-18)
=============================

hash : 1b2dfbee

This is a bugfix release

WAPT Deployment Server (WADS)
-----------------------------

* [FIX] waptconsole: use ROOT in addition to CA windows system certificates stores when building winpe with verify_cert=1
* [FIX] fix selinux rules for WADS
* [FIX] fix non ascii character support in passwords
* [IMP] wgetwads: add more logging data (wget). Disable exe signature certificate as this could be blocking if CRL can not be checked in winpe environment for example
* [UPD] add a timer to wait for network in WADS
* [UPD] Update openssl to 1.1.1n for WADS

Other fixes
-----------

* [FIX] fix wrong GPO link on waptserver start page
* [FIX] fix some translation messages in console
* [FIX] wrong element order in message in ACL GUI
* [FIX] allow change password if user password has been cleared
* [UPD] update mormot2 for bug in TSynDictionary.AddOrUpdate()
* [UPD] update mormot statics for sqlite to 3.38.5 (required for mormot compatibility)

=============================
WAPT-2.2.1.11932 (2022-05-05)
=============================

hash : 6522dccb

This is a bugfix release.

WAPT Deployment Server (WADS)
-----------------------------

* [FIX] wapttftpserver : better handling of UEFI PXE/TFTP boot
* [FIX] wads now include non CA certificates for winpe build
* [FIX] Not adding "cn" in OU
* [FIX] wapttftpserver : add firewalld rule on redhat based server for wapttftpserver
* [FIX] WADS : improve feed back on upload WinPE
* [FIX] wapttftpserver : kill wapttftpserver and uninstall service before installing it
* [IMP] waptserversetup: add wapttftpserver configuration for windows

WAPT Server
-----------

* [FIX] fix typo for rocky support as server
* [FIX] waptservice websocket reconnection: disable by default low level reconnect feature

WAPT Console
------------

* [FIX] fix bad port configuration for veyon remote assistance support
* [FIX] Define default package prefix when creating empty package
* [FIX] patch setup_package_template_cert.py.tmpl
* [FIX] waptconsole: fix access violation when access to external repo is blocked or need a proxy.
* [IMP] package version in bold red if obsolete version compared to external repo for better accessibility

WAPT Agent
----------

* [FIX] waptservice websocket reconnection: disable by default low level reconnect feature
* [FIX] add conf.d to rpm agent installers for the new agent configuration management
* [FIX] macOS: fix get_file_type in macos
* [IMP] macOS: silently attach dmg file
* [IMP] waptwua : improve consistency between WUA history and WUA status
* [FIX] waptself: bad char case for png file (issue for linux)
* [IMP] add dummy running_on_ac for linux and mac for compatibility
* [FIX] waptutils.user_config_directory() did not work under system account.

WAPT Core
---------

* [IMP] mormot2 static: add 3.38.2 hash
* [IMP] sync htmlviewer with latest github commits from https://github.com/BerndGabriel/HtmlViewer/tree/master
* [IMP] waptguihelper: improved the design for InputDialog form

=============================
WAPT-2.2.1.11899 (2022-04-06)
=============================

hash : 2d82654e

This is mainly a bugfix release. A new tftpserver has been introduced and it will ease WADS installation and configuration as it will be directly integrated into WAPT.

WAPT Deployment Server (WADS)
-----------------------------

* [NEW] add a wapttftpserver binary on windows and linux to act as a tftp server for WADS
* [FIX] WADS : don't use redirect
* [FIX] WADS : be tolerant if sendstatus can not be sent.
* [IMP] WADS : handle https for drivers (continued)
* [UPD] wads : get windows system certificates for WADS server bundle
* [UPD] implement https verifyCert in wads and wgetwads
* [IMP] add serial_number arg when calling server get_wads_config in wads
* [UPD] waptconsole wads: add audit columns (created/updated) in grids.
* [NEW] Add an action to prepare a host package in WADS OS Deploy grid
* [NEW] wgetwads : use code signing cert of TIS to check signature of json hashes file if no signer_certificate in json file

WAPT Console
------------

* [UPD] OU "All" fixed to not editable on GridOrgUnits
* [FIX] waptconsole: wrong client https key password used for task polling thread.
* [FIX] waptwua packages : ALLOWED status in winupdates grid is kept between form display.
* [FIX] Package creation did not take silent flags in account
* [FIX] memory leak when refreshing packages list
* [FIX] waptconsole packages list: Showing all versions when "Last version only" is not checked
* [FIX] "property not found" in some grids when refreshing data.
* [FIX] running plugins on multiple hosts.
* [FIX] taking in account the platform when looking for TIS store package version
* [FIX] nested progress notifications in uwaptserverconnection TWaptServer
* [FIX] Disabled pysources check at waptconsole startup.
* [FIX] external repo ini settings dialog when importing.
* [FIX] waptconsole. some ui elements are not disabled when switching to discovery on login.

WAPT Server
-----------

* [NEW] add support for postgresql 14 on centos7
* [UPD] wapt windows server: update to nginx 1.20.2
* [IMP] server postinstall : put nginx backups in a different dir than nginx config
* [FIX] waptserver: fix empty error message when trying to activate an existing licence

WAPT Agent
----------

* [NEW] added new waptguihelpers : grid_dialog, filename_dialog, input_dialog, combo_dialog
* [FIX] waptdeploy multiple setupargs raise "Invalid variant operation"
* [FIX] missing root certificates when exporting system store certificates in lazarus app (GetSystemCABundlePath). Must trust CA + ROOT stores
* [FIX] setuphelpers: regression in maintaining backward compatibility for some const which are functions too (programfiles etc..)
* [FIX] be tolerant if uuid can not be regenerated (on linux, dmidecode can't be run as normal user in session-setup)
* [FIX] fix wget waptdeploy.exe waptagent.exe in wads and detect mismatch drivers config
* [FIX] waptagent regression : Revert "[UPD] waptservice : tasks don't notify server by default to avoid too frequent updates of database."
* [FIX] wapt-get : try to fix get service password on unix.
* [NEW] splitting remove_appx() with new function remove_user_appx() to avoid unexpected behavior
* [NEW] Add restart-waptservice action in wapt-get.py
* [FIX] fix publisher and version in installed_softwares macos
* [FIX] use waptservice to check if is_enterprise in waptexit (avoid direct access to local waptdb) (fix unable to access sqlite db on linux / mac)

WAPT to GLPI connector
----------------------

* [FIX] glpi fix install_date
* [FIX] regression in glpi export (Softwares)

=============================
WAPT-2.2.0.11720 (2022-03-15)
=============================

hash : 8e07f388

This is the first release of the 2.2 series of WAPT.

WAPT Core
---------

* [NEW] Discovery mode for the WAPT Console
* when checking acls, the licencing status is taken in account to enable or not actions.
* maximum number of 300 managed hosts in discovery mode.

WAPT Deployment Server (WADS)
-----------------------------

* [NEW] tech preview Automated Windows OS deployment called WADS |enterprise_feature|:

  * Using a winpe image (network boot or usb key boot).
  * Shipping wimboot, ipxe.efi, undionly.kpxe, 7z.dll.
  * Added openssl win64 binaries for WADS
  * Added :program:`wads.exe` and :program:`wgetads` custom binaries in distribution.
  * Added WADS repo option in repo rules.
  * Added a WAPT Console page to list raw registered hosts, upload winpe images, define default config, upload drivers bundles.
  * On WAPT Server: added :file:`/var/www/wads/` add a non protected :file:`/wads` in :program:`nginx` config.

WAPT Console
------------

* [NEW] add columns in private repo to display newest software version (Tranquil IT effort to parse softwares providers download sites) and newest package version (from Tranquil IT store database).
* [NEW] Dynamic Agent configuration using :mimetype:`.json` files stored on the WAPT Server:

  * Added a :code:`last_update_config_fingerprint` local param to keep track of current config.
  * Added 'configurations' (merged config overview) data when uploading host status to the WAPT Server.

* [NEW] Dynamic Agent configuration using config packages:

  * Added :file:`templates/setup_package_template_conf.py.tmpl` package template.
  * Added a :file:`wapt/conf.d` directory on the WAPT Agent to hold the installed :mimetype:`.json` configuration files.

* [NEW] New in the WAPT Console: added option to show the host WAPT Agent configurations overview.
* [NEW] New in the WAPT Console: option to display a graph of host packages dependencies.
* [NEW] New in the WAPT Console reporting: tabbed interface to displays multiple query results.
* [NEW] New in the WAPT Console: option to filter host inventory based on the result of a SQL query:

  * In reporting, right click on column which represent a host UUID and "choose as Host UUID" and save.
  * The query is then available in the combobox "Filter hosts on SQL query" in hosts inventory.

* [NEW] New in the WAPT Console: add a :guilabel:`Tech preview` Tab for packages development workflow:

  * Create from template;
  * Displays :file:`waptdev` directory sources package status;
  * Basic git commands.

* [IMP] Improved the WAPT Console send message : enable use of HTML (copy & paste). HTML Preview.
* [IMP] Do not clear selection on mouse right-click when selecting package names in package edits.
* [IMP] refactored the WAPT Console code to remove most python calls:

  * removed :file:`waptdevutils.py`, removed calls to WaptRemoteRepo, replaced by pure fpc code.


* [UPD] Updated the WAPT Console: merged selected hosts add/remove depends, add/remove conflicts in a single action/form
* [UPD] Updated the WAPT Console update package source: add a checkbox to enable package version increment.
* [UPD] Updated the WAPT Console 'plugins' config: warn user if not saved.
* [UPD] Updated the WAPT Console: removed obsolete Add ADS Groups to selected host action.
* [UPD] Updated the WAPT Console action :guilabel:`Refresh Host Inventory` triggers a :command:`update_server_status` instead of a full computer register.
* [UPD] Updated the WAPT Console: host additional tools (rdp, vnc, etc) which requires to look for a connected IP are now run in a thread to avoid freezing the UI.
* [UPD] Start of use of mormot2 for X509 and RSA crypto instead of python bindings in the WAPT Console
* [FIX] waptconsole : store executable signature with new key name format (xxx.exe keys)
* [FIX] duplicated panels in initial configuration package wizard.

WAPT Self-Service
-----------------

* [IMP] waptself: add logger.

WAPT Server
-----------

* [IMP] Improved the WAPT Server authentication: try ldap authentication only if :code:`ldap_auth_server` is defined.
* [UPD] Updated the WAPT Server licencing: use :program:`waptlicences.pyd` instead of pure python code.
* [UPD] Updated the WAPT Server: add config options :code:`wads_folder` and :code:`agent_folder`.
* [UPD] Updated the WAPT Server: improve GLPI export, add 'smodel' on GLPI exports and add 'monitors'.
* [IMP] force en_US.utf8 locale for linux services.
* [IMP] add /api/v3/latest_installed_package_version.
* [UPD] upgraded jquery to v3.6.0.

WAPT Service
------------

* [NEW] Added :file:`/opt/wapt/wapt-get.bin` to linux distributions.
* [NEW] New in the WAPT service: added a *WaptUnregisterComputer* task and :command:`unregister_computer` socketio action.
* [IMP] Improved the WAPT service: improved logger.
* [IMP] Improved the WAPT service and the WAPT Agent take into account the licencing status:

  * Added a :code:`licences` local params to store the current registered licences retrieved from the WAPT Server during the last update.

* [UPD] :program:`waptcrypto.py`: made optional the joining of signer certificate when signing claims.
* [UPD] Updated the WAPT Deployment utility: increased timeout from 4s to 15s when pinging the current http WAPT service.
* [UPD] Upgraded :program:`dmidecode` to v3.3 on windows.
* [UPD] Updated the WAPT service: do not check battery level for *WaptAuditPackage* task.
* [REF] Installers : merged :file:`wapt.iss` and :file:`common.iss`.
* [FIX] wapttasks: took in account non default config filename.
* [FIX] Fixed the WAPT service: reporting properly the user which created a task (either locally or using websockets).
* [FIX] Fixed the WAPT service: fixed icons in package local webpage.

wapt-get
--------

* [IMP] wapt-get new config actions. Added actions:

  * :command:`add-config-from-file`;
  * :command:`add-config-from-base64`;
  * :command:`add-config-from-url`;

  with parameters:

  * :code:`--not-interactive`: Disables dialog to ask credential users (for batch mode);
  * :code:`--waptbasedir`: Forces a different wapt-base-dir than default dir of :file:`waptutils.py`;
  * :code:`--devmode`: Enables devmode. dbpath is set to memory and certificate/key paths are in :file:`userappdata`;
  * :code:`--json-config-name`: The name of the :mimetype:`.json` file given with the action :command:`json-config-from-file/base64/url`;
  * :code:`--json-config-priority`: The priority of the json file given with the action json-config-from-file/base64/url.

* [UPD] Removed :command:`update-packages` action synonym for :command:`scan-packages`.
* [IMP] wapt-get added :command:`update-status` action in service mode :command:`wapt-get -S update-status`.
* [IMP] Enabled :code:`--CAKeyFilename` and :code:`--CACertFilename` wapt-get options |enterprise_feature|
* [IMP] Added logger for waptguihelper pyd module. if :code:`--loglevel` = ``debug`` in commandline, logger is activated.
* [IMP] Reporting the :code:`use_repo_rules` flag to the WAPT Server in wapt_status
* Report :code:`is_enterprise` flag to the WAPT Server
* Report installed antivirus and monitors in host inventory
* [IMP] Audit loop granularity based on actual installed packages:

  * Added :command:`get_next_audit_datetime()` on Wapt class.
  * :code:`waptaudit_task_period` attribute is now in the Wapt class instead of the WAPT service.

* [UPD] Removed the not functional :code:`--dry-run` wapt-get option.
* [IMP] Improved :command:`register` computer fallback from kerberos to password based authentication:

  * Do not send audit data when registering to limit workload.

* [IMP] Try registering computer if :command:`update_server_status` fails because of authentication.
* [IMP] :program:`waptpython.exe`, :program:`waptpythonw.exe`, and :program:`nssm.exe` are now signed with Tranquil code signing key.
* [NEW] added :program:`pylint` and :program:`black` modules. Added black configuration to :program:`vscode` project template.
* [NEW] Added :code:`setuphelpers.getscreens`.
* [IMP] Improved *SetupHelpers* unzip : new :code:`extract_with_full_paths` argument (default True).
* [NEW] New *SetupHelpers* :code:`listening_sockets()`.
* [IMP] Added :file:`templates/setup_package_template_portable_exe.py.tmpl` and :file:`templates/setup_package_template_portable_zip.py.tmpl` package templates.

Others stuff
------------

* [IMP] Added :code:`windows_version_prettyname` and :code:`windows_version_releaseid` in ``host_info``.
* [IMP] Always use :command:`RunAsAdminWait` to copy package certificate to the local WAPT service :file:`wapt\ssl` directory.
* [IMP] Improved the WAPT Console config: stores WAPT Server certificate in :file:`AppUser` folder (:file:`roaming\waptconsole\ssl\server`).
* [IMP] Reset TLS client key password in the WAPT Console config if connection error.
* [UPD] Retire python :code:`GetPrivateKeyPath`, raise exception if :code:`GetPrivateKey` does not succeed.
* [FIX] Clear cached TLS client key password when validating the WAPT Console config dialog.
* [IMP] Improve GLPI settings windows.
* [IMP] Clean up the html error page from the WAPT Server when checking the WAPT Server and WAPT repository URL.
* [FIX] Don't reenter the private key password dialog if already asking the user. This issue can be triggered if several threads are using a key, or if cooperative multitasking like TAction messages (OnUpdate) triggers a Get with client side certificate authentication.
* [SEC] Fix :code:`dhparam` on the WAPT Server postconf.
* [FIX] Fix failover on file version with :command:`remove_outdated_binaries()`.
* [IMP] Add :code:`asset_tag` to sysinfo api.
* [FIX] :code:`Get_antivirus_info`: test if timestamp attribute exists.
* [IMP] New getscreens function.
* [IMP] Added columns *uuid manufacturer* and *product serialnumber* in database.
* [UPD] Added :code:`mac_addresses` to ``LocalSysinfo``.
* [UPD] Expanded LocalSysinfo with uuid, serial_number and sku_number, fixed keys with underscore.
* [IMP] Improved matching of reachable IPs of client using new GetReachableIP from mormot2.
* [UPD] GetReachableIP: connection tests are performed in parallel using mormot GetReachableAddr instead of one after the other to reduce delay when launching IP based command to remote hosts from the WAPT Console.
* [FIX] Take :code:`--config` ``option`` into account for wapt-get fpc code.
* [UPD] waptcrypto: implemented :code:`TX509Certificate.CN`, removed :code:`TX509Certificate.DN`.
* [UPD] Updated *SetupHelpers* :command:`need_install`: now comparing software versions with 4 members.
  Assumes that 1.2 == 1.2.0.0 and 1.2.3.4.5 == 1.2.3.4, :command:`remove_previous_version`: use version with 4 members.

**************
WAPT-2.1 Serie
**************

=============================
WAPT-2.1.2.10652 (2022-01-10)
=============================

hash : 7dd63b61

* [UPD] shorten the default package filename. If :code:`target_os` is alnum, do not include md5sum in the filename. If :code:`target_os` is in tags, do not duplicate it in filename
* [FIX] disable debug data for linux
* [FIX] try to circumvent issue with Trend antivirus blocking the :program:`WaptTaskManager`. Looks like the issue is with platform.win32_ver using win32api.GetVersionEx...
* [FIX] Installed softwares invalid conditions
* [FIX] fix local_user and local_group on macOS
* [FIX] removed workaround on 60s delay for websocket disconnect
* [FIX] use CompressGZip instead of CompressZLib on the WAPT Server, compression is GZip
* [FIX] Allow '~' in package filenames
* [FIX] try to not update records in database if data has not changed
* [FIX] Wake on lan relay now equals is remote repository, close #2940
* [FIX] fix group members
* [FIX] return only local and user group (ignore nsswitch)
* [FIX] backported the WAPT Exit utility (improved detailed logging) from 2.2
* [FIX] backport waptlicences py module from 2.2
* [SEC] check that hostname matches https certificate in the WAPT Console http client.
* [FIX] backport uwaptlicencing: allow empty json licencing data
* [FIX] fix WaptHttpPostData
* [FIX] check valid uri in wapthttputils waptwget WaptWget_Try
* [FIX] init LastModifiedDate to '' if not found in THttpResponse
* [FIX] add a 50ms report delay for httpprogressnotification
* isolate wapt python engine: PyFlags:= [pfNoUserSiteDirectory, pfIsolatedFlag];
* [FIX] Fixed *SetupHelpers*: backported changes from 2.2 is_linux64 type_rhel fix installed_softwares for type_redhat upd uninstall_apt with autoremove
* [FIX] :code:`user_appdata` = ``user_local_appdata`` for unix
* [IMP] introduced get_powershell_str, get_default_app remove_appx
* [IMP] introduce InitLogger for the WAPT Exit utility
* [FIX] Fixed the WAPT Console: generalize the use of a fallback package_uuid in case of old packages without package_uuid field.
* [FIX] Fixed the WAPT Console: use editable dropdown in frmpackagedetails for maturity
* [FIX] backport issue with inc version of some group packages when importing
* [FIX] Disable client side ssl authentication on root WAPT Server url (regression)
* [FIX] isolate from user python env when building binary packages
* [UPD] improved feedback message for license activation on the WAPT Server.
* [UPD] wapt-scanpackages.py: add option -d to disable update of database Packages table.
* [FIX] The -b switch is True by default, so there was no way to disable update of database table.
* [UPD] Updated the WAPT Console: be tolerant for old package without package_uuid
* [UPD] strip ending slash in {{data.wapt.hostname}} server template properties to avoid double slashes in templates result
* [UPD] backport openssl build parameter from 2.2
* [FIX] Fixed the WAPT Agent url link in the WAPT Server index page.
* [FIX] setproctitle only for unix
* [FIX] locate packages in host packages grid using package_uuid instead of id, so that refreshing grid works properly with a multiselection of hosts.
* [UPG][SEC] upgrade python version from 3.8.11 to 3.8.12
* [FIX] remove python3 dependency. Now python3 is included in wapt

=============================
WAPT-2.1.2.10605 (2021-11-30)
=============================

hash : e2a0e2a0

* [FIX] Fixed the WAPT Console: backport edit multiple hosts add/remove depends/conflicts (issue "no password available yet" when kerberos enabled) backport IpExecute from 2.2
* [FIX] unable to edit stripped down package with integrated package editor. (setup.py file hash issue) update package size
* [FIX] bad path for nginx dhparam for Windows server
* [FIX] upgrade mormot2
* [FIX] waptself local admin NOPASSWORD setting did not work anymore log authentication user when task is triggered from local wapt webservice do not raise exception in check_auth_groups but return (None, None) instead to avoid Error 500 in browser backport fix for integer attributes in packages index backport fix for loading ssl libraries
* [FIX] Update wake on lan with broadcasts
* [FIX] Error "Add: Unexpected [%] object property in an array" for old package with empty package uuid
* [FIX] Acl handle boolean as global ACL
* [FIX][SEC] issue with acls : action is enabled when acl is set to json false

=================================
WAPT-2.1.2.10588-rc1 (2021-11-22)
=================================

hash : e70d9039

* [FIX] fix installed_softwares for older debian and improve inventory performance
* [FIX] fix glpi inventory failure (exception on int conversion)
* [SEC] [FIX] invalid condition on package hash check
* [SEC] [FIX] cleanup nginx config templates
* [NEW] add uwsgi support for Debian server
* [FIX] add user information in audit
* [FIX] Improve lazarus ini parser to support other values than '1'/'0' as boolean values (True, true, 1, 01, etc.
  same behavior as python iniparse)
* [IMP] support for message preview and templates in waptmessage editor and better multiline support
* [UPD] waptsetup : do not use kerberos by default
* [NEW] show certificate when double click in acl tab
* [IMP] Do not propose to start the WAPT Console after install (due to different user context)

=============================
WAPT-2.1.1.10568 (2021-11-08)
=============================

hash : 978c00ae

This is a bugfix version with some small improvements. The main fix is for websocket issue.

* [IMP] Prevent multiple websockets connections from same host uuid on the WAPT Server (bugged wapt clients can maintain multiple websockets, which leads to a lack of available connections on the WAPT Server)
* [FIX] Fixed restart of the WAPT service with exit code 10 (managed by the nssm service manager)
* [FIX] Fixed case on the WAPT service where different threads access simultaneously to a shared Wapt instance
* [IMP] Introduced some randomness when the WAPT service reconnects its websocket.
* [IMP] Checking more cases to determine if token for websocket has to be updated.
* [IMP] Introduced a wait in the socket client until it is actually disconnected before trying to reconnect to avoid multiple websocket threads from same client.
* [IMP] Do not re-create a new SocketIOClient at each reconnection, but reuse existing one to minimize risk of multiple connections.
* [FIX] Do not consider '%' char as unsafe in filenames
* [IMP] Improved logging of the WAPT service (logger wapttasks report main actions triggered by the service in :file:`wapt\log\waptservice.log`). Removed 'flask.app' logger config.
* [IMP] Remove the WAPT package's persistent directory on the WAPT client when a WAPT package is forgotten
* [IMP] Added :code:`ignore_empty_names` argument to *SetupHelpers*.installed_softwares
* [IMP] Improved display of :code:`package_uuid` with command wapt-get list
* [IMP] Added *redhat_based* tag for WAPT package operating system tags
* [FIX] Fixed :code:`decrypt_fernet` / :code:`fernet_encrypt` functions
* [IMP] Improved the reporting of key as name in softwares inventory for softwares without a descriptive name
* [FIX] The ``server_uuid`` column in hosts database updates properly.
* [FIX] Fixed the removal of packages when :code:`only_if_not_process_running` = ``True``.

Known issues:

* When the websocket is reconnecting, if the IP address has changed, the main IP address is not updated in IP address column in the WAPT Console.

=============================
WAPT-2.1.0.10550 (2021-10-08)
=============================

hash : 953c9552

This is a bugfix version with some small improvements.

* [FIX] Fixed mass add / remove on multiple host at once.
* [FIX] Fixed issue when editing a package without a "description_en" attribute in control file.
* [FIX] Fixed drag drop when editing *selfservice* package.
* [IMP] Improved feedback when uploading WAPT packages.
* [IMP] Improved handling of the list of wakeonlan relay.
* [IMP] Improved remote repository is now by default a wakeonlan relay.
* [FIX] Fixed access violation error when viewing certificate list.
* [FIX] Fixed do not enable verbose logging by default on the WAPT Console, the WAPT Exit utility and waptselfservice (might fill up %APPDATA% ...).
* [FIX] Fixed use :file:`templates/wapt-logo.png` in the WAPT Exit utility if it exists.
* [IMP] Improved login error message.

=============================
WAPT-2.1.0.10517 (2021-09-30)
=============================

hash : fa2af298

This is the first release of the 2.1 branch. It is mainly an incremental improvement with many small but worthy fixes on the 2.0 branch.

**The WAPT service**

* [IMP] During upgrade, :command:`wapt-get session_setup` is not run if no userspace configuration is defined for the installed WAPT packages.

**The WAPT Deployment utility**

* [IMP] Improved automatic proxy detection and configuration possible with the new :code:`--http_proxy` = ``True`` / ``False`` parameter or explicit url command line parameter.
* [IMP] Disabled https verification when downloading :program:`waptagent.exe` if a fingerprint is provided (allows installation on an out-of-date computer with expired certificate store).
* [IMP] Do nothing if no --waptsetupurl argument is provided (it reduces the probability of false positive on antivirus check).
* [IMP] Double check WAPT installed version after install and report error message if it does not match (allows detection of installations that have been blocked by a misconfigured antivirus for example).

**The WAPT Console**

* [NEW] tech preview: new tab to provide basic package editing functionality directly in the WAPT Console without having to open :program:`Pyscripter` or :program:`VSCode`.
* [NEW] New tech preview: new tab to browse the development directory directly from the WAPT console.
* [NEW] Single Sign On with Kerberos authentication (if :code:`service_auth_type` = ``waptserver-ldap`` and :code:`use_kerberos` = ``True``).
* [NEW] New button to display WAPT packages that have a specific WAPT package as a dependency in the private repository tab.
* [NEW] New message box to decrypt message sent by the WAPT Agents (using :code:`encrypted_data_str` / :code:`print_encrypted_data` in waptcrypto). This allows an admin to upload sensitive information from desktop that will be asymmetrically encrypted with the Administrator's public key.
* [NEW] New set of icons and many small visual improvements.
* [NEW] New software inventory tab to display installed software (not packages) and see which hosts have that specific software.
* [NEW] New button to delete Windows Update KB files that are not used anymore by any computers. This allows keeping the Windows Update storage volume under control.
* [NEW] New tab to have a user-friendly display of the certificates that are deployed on a specific host.
* [NEW] New tab to display the certificates that are available on a WAPT repository.
* [NEW] New warning icons on the hosts tab when the computer needs a restart (after a windows update for example).
* [NEW] New filter by OS option.
* [NEW] New icons in the :abbr:`OU (Organizational Unit)` tree view if a OU package exists for that Organizational Unit.
* [NEW] New information message about the choice of maturity when creating new WAPT Agent and by default uploading in DEV maturity (to avoid being directly deployed to all client computers, this allows testing the new WAPT Agent on a subset of computers before full scale deployment).
* [IMP] Made GLPI export configuration more intuitive.
* [IMP] Improved the WAPT Console plugin versatility. All inventory attributes can now be used in command lines (it uses the "mustache" template syntax, eg. ``{{ main_ip }} {{ computer_fqdn }} {{ host_capabilities.os_version }} "{{#host_capabilities.tags}}{{.}},{{/host_capabilities.tags}}"`` etc.).
* [IMP] Allow non standard port in the WAPT Console configuration.

**waptself**

* [NEW] allow custom logo in waptselfservice
* [NEW] Single Sign On using Kerberos (needs :code:`service_auth_type` = ``waptserver-ldap`` and :code:`use_kerberos` = ``True``)
* [IMP] allow customisation of package details view using template engine

**WAPT Exit utility**

* [IMP] allow custom logo (on Windows, Linux and macOS)

**wapt-get**

* [NEW] better handling of licence information.
  Now the licence is uploaded on the WAPT Server and it is not necessary to install it on every admin WAPT Console computer
* [IMP] propagate ExitCode from Python calls for better error handling
* [IMP] better handling of websocket reconnection (check of socket status every 120s)
* [IMP] periodic check of the UUID and the current certificate of the WAPT Agent for consistency between the WAPT Agent and the client computer
* [NEW] waptsetup and waptserversetup new parameters: :code:`set_verify_cert` and :code:`set_kerberos`

**************
WAPT-2.0 Serie
**************

============================
WAPT-2.0.0.9470 (2021-10-07)
============================

hash : 5065cb57

This is a security release with a few related bugfixes. All Wapt 2.0 versions below 2.0.0.9467 are affected.

* [SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
* [SEC] Sanitize filename used when downloading files on local client. (CVSS Score : 7.5 High, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C). Enforced on wget and local filenames for downloaded packages (chars '\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced).
* [SEC] Do not use PackageEntry filename attribute to build target package filename as it is not signed.
* [UPD] :command:`wapt-get remove`: reraise exception if there is an exception in uninstall script; return traceback in 'errors' key; return code 3 if there are errors when removing packages in :command:`wapt-get remove`.
* [FIX] handles wildcards in certificates in the WAPT Console config and create waptsetup update UI in external repositories config when setting CA bundle.
* [FIX] use PackageEntry.localpath only for local status of a package.
* [UPD] split PackageEntry non_control_attributes into *repo_attributes* and *local_attributes*. *local_attributes* are not put into Packages index as they are not relevant for remote access.
* [UPD] update python modules requirements following urllib3 upgrade

  * idna==3.2 (from 2.10)
  * certifi==2021.5.30 (from 2020.12.5)
  * requests==2.26.0 (from 2.25)
  * urllib3==1.26.6 (from 1.26.5)

============================
WAPT-2.0.0.9450 (2021-08-10)
============================

hash : 7bc6920c

This is a security fix version affected by `CVE-2021-38608 `_. Please visit the :ref:`security bulletin ` to learn more.

============================
WAPT-2.0.0.9449 (2021-06-22)
============================

hash : 70283a14

This is a bugfix version with some small improvements.

**WAPT Agent**

* [FIX] Fixed Windows Update fix in the progress bar.
* [IMP] Allow the WAPT Agent to upgrade even when on batteries.

**The WAPT Server**

* [IMP] Many fixes in GLPI sync.
* [FIX] Better handling of service_delete exception cases.
* [FIX] Fixed database migration handling with :code:`create_defaults_users` procedure.
* [FIX] Fixed on windows skip the WAPT Agent build if there is no available certificate for signing.

**The WAPT Core**

* [IMP] Improved the compatibility of :file:`Packages` file for easing upgrade from WAPT 1.8.2.
* [IMP] Improved the WAPT Deployment utility: behavior to avoid wrong red flag from AV softwares.

Caveat
------

For macOS support one should use the WAPT Agent 2.1 version available in nightly channel.

============================
WAPT-2.0.0.9428 (2021-05-06)
============================

hash : 4b33cf96

This is a bugfix version with many small improvements.

WAPT Console:

* [IMP] Improve :guilabel:`CreateWaptSetup` form layout.
* [IMP] Restore focused column visibility when refreshing grid data.
* [FIX] Fix wrong path for wapt-get.py in vscode project.
* [UPD] Update No fallback in rules to true by default.
* [FIX] :code:`enable-check-certificate` with wildcard.
* [FIX] take into account the :code:`use_http_proxy_for_repo` ini setting (if not present, assume ``False``).
* [FIX] Fix :file:`setup_package_template_msu.py.tmpl` for package Wizard.
* [IMP] Add new template for creating package with certificate.
* [IMP] Add option to check downloaded package with VirusTotal in package import GUI.
* [IMP] Add update-package source action directly in Private repository in the WAPT Console.

WAPT Agent:

* [IMP] Use task queue for the forced installs instead of running them inline.
* [FIX] Database not opened when we check Hosts who are secondary repositories.
* [IMP] Restart partial download of Windows Update files.
* [IMP] Improved icons handling in :program:`WaptSelfService`.
* [IMP] On macOS use host certificate store by default for https certificate validation.
* [IMP] :code:`reload_config_if_updated` now reloads config if :code:`public_certs_dir` has changed.
* [FIX] WUA: better handling of return code "does not apply to this computer".

WAPT Server:

* [FIX] Fixed bad migration of PGSQL database server side.
* [FIX] Improved database upgrade in corner cases.

**SetupHelpers**

* [FIX] Fixed :code:`register_windows_uninstall` calculation and using correct x86_64 environment with :command:`register_uninstall` and :command:`unregister_uninstall`.
* [IMP] Improved inline function description for documentation.

============================
WAPT-2.0.0.9343 (2021-04-08)
============================

hash : 117d62b8

This is mainly a bugfix release after the initial 2.0.0 release.

WAPT Console:

* [IMP] Show an explicit message if the user can not build a customized WAPT Agent.
* [IMP] Enabled remote repo sync if there are repo configured (making :code:`remove_repo_support` parameter obsolete).
* [IMP] Better filtering on :code:`maturities`.
* [FIX] Fixed templates for vscode

WAPT Server:

* [IMP] Include certificates from WaptUsers table in result of /api/v3/known_signers_certificates.

WAPT ACL handling:

* [UPD] ACL: added an action to show the user certificate.
* [UPD] Creates default (empty) WaptUserAcls record on user login even for non ldap logins.
* [IMP] Better naming for ACL domains.

**SetupHelpers**

* [FIX] Fixed :code:`register_uninstall`.
* [FIX] Do not change silently ``maturity`` and ``locale`` in :code:`check_package_attributes`.
* [FIX] Fixed regression in wget resume.

Other technical stuff:

* [IMP] Added support for installation on OracleLinux.
* [FIX] Tightened files ACLs on Linux + fixes + SELinux fixes in postconf.
* [IMP] Introduced :program:`mORMot2` framework in Lazarus code.
* [FIX] Fixed datetime conversion in the WAPT Console.

============================
WAPT-2.0.0.9300 (2021-03-30)
============================

hash : 018b8b57

This is the first release of the 2.0 series. After one year in development and more than 1600 commits it brings a bunch of new features and enhancements to the last major update of WAPT 1.8.2. On the technical side WAPT 2.0 now embeds Python3 and now supports 8 new platforms (some of them backported to 1.8.2). The switch to Python3 may require minor adjustments to existing packages that may have been developed in-house (refer to the corresponding doc page). The packages offered by Tranquil IT through the WAPT Store are already compatible with WAPT 2.0.

From a sysadmin point of view
-----------------------------

* [NEW] :abbr:`ACLs (Access Control Lists)`.

  * [IMP] WAPT Server side ACLs in addition to certificate validation.
  * [IMP] User management interface with certificate listing.

* WAPT Console:

  * [IMP] gui: change maturity directly from the WAPT Console.
  * [IMP] gui: all WAPT package types are grouped in one tab.
  * [IMP] helpers: build and upload locally development package from the WAPT Console.
  * [IMP] helpers: import default reporting queries from internet.
  * [IMP] helpers: restart the WAPT Agent and restart client computer from the WAPT Console.
  * [IMP] Package wizard: support for RPM/DEB/PKG/DMG.
  * [IMP] Remote repositories: status bar for progression of creation/ update of :file:`sync.json` for repo sync.
  * [IMP] Windows Updates: new search bar, view host with specific KB.
  * [IMP] Faster import and resigning of package, change of maturity, etc.
  * [IMP] :program:`waptmessage`: better handling of user oriented notification.
  * [IMP] Better logging of WAPT Console actions and WAPT Agent activity.

* Performance improvements for larger installations:

  * [IMP] Better handling of insert / update of inventory.
  * [IMP] Better handling of websocket updates.

* [IMP] GLPI integration: synchronize WAPT inventory to GLPI server.
* Better OS integration:

  * [IMP] TLS certificate handling: :program:`certifi` uses local OS certificate store instead of Python :program:`certifi` integrated certificate store.
  * [IMP] Increased the number of supported platforms, improved packaging for Linux (deb and rpm) with support for a WAPT Agent running on arm64 and macOS BigSur 64bit.

* Package development:

  * [IMP] Improved package wizard.
  * [IMP] Many small fixes and improvements to *SetupHelpers* and better support for Linux and macOS.
  * [IMP] Improve os targeting: now you can specify targeted OS and specific version of OS, eg. Debian(>=9,<=10).

From a technical point of view
------------------------------

* Python: switch from Python2.7 to Python3:

  * Linux: use of venv by default with distrib python 3 version.
  * Windows: switch python3 install to embedded edition 3.8.7.
  * Different installer for WinXP / WinVista / Win2k3r2 / win2k8 (nonr2) (recent CPython version does not support older Windows systems anymore).

* Better handling of passwords with special chars.
* Upgraded WAPT core libs and scripting environment.
* Upgraded to Python3 and Python libraries, changed kerberos and websocket libraries.
* Upgraded to Lazarus 3.0.10 and FPC 3.2.

Caveat
------

* Support for non supported Windows version (WinXP, WinVista, Win2k8 (non-R2) and Win2k3) is still baking in the oven and should be ready shortly after the 2.0 release date.
* Redhat8 and derivative distributions: for upgrade it is necessary to remove WAPT SELinux rules before using postconf again.

**************
WAPT 1.8 Serie
**************

============================
WAPT-1.8.2.7393 (2021-11-16)
============================

hash : 75a5de09

This is a security release. **All WAPT 1.8 versions below 1.8.2.7393 are vulnerable**.

* [SEC] Upgraded babel python module from 2.5.1 to 2.9.1.
* [UPD] Updated python lib upgrades urllib3, and requests:

  * chardet==4.0.0
  * requests==2.26.0
  * urllib3==1.26.7

============================
WAPT-1.8.2.7388 (2021-10-07)
============================

This is a security release. **All Wapt 1.8 versions below 1.8.2.7388 are vulnerable**.

Security changelog wapt-1.8.2.7388:

* [SEC] Fixed for vuln in urllib3 CVE-2021-33503 (CVSS Score: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
* [SEC] Sanitized filename used when downloading files on local client (CVSS Score: 7.5 High, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C). Enforced on wget and local filenames for downloaded packages (chars '\\' '..' @ | ( ) : / , \ [ ] < > * ? ; ` \n are removed or replaced).
* [SEC] Do not use PackageEntry filename attribute to build target package filename as it is not signed.
* [FIX] Fixed the WAPT Console config: when retrieving WAPT Server side https certificate, do not write UTF16 strings in waptconfig. Removed wildcards from CN of certificate to compose certificate filename.
* [UPD] Updated python modules requirements following urllib3 upgrade

  * certifi==2021.5.30
  * chardet==3.0.2
  * idna==2.8
  * requests==2.21.0
  * urllib3==1.24.3

============================
WAPT-1.8.2.7373 (2021-08-10)
============================

hash : e96e569c

This is a security fix version affected by `CVE-2021-38608 `_. Please visit the :ref:`security bulletin ` to learn more.

============================
WAPT-1.8.2.7372 (2021-06-21)
============================

**WAPT Agent**

* [FIX] Fixed regression on macOS build after dependency upgrade.
* [FIX] Fixed :code:`_update_db`: error in the calculation of :code:`next_update_on` for WAPT package attributes :code:`valid_until` and :code:`forced_install_on`.
* [IMP] Be sure to not use waptguihelper when running as system user.
* [UPD] Added :code:`--use-gui` for :program:`vscode` / :program:`pyscripter` build-upload of a WAPT package.

**The WAPT Server**

* [FIX] Fixed regression on proxy setting for the WAPT Server.

**SetupHelpers**

* [IMP] Added the function :code:`split_arg_string` to split a command line into executable / args list.

============================
WAPT-1.8.2.7357 (2021-02-09)
============================

WAPT Core:

* [FIX] Be tolerant with :code:`target_os` = ``all`` in windows.
* [FIX] Fixed :code:`installed_softwares`, ignore error when key can not be opened because of encoding issues (:code:`_winreg` does not handle unicode, but ansi).
* [IMP] show '' instead of None in wapt-get tables.
* [FIX] Updated timestamping of the WAPT Server and openssl hash: http://timestamp.globalsign.com/scripts/timestamp.dll.
* [FIX] Be tolerant if no 'id' attribute in installed packages report.
* [FIX] Match properly packages with :code:`target_os` = ``all``.
* [IMP] Prepared :code:`installed_packages` for upgrade to wapt 1.9.
* [IMP] Added :code:`Timeit` class for test purposes.
* [IMP] Disabled sending unused data :code:`waptwua_rules_packages`.
* [FIX] Fixed waptupgrade: regression Bug introduced in revision 85686e4d631adb6e13b25146f3a81f3c09ca082d.
* [FIX] Fixed CA certificate PEM string stored as utf16 in certificate chain when creating a certificate signed by a CA (**enterprise**).

WAPT Console:

* [IMP] Increased width of AD-Site combobox.
* [IMP] Report packages install_id in the WAPT Console.

WAPT Agent:

* [IMP] wapt-get: add :code:`--newest-only` for search.
* [IMP] Improved the WAPT Exit utility: add ExceptionLogger. Change the way exceptions are handled in threads to try to fix issues when the WAPT Exit utility hangs and can not be closed.

WAPT Server:

* [FIX] Do not actually update the listening websocket session ID if it is already set in hosts table.
* [IMP] wapttasks: force remove tasks locks at service startup.

============================
WAPT-1.8.2.7334 (2020-12-03)
============================

hash : 2d15afd9

This is a bugfix release. Ubuntu 16.0.4 amd64 and Debian 10 armhf clients are now supported.

Fixes and enhancements
----------------------

* [FIX] Fixed base proxy string "" when editing a *profile* package.
* [FIX] Fixed "Unable to create file" when editing a *profile* package.
* [FIX] Do not allow to save a *self-service* rules packages without a name.
* [FIX] Fixed Access violation when importing from file.
* [FIX] Fixed issue with download_icons.
* [FIX] Improved search in the WAPT Console (search on concatenation of software name and software version).
* [FIX] Fixed extract CN from ssl client certificate authentication for :code:`get_auth_token` when windows client computer has an organization (in this case client csr/certificate has a CN=,O= subject).
* [FIX] Fixed regression on wakeonlan introduced by backported code from 1.9.
* [FIX] PostgreSQL database not correctly migrating from some 1.8.1.X.
* [IMP] Added key param for :code:`install_msi_if_needed` in :program:`setuphelpers_windows.py`.
* [FIX] Fixed :code:`no_fallback` in repositories rules.
* [FIX] Soupsieve python lib is set to 1.9.6 in requirements because later versions are Python3 only.
* [FIX] Patch for :program:`SocketIO` with proxy.
* [FIX] Fixed triggers for repository sync in PostgreSQL who were not correctly migrated (**Enterprise**).
* [IMP] Two new builders for both the WAPT Server and WAPT Agents: Ubuntu 16.0.4 LTS / ARM x86 Debian 10 (**Enterprise**).
* [IMP] Revert dhparam bits size to 1024 bits in Windows WAPT Server because it took too much time to generate. It can be generated afterward.
* [IMP] Increase default clockskew for signed action to 6 hours (before it was only 1 hour).
* [FIX] Fixed security in waptcrypto: prevent infinite loop in :code:`SSLCABundle.certificate_chain` if issuer certificate and signed certificate have the same subject but one has no :code:`authority_key_identifier`.
* [FIX] waptcrypto: fixed :code:`revoke_cert`, handle list of DNS names for certificates, fixed :code:`AuthorityKeyIdentifier` when regenerating certificate from CSR.
* [FIX] Fixed the WAPT service for :code:`verify_cert_ldap` in the WAPT Agent.
* [FIX] Patched :program:`pltis_utils` to display properly long integer in WAPTWUA. The :file:`wsusscn2.cab` file may report KBs with incorrect huge download size up to 1TB.
* [FIX] On a fresh install the admin ACL rights were not properly set up which required a service restart to get them fixed.
* [FIX] Force admin password change on upgrade if the old hash is SHA-1.
* [FIX] Minor fixes for :program:`uWSGI` support.
* [FIX] Fixed temporary directories not removed after package import or edit.
* [FIX] Fixed duplicated :program:`auth_module_ad.py` module in bad waptwaptenterprise directory on a windows WAPT Server.
* [IMP] Warning of WAPT licence expiration message changed from 14 days to 60 days before expiration.
* [FIX] Fixed broadcast for wakeonlan.
* [FIX] Fixed additional WAPT Server password issues when non ascii character.

Library changes
---------------

* [UPD] Update OpenSSL binary from 1.0.2r to 1.0.2u.
* [UPD] Update Python4Delphi lib to 20201020 release.
* [UPD] Build now with Lazarus 2.0.8 and FPC 3.0.4.

============================
WAPT-1.8.2.7269 (2020-06-16)
============================

hash : 757cdc76

* [FIX] Fixed database schema upgrade script for upgrade from WAPT version 1.8.1-6742. Fresh 1.8.2 installation or upgrade from 1.7 or from 1.8.0 or 1.8.1-6758 should not have the issue.
* [IMP] Add key for :code:`install_msi_if_needed`.
* [FIX] Fixed for :code:`no_fallback` for waptwua (**Enterprise**).

============================
WAPT-1.8.2.7267 (2020-06-12)
============================

hash : 46f40312

* [FIX] Fixed database schema upgrade script for upgrade from WAPT version 1.8.1-6742. Fresh 1.8.2 installation or upgrade from 1.7 or from 1.8.0 or 1.8.1-6758 should not have the issue.

============================
WAPT-1.8.2.7265 (2020-06-11)
============================

hash : 339f1996

This is mostly a bugfix release. Support for Linux and macOS clients has also been greatly improved.

Notable enhancements
--------------------

* [IMP] Improved support for the WAPT Agent running on Linux and macOS. Now the support is almost identical on Windows, Linux and MacOS (all versions):

  * [IMP] The WAPT Agent installs as a service with kerberos registration.
  * [IMP] the WAPT Self-service gui available on the 3 platforms (note: support for the latest version of macOS, Catalina, is expected for 1.8.3).
  * [IMP] Improved the WAPT Exit utility (on Linux and macOS it is not yet started on system shutdown, it can be triggered by a scheduled task).
  * [IMP] :code:`session-setup` for configuring user sessions.
  * [IMP] Send message to users and propose upgrades (**Enterprise** only).
  * [IMP] :abbr:`OU (Organizational Unit)` handling (**Enterprise** only).
  * [IMP] The WAPT Self-service authentication can be delegated to the WAPT Server (**Enterprise** only).
  * better *SetupHelpers* coverage.

* [IMP] New supported platforms. Now WAPT for linux (WAPT Server and Agent) and macOS (WAPT Agent only) supports:

  * Ubuntu 18.04 and 20.04;
  * Debian 8, 9 and 10;
  * Centos7 (CentOS 8 as a preview);
  * MacOS Sierra, HighSierra, Mojave (note: support for MacOS Catalina expected for WAPT 1.8.3).

* [IMP] Streamlining of development environment for packaging on Linux using VSCode.
* [FIX] Better handling of websocket cleanup when a host is not properly registered. Should improve stability on large WAPT installations.
* [IMP] The selfservice can now be configured for external authentication for desktops that are not in an Active Directory Domain.
* [IMP] The selfservice users can now authenticate on the WAPT Server even when out of the corporate network.
* [IMP] The session setup is run for all packages immediately after :command:`wapt-get upgrade` or :command:`wapt-get install`, so that new packages are already configured in the context of each logged in user (no need to logout / login) (**Enterprise** only).
* [IMP] If secondary repositories are defined in :file:`waptconsole.ini`, additional packages can be selected when editing hosts, groups or self-service packages.
* [IMP] When editing group or self-service packages, one can define the Target OS of the package.
* [IMP] Remote message to logged in users is using the same custom dialog box for Windows, Linux and macOS.
* [IMP] Remote message to logged in users can display the same custom logo as self-service (**Enterprise** only).
* [IMP] The IP/Subnet match in repository access rules is based on the "main IP" of the host (source IP from which the host is reaching the WAPT Server, if the WAPT Server is public, this is usually the external IP of the router) (**Enterprise** only).
* [IMP] Added Remote host Shutdown and remote host Reboot from the WAPT Console if enabled in :file:`wapt-get.ini` (:code:`allow_remote_shutdown` and :code:`allow_remote_reboot`) (**Enterprise** only).
* [IMP] Added a :guilabel:`no fallback` checkbox in repositories access rule to prevent host using main repository in case secondary ones are not reachable (when main repository bandwidth is limited, having all hosts reaching the main repository can slow down access to the main site) (**Enterprise** only).
* [FIX] Make sure the WUA install tasks are executed after packages are installed (**Enterprise** only).

Other enhancements
------------------

* [IMP] The :program:`Cmd` console is hidden when :command:`wapt-get session-setup` is running, to limit annoyance for users.
* [IMP] Improved WUA direct download option in the WAPT Console (**Enterprise** only).
* [IMP] Can now use Microsoft url for WUA in rules (**Enterprise** only).
* [FIX] Improved background icons loading in WAPT Self-service.
* [FIX] Better inventory of :code:`lastboottime` and :code:`get_domain_info`.
* [FIX] Better handling of other local install of Python on client computer (eg. conflict with local Anaconda Python installation).
* [IMP] Allows to have multiple private repo content displayed in the WAPT Console.
* [IMP] Remote repository: it is now possible to prevent a fallback.
* [FIX] Better handling of icons in the WAPT Self-service.
* [IMP] Improved support for :program:`VSCode`.
* [FIX] Better handling of ipv6 in the WAPT Console and the inventory.
* [IMP] :code:`wapt_admin_filter`: local administrators can be filtered out like normal user in the WAPT Self-service.
* [IMP] Larger support for *SetupHelpers* on macOS.
* [FIX] The WAPT Server logs are properly redirected to :file:`/var/log/waptserver.log`.
* [FIX] Fixed package caching: packages are deleted after each successful installation (rather than at the end of the whole upgrade) to better preserve local disk space.
* [IMP] Allow usage of url for changelog in control file.
* [IMP] Better support for Windows Update download directly from Microsoft if the WAPT Server is not reachable.
* [FIX] Better handling of upgrade from Community version to Enterprise version.
* [IMP] Improved local store skin and translations.
* [FIX] Bugfixes and minor GUI improvements.

Library changes in WAPT-1.8.2.7265
----------------------------------

* [CHANGE] Replaced :program:`python-ldap` with :program:`ldap3`.
* [FIX] Upgraded :program:`ujson` on the WAPT Server and the WAPT Agent running on Linux.

Removed features with WAPT-1.8.2.7265
-------------------------------------

* [REMOVED] Autoconfiguration of repositories based on SRV DNS fields (it was not working anymore anyway).

Caveats when using WAPT-1.8.2.7265
----------------------------------

* [CAV] :program:`waptexit` is not run automatically on shutdown on Linux or macOS (current issue with :program:`systemd` / launchd integration).
* [CAV] :program:`wapttray` is not yet available on Linux and macOS.
* [CAV] MacOS Catalina is supported by the WAPT Agent, however :program:`WAPTSelfService` and :program:`waptexit` are not yet supported.

================================
WAPT-1.8.2.7265 RC2 (2020-05-29)
================================

hash git : 339f1996

.. warning::

  This is a Release Candidate version for testing and evaluation only and should not be installed on production system.

This is mostly a bugfix release. Support for Linux and macOS clients has greatly improved.

Notable enhancements over 1.8.2 RC1
-----------------------------------

* [IMP] Improved the session setup in run for all packages immediately after :command:`` or install, so that new packages are already configured in the context of each logged in user (no need to logout / login) (**Enterprise** only).
* [IMP] If secondary repositories are defined in :file:`waptconsole.ini`, additional packages can be selected when editing hosts, groups or self-service packages.
* [IMP] When editing group or self-service packages, one can define the target OS of the package.
* [IMP] Remote message to logged in users is using the same custom dialog box for windows, linux and macOS.
* [IMP] Remote message to logged in users can display the same custom logo as self-service (**Enterprise** only).
* [IMP] The IP / Subnet match in repository access rules is based on the *main IP* of the host (source IP from which the host is reaching the WAPT Server, if the WAPT Server is public, this is usually the external IP of the router) (**Enterprise** only).
* [IMP] Added remote host shutdown and remote host reboot from the WAPT Console if enabled in wapt-get.ini (:code:`allow_remote_shutdown` and :code:`allow_remote_reboot`) (**Enterprise** only).
* [IMP] Added a :guilabel:`no fallback` checkbox in repositories access rule to prevent hosts using main repository in case secondary repositories are not reachable (when main repository bandwidth is limited, having all hosts reaching the main repository can slow down access to the main site) (**Enterprise** only).
* [FIX] Make sure WUA install tasks are executed after packages install (**Enterprise** only).

Other enhancements over 1.8.2 RC1
---------------------------------

* [IMP] the :program:`cmd` console is hidden when session-setup is running, to limit annoyance for users.
* [IMP] WUA direct download option in the WAPT Console (**Enterprise** only).
* [IMP] Can now use Microsoft url for WUA in rules (**Enterprise** only).
* [IMP] Improved background icons loading in self-service.

Removed features
----------------

None

Caveats
-------

Same as RC1

================================
WAPT-1.8.2.7165 RC1 (2020-05-29)
================================

hash git : 1387b38f

.. warning::

  This is a Release Candidate version for testing and evaluation only and should not be installed on production system.

This is mostly a bugfix release. Support for Linux and macOS clients has greatly improved.

Notable enhancements in WAPT-1.8.2.7165 RC1
-------------------------------------------

* [IMP] improve support for the WAPT Agent on Linux and macOS. Now the support is almost identical on Windows, Linux and macOS (all versions):

  * [IMP] The WAPT Agent installs as a service with kerberos registration.
  * [IMP] waptselfservice gui available on the 3 platforms (note: support for the latest version of MacOS, Catalina, is expected for 1.8.3).
  * [IMP] Improved the WAPT Exit utility (on Linux and macOS it is not yet started on system shutdown, it can be triggered by a scheduled task).
  * [IMP] session-setup for configuring user sessions.
  * [IMP] send messagebox to users and propose upgrades (**Enterprise** only).
  * [IMP] OU handling (**Enterprise** only).
  * [IMP] waptselfservice authentication can be delegated to the WAPT Server (**Enterprise** only).
  * [IMP] Better *SetupHelpers* coverage.

* [IMP] add new supported platform. Now WAPT for linux (WAPT Server and Agent) and MacOS (WAPT Agent only) supports:

  - Ubuntu 18.04 and 20.04;
  - Debian 8, 9 and 10;
  - Centos7 (CentOS 8 as a preview);
  - MacOS Sierra, HighSierra, Mojave (note: support for MacOS Catalina expected for WAPT 1.8.3).

* [IMP] streamlining of development environment for packaging on Linux using VSCode.
* [FIX] better handling of websocket cleanup when a host is not properly registered. Should improve stability on large WAPT installation.
* [IMP] selfservice can now be configured for external authentication for desktops that are not in an Active Directory Domain.
* [IMP] selfservice users can now authenticate on selfserver even when out of the corporate network.

Other enhancements in WAPT-1.8.2.7165 RC1
-----------------------------------------

* [FIX] Better inventory of :code:`lastboottime` and :code:`get_domain_info`.
* [FIX] Better handling of other local install of Python on client computer (eg. conflict with local Anaconda Python installation).
* [IMP] Allow to have multiple private repo content displayed in the WAPT Console.
* [IMP] Improved remote repository to make possible to prevent a fallback.
* [FIX] Better handling of icons in selfservice.
* [IMP] Improved support for VSCode.
* [FIX] Better handling of ipv6 in the WAPT Console and inventory.
* [IMP] :code:`wapt_admin_filter`: local admin can be filtered out like normal user in selfservice.
* [IMP] Added a larger support for *SetupHelpers* on macOS.
* [FIX] WAPT Server logs are properly redirected to :file:`/var/log/waptserver.log`.
* [FIX] Better support for package caching: packages are deleted after each successful installation (rather than at the end of the whole upgrade) to better keep local disk space.
* [IMP] Allow usage of url for changelog in control file.
* [IMP] Better support for Windows Update download directly from Microsoft if the WAPT Server is not reachable.
* [FIX] Better handling of upgrade from Community version to Enterprise version.
* [IMP] Improved local store skin and translation.
* [FIX] Bugfixes and minor gui improvements.

Library changes in WAPT-1.8.2.7165 RC1
--------------------------------------

* [REF] replaced :program:`python-ldap` with :program:`ldap3`.
* [FIX] upgraded :program:`ujson` on the WAPT Agent and Server on Linux.

Removed features with WAPT-1.8.2.7165 RC1
-----------------------------------------

* autoconfiguration of repositories based on SRV DNS fields (it was not working anymore anyway).

Caveats when using WAPT-1.8.2.7165 RC1
--------------------------------------

* [CAV] The WAPT Exit utility is not run automatically on shutdown on Linux or MacOS (current issue with systemd / launchd integration).
* [CAV] the WAPT System Tray utility is not yet available on Linux and macOS.
* [CAV] MacOS Catalina is supported by the WAPT Agent, however WAPTSelfService and the WAPT Exit utility are not yet supported.

============================
WAPT-1.8.1-6758 (2020-03-06)
============================

(hash bb93ce41)

WAPT Server:

* [REF] Refactoring in :program:`postconf.py` to remove old migration scripts from MongoDB.
* [REF] Refactoring for :program:`winsetup.py` to create now a ``dhparam`` for :program:`nginx` on Windows.
* [REF] Refactoring for repositories: changed :code:`repo_diff` to :code:`remote_repo_diff` and added the parameter :code:`remote_repo_websockets` (default ``True``) to the WAPT Server.
* [IMP] disable cache on :program:`nginx` for Windows and Linux on wapt packages / exe.

WAPT Agents:

* [REF] Changed the parameter :code:`waptservice_admin_auth_allow` to :code:`waptservice_admin_filter`.
* [REF] Deleted resync functions for remote repo.
* [IMP] Improved the default parameter :code:`local_repo_sync_task_period` to ``2h``.
* [FIX] Fixed wapt-get / WAPT service debug when downloading a WAPT package on Linux while not using a sudo account.
* [FIX] Fixed :program:`plist` in macOS.
* [IMP] Can now have relative path for WAPT packages / directories in :program:`wapt-get`.
* [IMP] Templates have by default setup_uninstall / update etc...
* [IMP] Improved templates for :program:`vscode`.

**The WAPT Console**

* [IMP] Added possibility of template packages for :mimetype:`.deb` / :mimetype:`.rpm` / :mimetype:`.pkg`.
* [FIX] Fixed error with :mimetype:`.msi`, :mimetype:`.exe`, etc in PackageWizard explorer.
* [IMP] Can now choose :code:`editor_for_packages` directly in the WAPT Console configuration file.
* [UPD] Some cosmetic / translations improvements for GUI to deploy the WAPT Agent.

============================
WAPT-1.8.1-6756 (2020-02-17)
============================

(hash 43394f3b)

Bug fixes and small improvements

* [IMP] Improved the WAPT Console: improve the refresh of hosts grid when a lot of hosts are selected (improved by a factor of around 5).
* [FIX] Fixed the WAPT Server Database connections management: do not close the database on teardown as it should not occur, and seems to trigger some issue when triggering a lot of tasks on remote hosts (error "database is closed").
* [FIX] Fixed the WAPT Console: Do not "force" install when triggering the upgrade on remote hosts, to avoid reinstalling software when already up to date.
* [IMP] use *ldap authentication* only if session and admin fail (avoid waiting for timeout when ldap is not available but one wants to login with plain admin user).
* [FIX] wapt-get upload: encode user and password in :code:`http_upload_package` to allow non ascii in admin password.
* [IMP] Improved the WAPT Console: Disable auto search on keywords.
* [IMP] Use DMI :code:`System_Information.Serial_Number` information for serialnr Host field instead of :code:`Chassis_Information.Serial_Number` because System_Information is more often properly defined.
* [ADD] Added ``uuid`` to the list of searched fields when only 'host' is checked in filters in the WAPT Console.
* [IMP] Improved :program:`Nginx` config: disable caching.
* [IMP] Fixed :program:`vscode` project template.

============================
WAPT-1.8.1-6742 (2020-02-12)
============================

(hash 80dbdbe7)

Major changes
-------------

* [ADD] In the WAPT Console, added a page to show packages install status summary (merge) of all selected hosts, grouped by ``package``, ``version``, ``install status``, with count of hosts; Context menu allows to apply selectively the pending actions. On enterprise, one can apply safely the updates (only packages for which there is no running process on client side).
* [IMP] Prevent users from saving a host package if targeted host(s) do not accept their personal certificate. (Checked on the WAPT Console when editing / mass updating host packages, and on the WAPT Server when uploading packages). The personal certificate file :mimetype:`.crt` **MUST** contain at first the personal certificate, followed by the issuer CA certificates, so that WAPT can rebuild the certificate chain and check intersection with host's trusted certificates.

Important note about SSL client side authentication
---------------------------------------------------

In the :program:`Nginx` configuration, be sure to reset the headers ``X-Ssl-Authenticated`` and ``X-Ssl-Client-DN`` as the WAPT Server **trusts** these headers if the SSL client side authentication is enabled in :file:`waptserver.ini`.
If SSL client side authentication is set up, these headers can be populated by :code:`proxy_set_header` with result of :code:`ssl_verify_client` as explained in ./wapt-security/security-configuration-certificate-authentication.html#enabling-client-side-certificate-authentication.

Fixes and detailed changelog
----------------------------

* [FIX] Fixed security and updated :program:`waitress` module to 1.4.3 (`CVE-2020-5236 `_).
* [FIX] Fixed security with blank ``X-Ssl*`` headers in default :program:`nginx` templates.
* [FIX] Fixed regression in :command:`kerberos register_host` did not work anymore.
* [IMP] On the WAPT Server, :file:`/wapt/ssl` dir is moved automatically on winsetup / postconf to (per default) :file:`/ssl`, a :file:`/ssl` location is added. This :file:`/ssl` should be accessible from clients at the location specified by the WAPT Server parameter :code:`clients_signing_crl_url` (in :file:`waptserver.ini`).
* [IMP] Improved logs readability. Log count of used database connections from pool on the WAPT Server to troubleshoot database connection issues. Log level can be specified by subcomponent with :code:`loglevel_waptcore`, :code:`loglevel_waptserver`, :code:`loglevel_waptserver.app`, :code:`loglevel_waptws`, :code:`loglevel_waptdatabase` defined in :file:`waptserver.ini`;
* [IMP] Reworked explicit database Open/close on the WAPT Server to not get a database connection from pool if not useful. It prevents exhaustion of database connections;
* [IMP] waptwinsetup: do not create unused directories :file:`wapt-group` and :file:`waptserver\log`;
* [ADD] Added :mimetype:`.msu` and :mimetype:`.msix` extensions for Package wizard setup file dialog;
* [ADD] Fallback with os._exit(10) for the WAPT service restart.
  Added a handler in :program:`nssm.exe` configuration to honor the restart;
* [IMP] Increased waitress threads to 10 on the WAPT service;
* [IMP] Lowered the default number of pooled database connections (:code:`db_max_connections`) to 90, to be lower than postgresql default of 100;
* [IMP] Improved the WAPT Server: allow kerberos or ssl authentication check in the WAPT Server only if enabled in :file:`waptserver.ini` config file;
* [IMP] Improved the WAPT Console: Allow update of host package only if user certificate is actually allowed on the host (based on last update of host status in database);
* [ADD] Added in the WAPT Console / build of the WAPT Agent: added checkbox to specify to include or not non certificate authority certificates in build. The normal setup would be to uncheck this, to not deploy non CA certificates, on wapt root CA;
* [IMP] Add an option to disable automatic hiding of panels...
* [IMP] Add explicit :code:`AllowUnauthenticatedRegistration` task to the Windows waptserversetup.
* [IMP] waptsetup: Remove explicit VCRedistNeedsInstall task. Use :code:`/VCRedistInstall` = ``True`` / ``False`` if you need to force install or force not install vcredist VC_2008_SP1_MFC_SEC_UPD_REDIST_X86.
* [FIX] :program:`wapt-get.exe`: use wapt-get.ini for :command:`wapt-get scan-packages` and :command:`wapt-get update-packages`' actions.
* [FIX] :command:`wapt-get`: authentication asked when checking if the WAPT Server is available (ping) and client ssl authentication is enabled.
* [IMP] WAPT client: if client ssl authentication failed with http error 400, retry without ssl authentication to be able to ask for new certificate signing.
* [FIX] Fixed the WAPT Server register behavior: revert over rev 6641: sign host certificate if an authenticated user is provided or data is signed with a key which can be verified by existing certificate in database for this host uuid.
* [IMP] Improved the WAPT Server register behavior: when receiving 401 from the WAPT Server when registering, retry registering without ssl authentication.
* [IMP] wapt client: be sure to have proper host private key saved on disk when receiving signed certificate from the WAPT Server.
* [IMP] Improved the WAPT Console: advanced filters for selected host packages status. Filter on *Install status* and *Section + keyword*. :guilabel:`Pending` button to show only pending installations / removes.
* [ADD] :command:`wapt-get make-template / edit package`: Add :file:`.vscode` directory. Add template project for vscode;
* [FIX] Fixed the WAPT Console: ssl authentication for mass package dependencies / conflicts updates;
* [FIX] Fixed the WAPT Console: import packages from external repos with ssl authentication.
* [IMP] Backports from master:

  - target OS in import packages;
  - choose editor for packages in linux in cmdline.

* [IMP] backports from master:

  - Refactoring for :code:`HostCapabilities.waptos`;
  - Added new :code:`target_os` unix for mac and linux so :code:`target_os` = ``windows``, ``darwin`` (for mac), ``linux`` or ``unix``.

* [FIX] :code:`WAPT.wapt_base_dir`.
* [FIX] :code:`makepath` in Linux / macOS.
* [IMP] Refactoring / fixes for *SetupHelpers*.
* [FIX] Fixed :code:`rights_to_check` in repo-sync client.
* [FIX] for repo-sync:

  - [ADD] Added two *SetupHelpers* for linux: :code:`type_debian` and :code:`type_redhat`.
  - [IMP] Indent the local :file:`sync.json`.

* [IMP] Use :code:`get_os_version` and :code:`windows_version_from_registry` instead of :code:`windows_version`.
* [IMP] Improved :code:`windows_version_registry` for :code:`get_os_version` on windows.
* [IMP] Backported :code:`host_capabilities.os` from master.
* [FIX] Fixed :command:`make-template` for malformed :mimetype:`.exe` installer.
* [ADD] Added automatic maintenance of a :abbr:`CRL (Certificate Revocation List)` for client authentication certificates signed by the WAPT Server:

  * Default :abbr:`CRL (Certificate Revocation List)` lifetime to 30 days.
  * Check renewal of client certificate :abbr:`CRL (Certificate Revocation List)` every hour.

* [ADD] Added a parameter for the next update time of CRL.
* [ADD] Added :code:`clients_signing_crl_url`, :code:`clients_signing_crl_days`, :code:`known_certificates_folder` to the parameters of the WAPT Server.
* [ADD] Added a :file:`/ssl` location in nginx templates.
* [ADD] Added :code:`crl_urls` in client authentication signed certificates.
* [ADD] Added a scheduled task to renew the WAPT Server side CRL.
* [ADD] Added :code:`clients_signing_crl` WAPT Server parameter to add the WAPT client certificate to the WAPT Server's :abbr:`CRL (Certificate Revocation List)` when host is unregistered.
* [ADD] Added :command:`revoke_cert` method to :code:`SSLCRL` class.
* [ADD] Added a :code:`authorityKeyIdentifier` to the client authentication :abbr:`CRL (Certificate Revocation List)`.
* [IMP] Force restart if Windows task is broken.
* [FIX] Fixed the WAPT service: use ``os._exit(10)`` to ask :program:`nssm` to restart service in case of unhandled exception in the WAPT service (loops, etc.).
* [FIX] Fixed the WAPT Agent: do not log / store into database Wapt.runstatus if not changed.
* [FIX] Fixed the WAPT Server postconf for rights on some wapt directories.
* [ADD] Added mutual conflicts to deb/rpm packages for the WAPT Agent and the WAPT Server to avoid simultaneous install.

============================
WAPT-1.8.0-6641 (2020-01-24)
============================

(hash 3dbb3de8)

Major changes
-------------

* [ADD] Added WAPT Agent for Linux Debian 8, 9, 10, Linux Centos 7, Ubuntu 18, 19 and MacOS. The packages are named :file:`wapt-agent` and available in https://wapt.tranquil.it/wapt/releases/latest/.
* [IMP] Improved the repository access rules defined in the WAPT Console. Depending on client IP, site, computername, one can define which secondary repository URL to use (**Enterprise** only). **As a consequence, the DNS query method (with SRV records) is no longer supported for repositories.**
* [IMP] The package and signature process has been changed to be compatible with :program:`python3`. Serialization of dict is now sorted by key alphabetically to be deterministic across python versions. The WAPT Agents prior to version 1.7.1 will not be able to use new packages. (see git hash SHA-1: f571e55594617b43ed83003faeef4911474a84db).
* [NEW] A WAPT Agent can now be declared as a secondary remote repository. Integrated syncing with main WAPT Server repository is handled automatically. (**Enterprise** only)
* [NEW] The WAPT Console can now run without elevated privileges. The build of :file:`waptagent` / :file:`waptupgrade` package are done in a temporary directory. **When editing a package from the WAPT Console, PyScripter should be launched with elevated privileges**.

.. note::

  One could deploy the WAPT Agent with GPO without actually rebuilding a :file:`waptagent`. Command line options are available on stock waptsetup-tis.exe to configure repo url (:code:`/repo_url =`), WAPT Server url (:code:`/wapt_server =`), WAPT Server certificate bundle location (:code:`/CopyServersTrustedCA =`), packages certificates checking (:code:`/CopyPackagesTrustedCA =`), :code:`/use_random_uuid`, :code:`/StartPackages`, :code:`/append_host_profiles`, :code:`/DisableHiberBoot`, :code:`/waptaudit_task_period`. Some options are still missing and may be added in a future release.

* [IMP] package filename now includes a hash of package content to make it easier to check if download is complete and if package has been scanned (improved speed for large number of packages).
* [SEC] the WAPT admin password **MUST** be regenerated (with postconf) if it is not *pbkdf2* based.
  See in your :file:`waptserver.ini` file, ``wapt_password`` **MUST** start with **$pbkdf2-**.

Fixes and detailed changelog
----------------------------

* [SEC] The WAPT Agent can optionally be digitally signed, if (1) Microsoft :program:`signtool.exe` is present in :file:`\utils\` and (2) if there is a pkcs#12 :mimetype:`.p12` file with the same name as the personal certificate :mimetype:`.crt` file, and (3) the certificate is encrypted with the same password;
* [IMP] wapt-get.py can be run on linux and macos in addition to windows;
* [IMP] Improved the WAPT Console host's packages status reporting: now displays current version with *NEED-UPGRADE*, *NEED-REMOVE*, *ERROR* status and future version with *NEED-INSTALL* status; The status is stored in the WAPT Server's database ``HostPackagesStatus`` so it can be queried for reporting;
* [IMP] Improved *SetupHelpers*: there are now different *SetupHelpers* for each operating system family;
* [ADD] Added in the WAPT Console: action to safely trigger upgrades on remote hosts only if associated processes (:code:`impacted_process` control attribute) are not running, to avoid disturbing users (**Enterprise** only);
* [ADD] :command:`wapt-get --service upgrade`: added handling of :code:`--force`, :code:`--notify_server_on_start` = ``0/1``, :code:`notify_server_on_finish` = ``0/1`` switches;
* [IMP] package signature's date is now taken into account when comparing packages;
* [ADD] :code:`host_ad_site` key in ``[global]`` in :file:`wapt-get.ini` to define a *fake* Active Directory site for the host;
* [ADD] Added in the WAPT Console / packages grid: if multiple packages are selected, the associated :guilabel:`show clients` grid shows the status of packages for all selected clients (**Enterprise** only);
* [ADD] :file:`waptagent` build: added checkbox to enable repository rules lookup when installing The WAPT Agent (**Enterprise** only);
* [ADD] Added in the WAPT Console / import packages: do not reimport existing dependencies.
  Checkbox to disable import of dependencies;
* [IMP] wapt-scanpackages speed optimizations: do not re-extract certificates and icon for skipped package entries. use md5 from filename if supplied when scanning.
* [FIX] Fixed arguments in the WAPT Exit utility for :code:`only_if_not_process_running` and :code:`install_wua_updates` (bool);
* [FIX] Fixed the WAPT Agent / WAPT WUA enabled setting reset to *False* when upgrading with :file:`waptagent` and enabled;
* [FIX] Fixed the WAPT Server / waptwua repository: all cabs files are now in root directory instead of microsoft original file tree. The files are moved when upgrading to 1.8;
* [IMP] waptupgrade package: increment build number if building a new WAPT Agent of the same main wapt version;
* [NEW] New WAPT Server parameter :code:`trusted_signers_certificates_folder`: Path to trusted signers certificate directory. If defined, only packages signed by this trusted CA are accepted on the WAPT Server when uploading through the WAPT Server;
* [NEW] New WAPT Server parameter :code:`remote_repo_support`: if true, a task is scheduled to scan repositories (``wapt``, ``waptwua``, ``wapt-hosts``) that creates a :file:`sync.json` file for remote secondary repositories;
* [IMP] when building the WAPT Agent, do not include non CA packages certificates by default in the WAPT Agent.
  A checkbox is available to still enable non CA certificates to be scanned and added;
* [IMP] when building the WAPT Agent, one can add or remove certificates in the grid with :kbd:`Ctrl+Del` or drag and drop;
* [FIX] Fixed the WAPT Console / host packages status grid: fixed :kbd:`F5` refresh;
* [IMP] Improved the WAPT Console / build of the WAPT Agent: build an Enterprise WAPT Agent even if no valid licence (**Enterprise** only);
* [FIX] :code:`forced_update_on` control attribute: do not take into account for :code:`next_update_on` if in the past;
* [IMP] Improved the WAPT Console: try to accept the WAPT Server password with non ASCII characters;
* [REMOVED] waptstarter: remove *socle* from default host profile;
* [IMP] :file:`waptagent` build: rework of the WAPT Server certificate path relocation when building / installing;
* [SEC] do not sign the WAPT Agent certificate if no valid human authentication (admin, passwd or ldap) or kerberos authentication has been provided:

  * be explicit on authentication methods;
  * store registration authentication method in database only if valid human authentication or kerberos authentication has been provided;
  * when registering, be sure we trust an already signed certificate with CN matching the host;
  * store the signed host certificate in the WAPT Server database on proper registration;

* [IMP] some syntax preparation work for future python3;
* [IMP] some preparation work for detailed ACL handling (**Enterprise** only);
* [FIX] Do not enable client ssl authentication by default in the WAPT Server as nginx reverse proxy server is perhaps misconfigured;

Python libraries / modules updates
----------------------------------

* use :program:`waitress` for the WAPT service wsgi server instead of unmaintained :program:`Rocket`;
* :program:`Flask-SocketIO 3.0.1` --> :program:`Flask-SocketIO 4.2.1`;
* :program:`MarkupSafe 1.0` --> :program:`MarkupSafe 1.1.1`;
* :program:`python_ldap-2.4.44` --> :program:`python_ldap-3.2.0`;

******************
WAPT 1.7 and older
******************

============================
WAPT-1.7.4-6237 (2019-11-18)
============================

(hash 1c00cefd)

* [FIX] Fixed the WAPT Server: add fix to workaround `flask-socketio bug `_ (AttributeError: 'Request' object has no attribute 'sid');
* [IMP] Improved the WAPT Server: be sure the database is closed before trying to open it (for dev mode);
* [IMP] Improved the WAPT Server: add logs messages when an exception message is sent back to the user;

============================
WAPT-1.7.4-6234 (2019-11-14)
============================

(hash ad237eee)

* [IMP] Improved the WAPT Server: upgrade :program:`peewee` database python module to 3.11.2. Explicit connection handling to database to track potential limbo connections (which could lead to database pool exhaustion);
* [FIX] waptwua: trap exception when pushing WU to Windows cache to allow valid updates to be installed even if some could not be verified properly;

============================
WAPT-1.7.4-6232 (2019-10-31)
============================

(hash 2090b0e6d52cecfb04f8fa4c279e7c0a0252d6e2)

* [FIX] :command:`wapt-get session-setup`: fix bad print in :command:`session_setup`.
  Regression introduced in b30b1b1a550a4 (1.7.4.6229);

===========================================
WAPT-1.7.4-6230 (2019-10-23) (not released)
===========================================

(hash 391d382f)

* [IMP] return the WAPT Server git hash version and edition in ping and :code:`usage_statistics`;
* [IMP] be sure to have :code:`server_uuid` on windows during setup;
* [FIX] :mimetype:`.git` partially included in built package :file:`manifest`;

============================
WAPT-1.7.4-6229 (2019-10-23)
============================

(hash b30b1b1a)

* [FIX] 100% cpu load on one core on the WAPT Server even when Idle;
* :program:`python-engineio` upgrade to 3.10.0;
* :program:`python-socketio` upgraded to 4.3.1;
* [IMP] Do not try to run :command:`session_setup` on packages which do not have one defined;
* [IMP] limit text output on the WAPT Console (for faster output);

============================
WAPT-1.7.4-6223 (2019-10-15)
============================

(hash 86ddeaa2d)

* [FIX] Newlines in packages installs logged output;
* [FIX] Allow nonascii utf8 encoded user and password for the WAPT Server basic authentication;
* [UPD] Updated the WAPT Console: Default package filtering to x64 and the WAPT Console locale to avoid mistakes when importing;
* [IMP] Improved the WAPT Console: increase default Port Socket listening test timeout (for rdp, remote service access etc..)
  to 3s instead of 200ms;
* [IMP] Improved the WAPT Console: sort :abbr:`OU (Organizational Unit)` by description in treeview: Right click changes current row selection in :abbr:`OU (Organizational Unit)` treeview;
* [NEW] option to set :code:`waptservice_password` = ``NOPASSWORD`` in waptstarter installer;
* [FIX] grid sorting for package / version / size of packages;
* [FIX] Do not create the WAPT Console link for starter;
* [NEW] :command:`wapt-scanpackages`: add an option to update the local packages database table from :file:`Packages` file index;
* [FIX] regression introduced in previous build: :code:`maturities` = ``PROD`` and :code:`maturities` = ``''`` are equivalent when filtering allowed packages;
* [FIX] Fixed the WAPT Console: grid headers too small for highdpi;
* [UPD] waptupgrade package filename: keep old naming without *all* arch (for backward compatibility);
* [IMP] :code:`waptservice_timeout` = ``20`` seconds now;
* [FIX] Active Directory authentication for the WAPT Console with non ASCII chars;
* [IMP] missing french translations for columns in :guilabel:`Import packages` grid;
* [FIX] be sure to terminate output threads in waptwinutils.run;
* [IMP] avoid showOnTop flickering for VisLoading;
* [IMP] :code:`setuphelpers.run_powershell`: added :code:`$ProgressPreference` = ``SilentlyContinue`` prefix command;
* [SEC] Secured the WAPT service: protect test of ``host_cert`` date if file is deleted outside of service scope;
* [IMP] WaptBaseRepo class:

  * packages cache handling when repo parameters (filters...)
    are changed;
  * allow direct setting of cabundle for WaptBaseRepo;
  * keep a fingerprint of input config parameters;

* [UPD] set a fallback calculated ``package_uuid`` value in database for compatibility with old package status reports;

============================
WAPT-1.7.4-6196 (2019-09-27)
============================

(hash f9cb3ebd)

* [IMP] revert package naming of waptupgrade to previous one to ease upgrade from previous wapt;
* [IMP] increase :code:`waptservice_timeout` to 20 seconds per default;
* [FIX] Active Directory authentication when there are non ascii chars (encoding);
* [FIX] missing french translations for columns in Import packages grid;
* [IMP] set a fallback calculated :code:`package_uuid` in database for old package without :code:`package_uuid` attribute in database status report;
* [NEW] :command:`wapt-scanpackages`: add an option to update the local Packages database table from Packages file index;
* [NEW] option to filter :code:`maturities`;

============================
WAPT-1.7.4-6192 (2019-09-17)
============================

(hash 3e00ac6688)

* [SEC] update python modules :program:`python-engineio` and :program:`werkzeug` to fix vulnerability `CVE-2019-14806 `_ GHSA-j3jp-gvr5-7hwq
* [UPD] Python modules:

  - :program:`eventlet 0.24.1` --> :program:`eventlet 0.25.1`;
  - :program:`flask 1.0.2` --> :program:`flask 1.1.1`;
  - :program:`greenlet 0.4.13` --> :program:`greenlet 0.4.15`;
  - :program:`itsdangerous 0.24` --> :program:`itsdangerous 1.1.0`;
  - :program:`peewee 3.6.4` --> :program:`peewee 3.10`;
  - :program:`python-socketio 1.9.0` --> :program:`python-socketio 4.3.1`;
  - :program:`python-engineio 3.8.1` --> :program:`python-engineio 3.9.3`;
  - :program:`websocket-client 0.50` --> :program:`websocket-client 0.56`;

* [UPD] default ``request_timeout`` = **15s** for client websockets;
* [FIX] when building packages, excluded directories (for example :mimetype:`.git` or :mimetype:`.svn`) were still included in :file:`manifest` file;
* [UPD] Do not
  canonicalize package filenames by default when scanning the WAPT Server repository to ease migration from previous buggy wapt;
* [FIX] package filename not rewritten in :file:`Packages` when renaming package;
* [NEW] :command:`wapt-scanpackages`: added explicit option to trigger rename of packages filenames which do not comply with canonic form;
* [NEW] :command:`wapt-scanpackages`: added option to provide proxy;
* [UPD] return **OK** by default in package's audit skeleton;
* [IMP] Improved the WAPT Console cosmetic: minheight 18 pixels for grid headers
* [FIX] Fixed the WAPT Server database model: bad default datatype in :file:`model.py` for ``created_by`` and ``updated_by`` (were not used until now);
* [FIX] :code:`ensure_unicode` for :mimetype:`.msi` output: try *cp850* before *utf16* to avoid Chinese garbage in run output;
* [NEW] added :code:`connected_users` to :code:`hosts_for_package` provider;
* [FIX] use :program:`win32api` to get local connected IPV4 IP address instead of socket module.
  In some cases, socket can not retrieve the IP;
* [FIX] :command:`wapt-get unregister` command not working properly;
* [NEW] Waptselfservice: added option in :file:`wapt-get.ini` to disable unfiltered packages view of local admin;
* [IMP] Waptselfservice: 4K improvements;
* [FIX] Waptselfservice:

  - packages *restricted* were shown in selfservice / now corrected;
  - if the repo has no packages segmentation error / now corrected;
  - if the repo has changed segmentation error / now corrected;

============================
WAPT-1.7.4.6165 (2019-08-02)
============================

(hash f153fab4)

Improvements
------------

* [NEW] added :command:`unregister` action to wapt-get;
* [UPD] improvements with the alt logo in the self-service;

Changes
-------

* [UPD] use version to build the package name of unit, groups and profile type package, like for base packages;
* [UPD] added logs to :program:`uwsgi`;

Fixes
-----

* [FIX] bugfixes with the icons of the app self-service;
* [FIX] bugfixes with the logos in the self-service;
* [UPD] Updated the WAPT Exit utility: do not cancel tasks on CloseQuery;
* [UPD] patch :file:`server.py` earlier to avoid *execute cannot be used while an asynchronous query is underway*;
* [FIX] Fixed the WAPT Exit utility doing nothing if :code:`allow_cancel_upgrade` = ``False`` and :code:`waptexit_disable_upgrade` = ``False``;
* [FIX] fix issue with merge of wsus rules (can cause memory errors if more than one wsus package is applied on a host) (**Enterprise** only);
* [FIX] fix wua auto :code:`install_scheduling` issue;
* [FIX] Fixed the WAPT Exit utility: add a watchdog to workaround some cases where it hangs (threading issue??);

============================
WAPT-1.7.4.6143 (2019-06-25)
============================

(hash da870a2c)

Improvements
------------

* [IMP] wapt self service application is now fully usable. It is available in :file:`\waptself.exe`;
* [ADD] option to set a random UUID instead of BIOS UUID at setup.
  This is a workaround for bugged BIOS with duplicated ids;
* [IMP] better Sphinxdocs for WAPT Libraries;

Changes
-------

* [UPD] behavior change: Use computer FQDN from tcpip registry entry (first NV Hostname key) then fixed domain then DHCP;
* [FIX] inverted Zip and signature steps in package build operations to workaround issue with Bad Magic Number when signing already zipped big packages;
* [NEW] Add :code:`use_ad_groups` wapt-get ``[global]`` parameter to activate groups from AD (this is a time consuming task, so better not activate it...);

Fixes
-----

* [FIX] appendprofile infinite loop during setup;
* [FIX] read forced uuid from :file:`wapt-get.ini` earlier to avoid loading a bad host certificate in memory if changing from bios uuid to forced uuid;
* [FIX] setting :code:`use_random_uuid` in :file:`waptagent.iss`;
* [FIX] waptstarter setup: force deactivate the WAPT Server, hostpackages;
* [FIX] include waptself in waptstarter, do not include innosetup in waptstarter;
* [FIX] :code:`ensure_unicode`: add *utf16* decoding test before *cp850*;
* [FIX] add :code:`ensure_unicode` for tasks logs to avoid unicode decode errors in :command:`get_tasks_status` callback;
* [NEW] host status: add :code:`boot_count` attribute;
* [FIX] fix potential float / unicode error when scanning windows updates (**Enterprise** only);
* [FIX] handles properly excluded files in package signatures;
* [FIX] Fixed the WAPT Exit utility: avoid some work after checking if the WAPT service is running if it is not running;
* [FIX] a case where WAPTLocalJsonGet could loop forever if authentication fails;
* [FIX] :file:`setup.pyc` in :file:`manifest` but not in zipped package:

  * exclude exactly [':mimetype:`.svn`',':mimetype:`.git`', ':mimetype:`.gitignore`',':file:`setup.pyc`'] when signing and zipping;
  * :command:`inc_build` before signing;

* [UPD] add :code:`use_ad_groups` setting in the WAPT Agent build.
  Default to *False* (**Enterprise** only);
* [FIX] better detection of :file:`waptbasedir` for :file:`python27.dll` loading;
* [FIX] allow to sign source package directory to workaround a bug in python zipfile (bad magic number);
* [NEW] added a :file:`htpasswd` password file method for restricted access to only :command:`add_host` method: allows :command:`add_host` if provided host certificate is already signed by the WAPT Server and content can be verified;
* [FIX] :program:`wapt-get.exe` crash with "can not load... " when python 3.7 is installed from MS store;
* [FIX] load :code:`private_dir` conf parameter earlier;
* [UPD] put a *rnd-* in front of randomly generated uuid; added a checkbox to use random uuid (if not already defined in :file:`wapt-get.ini`);
* [UPD] SSL CA certifi library;
* [IMP] utf8 decode user /password in localservice authentication;
* [UPD] allow authentication on the local WAPT service with token;
* [NEW] filter packages on hosts based on the :code:`valid_from` and :code:`valid_until` control attributes; force update sooner if :code:`valid_from` or :code:`valid_until` or :code:`forced_install_on` is sooner than regular planned :code:`update_period`;
* [FIX] events reporting from service tasks;
* [FIX] Fixed the WAPT Exit utility: :program:`waptexit` not closing if waiting for running tasks but auto upgrade has been disabled;
* [ADD] added :code:`waptexit_disable_upgrade` option to :program:`waptexit` to remove the triggering of upgrade from the WAPT Exit utility, but keep the waiting for pending and running tasks:

  - 'running_tasks' key in the WAPT service checkupgrades.json. Was not reflecting an up to date state.

* [NEW] add new packages attributes: :code:`name`, :code:`valid_from`, :code:`valid_until`, :code:`forced_install_on`;
* [FIX] regression on *profile* packages not taken in account;

============================
WAPT-1.7.4.6082 (2019-05-20)
============================

(hash 38e08433)

Fixes
-----

* [FIX] :program:`waptexit` not closing if waiting for running tasks but auto upgrade has been disabled;
* [FIX] events reporting from service's tasks;

Updated
-------

* [ADD] new packages attributes: :code:`name`, :code:`valid_from`, :code:`valid_until`, :code:`forced_install_on`;
* [ADD] :code:`waptexit_disable_upgrade` option to :program:`waptexit` to remove the triggering of upgrade from the WAPT Exit utility, but keep the waiting for pending and running tasks;
* [IMP] added :code:`running_tasks` key in the WAPT service checkupgrades.json. Was not reflecting an up to date state.
* [IMP] waptself:

  - early support of high DPI;
  - loading of icons in the background;

============================
WAPT-1.7.4.6078 (2019-05-17)
============================

(hash 5b6851ae)

Fixes
-----

* [FIX] takes *profile* packages (AD based groups) into account (**Enterprise** only)

============================
WAPT-1.7.4.6077 (2019-05-15)
============================

(hash 4be40c534c4627)

Fixes
-----

* [FIX] Fixed regression on the WAPT Deployment utility unable to read current :code:`waptversion` from registry;
* [FIX] be more tolerant to broken or inexistent *wmi* layer (for the WAPT Console on :program:`wine` for example);

============================
WAPT-1.7.4.6074 (2019-05-09)
============================

(hash 95a146c002)

Fixes and improvements over RC2
-------------------------------

* [IMP] :program:`waptself.exe` preview application updated. Loads icons in the background.
  Known issues:

  - does not work with repositories behind proxies and client side authentication;
  - WAPT https Server certificate is not checked when downloading icons;
  - High DPI not handled properly;
  - Cosmetic and ergonomic improvements still to come;

* [IMP] Improved the WAPT Server setup on windows: opened port 80 on firewall in addition to 443;
* [IMP] Improved the WAPT Server on Debian: added *www-data* group to *wapt* user even if user *wapt* already exists;
* [IMP] Improved the WAPT Server on CentOS: added *waptwua* directory to SELinux :code:`httpd_sys_content_t` context;
* [FIX] Improved the WAPT Server client authentication: commented out :code:`ssl_client_certificate` and :code:`ssl_verify_client` by default because old client's certificate does not have proper :code:`clientAuth` attribute (error http 400);
* [FIX] problem accessing to 32bit uninstall registry view from 32bit wapt on Windows server 2003 x64 and Windows server 2008 x64: it looks like it is not advisable to try to access the virtual Wow6432Node node with disabled redirection;
* [FIX] Fixed *SetupHelpers* :code:`installed_softwares` regular expression search on name; https://github.com/tranquilit/WAPT/issues/7
* [IMP] Improved the WAPT service: for planned periodic upgrade, use single WaptUpgrade task like the one used in websocket;
* [IMP] Improved the WAPT Exit utility: cancel all tasks if closing the form;
* [FIX] wapt-get: wapt-get service mode with events: refactor using uWAPTPollThreads;
* [FIX] :program:`veyon` cli executable name updated;
* [IMP] wapt-get: check *CN* and *subjectAltNames* in lowercase for :command:`enable-check-certificate` action;

============================
WAPT-1.7.4 RC2 (2019-04-30)
============================

(hash 5ef3487)

Security
--------

* upgrade :program:`urllib3` to 1.24.2 for `CVE-2019-11324 `_ (high severity);
* upgrade :program:`jinja2` to 2.10.1 for `CVE-2019-10906 `_;

New
---

* [NEW] Wapt self service application preview;

Improvements
------------

* [IMP] propose to copy the newly created CA certificate to ssl local service dir, and restart the WAPT service. Useful for first time use;

Fixes
-----

* [FIX] ``sign_needed`` for wapt-signpackages.py;
* [FIX] missing *StoreDownload* table create;
* [FIX] bug in fallback ``package_uuid`` calculation. It didn't include the version;

===========================
WAPT-1.7.4 RC1 (2019-04-16)
===========================

(hash 4cdcaa06c83b)

Changes
-------

* [UPD] handling of *subjectAltName* attribute for the WAPT https Server certificates checks in the WAPT Console (useful when certificate is a multi hostname commercial certificate). Before, only CN was checked against host's name;
* [UPD] client certificate authentication for the WAPT Console;
* [UPD] versioning of wapt includes now the Git revision count;

Details
-------

* [FIX] replace openssl command line call with waptcrypto call to create tls certificate on linux server WAPT install;
* [FIX] Added dnsname *subjectAltName* extension to self signed certificate of the WAPT Server on linux wapt nginx server configuration;
* [FIX] pkcs12 export;
* [NEW] handling of *SubjectAlternativeName* in certificates for the WAPT Server X509 certificate check in addition to CN: Added a *SubjectAltName* when creating self signed certificate on linux wapt nginx server in postconf; For old installation, the certificate is not updated.
  It should be done manually;
* [FIX] fix :command:`check_install` returning additional packages to install which are already installed (when private repository is using :code:`locale` or :code:`maturities`): Added missing attributes in waptdb.installed_matching;
* [NEW] added client certificate path and client private key path for the WAPT Console access to client side ssl authentication protected servers;
* [FIX] fix regression with :command:`wapt-get edit `: made :code:`filter_on_host_cap` a global property of Wapt class instead of a function parameter;
* [FIX] regression if there are spaces in :abbr:`OU (Organizational Unit)` name. The WAPT Console was stripping space for https://roundup.tranquil.it/wapt/issue911 and https://roundup.tranquil.it/wapt/issue908;
* [IMP] allow '0'..'9', 'A'..'Z', 'a'..'z', '-','_','=','~','.' in package names for :abbr:`OU (Organizational Unit)` packages. Replaces space with ~ in package names and ',' with '_';
* [IMP] make sure we have a proper package name in packages edit dialogs;
* [IMP] Improved the WAPT service config: allow :code:`waptupdate_task_period` to be empty in :file:`wapt-get.ini` to disable it in the WAPT service;
* [FIX] waptutils: fix regression on wget() if *user-agent* is overridden;
* [FIX] waptwua: fix an error in install progress % reporting for wua updates;
* [IMP] Refactored the WAPT System Tray utility for consistency. Makes use of *uwaptpollthreads* classes;
* [IMP] Improved the WAPT Exit utility: some changes to try to fix cases when it does not close automatically;
* [IMP] build: add git Revcount (commit count) to exe metadata.
* [FIX] Fixed the WAPT Console: hosts for package grid not refreshed if not focused.
* [FIX] internal: use synapse httpsend for the WAPT Exit utility / wapt-get / the WAPT System Tray utility local service http queries to workaround authentication retry problems with :program:`indy`.
* [ADD] :program:`wapt-get.exe`: added ``--locales`` to override temporarily locales from :file:`wapt-get.ini`.
* [ADD] Added :code:`WaptServiceUser` and :code:`WaptServicePassword` / :code:`WaptServicePassword64` command line parameters in :program:`wapt-get.exe`.
* [FIX] Fixed timeout checking in :code:`checkopenport`.
* [ADD] core: Added logs for WAPT Self-service authentication.
* [ADD] Added to the WAPT service: :file:`keywords.json` service action.
* [ADD] Added to the WAPT service: filter keywords (:mimetype:`.csv`) on :file:`packages.json` provider.
* [IMP] Improved the WAPT Console: replace tri-state checkbox by a radio group for wua enabled setting in the :guilabel:`Create the WAPT Agent` dialog.
* [IMP] Improved the WAPT service local webservice: temporary workaround to avoid costly icons retrieval in local service.
* [FIX] Simplified :code:`installed_wapt_version` in waptupgrade package to avoid potential install issues.
* [IMP] Improved the WAPT Console layout: anchors for running task memo.
* [FIX] Makefullyvisible for main form to avoid forms outside the visible area when disconnecting a second display.
* [FIX] Fixed layout of tasks panel for Windows 10.
* [FIX] Added :code:`token_lifetime` to the WAPT Server side (instead of using clockskew for token duration).
* [UPD] Updated default unit **days** instead of **minutes** for wua scan download install and install_delay.
* [ADD] Added optional export of key and certificate as :file:`PKCS12` file in :guilabel:`create key` dialog. (to check SSL client authentication in browsers...).
* [FIX] Fixed :program:`winsetup.py` for backslashes in :program:`nginx`.
* [FIX] Fixed :command:`wapt-get` json output / flush error.
* [IMP] Improved the cache :code:`host_certificate_fingerprint` and issuer id in local database so that we do not need to read private directory to get :code:`host_capabilities`. It allows to use :command:`wapt-get list-upgrade` as normal user.
* [UPD] Do not make DNS query in the WAPT Console Login / waptconfig to avoid DNS timeout if domain DNS server is not reachable.
* [FIX] Fixed warning message introduced in previous revision when adding a new ini config on login (**Enterprise** only).
* [FIX] Fixed waptwua to handle redirect for wsusscn2 head request (**Enterprise** only).
* [UPD] Report only 3 members on the :code:`wapt_version` capability attribute.
* [IMP] Improved WAPT core: refactor WaptUpgrade task: check task to append and then append them to tasks queue in WaptUpgrade.run instead of doing it in caller code. Avoid timeout when upgrading;
* [IMP] Improved WAPT core: self service rules refactoring;
* [IMP] Improved WAPT core: notify the WAPT Server when audit on waptupgrade;
* [IMP] Improved WAPT core: fix :code:`update_status` not working when old packages have no ``persistent_dir`` in the database;
* [IMP] Improved core: tasks, events action in the WAPT service: timeout in milliseconds instead of seconds for consistency;

==========================
WAPT-1.7.3.11 (2019-03-25)
==========================

(hash 92ccb177d5c)

* [FIX] Fixed the WAPT Console: use repo specific ca bundle to check remote WAPT repo Server certificate (different from main wapt repo);
* [FIX] Fixed the WAPT Console / hosts for packages: fixed :kbd:`F5` to do a local refresh;
* [FIX] Improved update performance with repositories with a lot of packages;
* [FIX] Improved the WAPT System Tray utility reporting:

  - fix faulty inverted logic for :code:`notify_user` parameter;

* [FIX] Fixed the WAPT Console: bad filtering of hosts for package (**Enterprise** only);
* [FIX] Fixed the WAPT Exit utility to close even if Running task if no pending task / no pending updates;
* [FIX] Fixed the WAPT Exit utility: fixed potential case where the WAPT Exit utility remains running with high cpu load;
* [FIX] Fixed the WAPT Console: fixed HostsForPackage grid not filtered properly (was improperly using Search expr from first page);
* [FIX]
  Fixed the WAPT service: None has no :code:`check_install_is_running` error on startup of the WAPT service;
* [FIX] Fixed WAPT core: set :code:`persistent_dir` and :code:`persistent_source_dir` attributes on setup module for install_wapt;
* [FIX] Fixed WAPT core: fixed bug in guessed :code:`persistent_dir` for dev mode;
* [FIX] Fixed WAPT core: fixed error resetting status of stuck processes in local database (check_install_running);
* [FIX] Fixed the WAPT service: trap error setting runstatus in database in tasks manager loop:

  - Do not send runstatus to the WAPT Server each time it is set;

* [UPD] Updated WAPT core: define explicitly the :code:`private_dir` of Wapt object;
* [UPD] WAPT Server: do not refuse to provide authtoken if :abbr:`FQDN (Fully Qualified Domain Name)` has changed (this does not introduce specific risk as request is signed against :abbr:`UUID (Universally unique IDentifier)`);
* [UPD] Updated WAPT core: if :code:`package_uuid` attribute is not set in package's :file:`control` (old wapt), it is set to a reproducible hash when package is appended to local waptdb so we can use it to lookup packages faster (dict);
* [NEW] New in the WAPT Console: added audit scheduling setup in the WAPT Agent dialog (**Enterprise** only):

  - added :code:`set_waptaudit_task_period` in innosetup installers;

* [IMP] Improved *SetupHelpers*: add win32_displays to default wmi keys for report;
* [IMP] Improved WAPT Server setup: create X509 certificate / RSA key for hosts ssl certificate signing and authentication during setup of the WAPT Server;
* [IMP] Improved the WAPT Exit utility: added sizeable border and icons;
* [IMP] Improved showing the progress of long tasks;
* [IMP] Improved the WAPT service: process update of WAPT packages as a task instead of waiting for its completion when upgrading (to avoid timeout when running upgrade the WAPT service task):

  - added :code:`update_packages` optional (default ``True``) parameter for upgrade the WAPT service action;

* [NEW] Added audit scheduling setup in the WAPT Agent compilation dialog (**Enterprise** only);
* [NEW] New in *SetupHelpers*: added :code:`setuphelpers.get_local_profiles`;
* [IMP] Improved the WAPT Server: do not refuse to provide authentication token for websockets authentication if :abbr:`FQDN (Fully Qualified Domain Name)` has changed;
* [IMP] Flush *stdout* before sending status to the WAPT Server;
* [IMP] Improved waptcrypto handling alternative object names in :abbr:`CSR (Certificate Signing Request)` build;
* [IMP] Improved wapt-get: :code:`--force` option on :program:`wapt-get.exe` service mode;
* [NEW] Use client side authentication for waptwua too;
* [CHANGE] WAPT Server setup: nginx windows config: relocate logs and pid;
* [ADD] Added conditional client side ssl authentication in nginx config;
* [CHANGE] In the WAPT Console: refactored wget, wgets for the WaptRemoteRepo and the WAPT Server to use requests.Session object to handle specific ssl client authentication and proxies: **Be sure to set privateKey password dialog callback to decrypt client side ssl authentication key**;
* [IMP] Improved waptcrypto: added waptcrypto.is_pem_key_encrypted;
* [IMP] Improved the WAPT Console: make sure the WAPT Agent window is fully visible;
* [IMP] Improved the WAPT Console: make sure Right click select row on all grids;
* [ADD] Added in the WAPT Console: import from remote repo: add certificate and key for client side authentication;

==========================
WAPT-1.7.3.10 (2019-03-06)
==========================

(hash ec8aa25ef)

Security
--------

* [UPD] upgraded :program:`OpenSSL` dlls to 1.0.2r for https://www.cert.ssi.gouv.fr/avis/CERTFR-2019-AVI-080/ (moderate risk);

New
---

* [IMP] much reworked wizard pages embedded in :program:`waptserversetup.exe` windows server installer.
  Install of the WAPT Server on Windows is easy again:

  - register server as a client of the WAPT Server;
  - create new key / certificate pair;
  - build :program:`waptagent.exe` and :program:`waptupgrade.exe` package;
  - configure package prefix;

* [NEW] if client certificate signing is enabled on the WAPT Server (:file:`waptserver.ini` config), the WAPT Server will sign a :abbr:`CSR (Certificate Signing Request)` for the client when the client is first registered. See :ref:`client_side_certificate_authentication`.
* [NEW] wapt-get: added new command :code:`create-keycert` to create a pair of RSA key / x509 certificate in batch mode. Self signed or signed with a CA key/certificate: **(options are case sensitive...)**

  - option :code:`/CommonName`: CN to embed in certificate;
  - options :code:`/Email`, :code:`/Country`, :code:`/Locality`, :code:`/Organization`, :code:`/OrgUnit`: additional attributes to embed in certificate;
  - option :code:`/PrivateKeyPassword`: specify the password for private key in clear text form;
  - option :code:`/PrivateKeyPassword64`: specify the password for private key in base64 encoding form;
  - option :code:`/NoPrivateKeyPassword`: ask to create or use an unencrypted RSA private key;
  - option :code:`/CA` = ``True`` (or False): create a certification authority certificate if True (default to True);
  - option :code:`/CodeSigning` = ``True`` (or False): create a code signing certificate if True (default to True);
  - option :code:`/ClientAuth` = ``True`` (or False): create a certificate for authenticating a client on the WAPT https Server with ssl authentication.
    (default to True);
  - option :code:`/CAKeyFilename`: path to CA private key to use for signing the new certificate (defaults to :file:`%LOCALAPPDATA%\waptconsole\waptconsole.ini` ``[global]`` :code:`default_ca_key_path` setting);
  - option :code:`/CACertFilename`: path to CA certificate to use for signing the new certificate (defaults to :file:`%LOCALAPPDATA%\waptconsole\waptconsole.ini` ``[global]`` :code:`default_ca_cert_path` setting);
  - option :code:`/CAKeyPassword`: specify the password for CA private key in clear text form to use for signing the new certificate (no default);
  - option :code:`/CAKeyPassword64`: specify the password for CA private key in base64 encoding form to use for signing the new certificate (no default);
  - option :code:`/NoCAKeyPassword`: specify that the CA private key to use for signing the new certificate is unencrypted;
  - option :code:`/EnrollNewCert`: copy the newly created certificate in :file:`\ssl` to be taken in account as an authorized packages signer certificate;
  - option :code:`/SetAsDefaultPersonalCert`: set :code:`personal_certificate_path` in configuration inifile ``[global]`` section (default :file:`%LOCALAPPDATA%\waptconsole\waptconsole.ini`);

* [NEW] wapt-get: added new command :command:`build-waptagent` to compile a customized WAPT Agent in batch mode:

  - copy :program:`waptagent.exe` and pre-waptupgrade locally (if not :code:`/DeployWaptAgentLocally`, upload to the WAPT Server with https);
  - option :code:`/DeployWaptAgentLocally`: copy the newly built :program:`waptagent.exe` and prefix-waptupgrade_xxx.wapt to local WAPT Server repository directory :file:`.\\waptserver\\repository\\wapt\\`;

* [NEW] :command:`wapt-get register`: added options for easy configuration of wapt when registering:

  - :code:`--pin-server-cert`: pin the WAPT Server certificate.
    (check that CN of certificate matches hostname of WAPT Server and WAPT repo);
  - :code:`--wapt-server-url`: set :code:`wapt_server` setting in :file:`wapt-get.ini`;
  - :code:`--wapt-repo-url`: set :code:`repo_url` setting in :file:`wapt-get.ini`. (if not provided, and there is no :code:`repo_url` set in :file:`wapt-get.ini`, extrapolate :code:`repo_url` from the WAPT Server url);

* [NEW] wapt-get: added check-valid-codesigning-cert / CheckPersonalCertificateIsCodeSigning action;

Improvements and fixes
----------------------

* python libraries updates

  - :program:`cryptography from 2.3.1` --> :program:`cryptography 2.5.0`;
  - :program:`pyOpenSSL 18.0.0` --> :program:`pyOpenSSL 19.0.0`;

* [FIX] Do not reset host.server_uuid in the WAPT Server database when host disconnect from websocket. Set :code:`host.server_uuid` in the WAPT Server database when host gets a token;
* [FIX] modify isAdminLoggedIn to try to fix cases when we are admin but function return false;
* [FIX] ensure valid package name in package wizard (issue959);
* [FIX] regression when using python cryptography 2.4.2 openssl bindings for windows XP WAPT Agent (openssl bindings of the python cryptography default WHL >= 2.5 does not work on Windows XP);
* [FIX] trap exception when creating database tables from scratch fails, allowing upgrade of structure;
* [FIX] reduce the risk of *database is locked* error;
* [FIX] deprecation warning for verifier and signer when checking crl signature;
* [FIX] :code:`persistent_dir` calculation in package's call_setup_hook when package_uuid is None in local wapt database (for clients migrated from pre 1.7 wapt, error None has no len() in audit log);
* [FIX] regression: do not try to use host_certificate / key for client side ssl authentication if they are not accessible;
* [IMP] define proxies for crl download in :command:`wapt-get scan-packages`;
* [IMP] fixed bad normalization action icon;
* [IMP] paste from clipboard action available in most packages editing grid;
* [IMP] propose to define package root dev path, package prefix, the WAPT Agent or new private key / certificate when launching the WAPT Console;
* [IMP] remove the need to define waptdev directory when editing *groups* / *profiles* / *wua packages* / *self-service* packages;
* [IMP] grid columns translations in French;
* [IMP] Improved the WAPT Exit utility responsiveness. Events check thread and tasks check thread are now separated.
* [NEW] added ClientAuth checkbox when building certificate in the WAPT Console;
* [NEW] added :code:`--quiet` :code:`-q` option to :file:`postconf.py`
* [MISC] add an example of client side certificate authentication
* [ADD] added clientAuth extended usage to x509 certificates (default True) for https client authentication using personal certificate;
* [NEW] use of ssl client certificate and key in the WAPT Console for authenticating with the WAPT Server;
* [FIX] ssl client certificate authentication not taken in account for the WAPT Server api and host repository;
* [ADD] added :code:`is_client_auth` property for certificates;

  - default *None* for :code:`is_client_auth` certificate / :abbr:`CSR (Certificate Signing Request)` build;
  - do not fallback to host's client certificate authentication if it is not clientAuth capable (if so, http error 400);

* [MISC] waptcrypto: added SSLPKCS12 to encapsulate pkcs#12 key / certificate in certificate store;
* [MISC] added splitter for log memo in Packages for hosts panel;
* [FIX] store fixes;
* [FIX] be tolerant when no :code:`persistent_dir` in *waptwua* packages;

  - min wapt version 1.7.3 for self service packages and *waptwua* packages;

* [FIX] WsusUpdates has no attribute :code:`downloaded`;

=========================
WAPT-1.7.3.7 (2019-02-19)
=========================

(hash 373f7d92)

Bug fixes
---------

* [FIX] softs normalization dialog closed when typing F key (**Enterprise** only);
* [IMP] include waptwua in the WAPT :program:`Nginx` Server windows locations (**Enterprise**
  only);
* [FIX] force option from service or websockets not being taken into account in :command:`install_msi_if_needed` or :command:`install_exe_if_needed`;
* [IMP] improved win updates reporting (uninstall behavior) (**Enterprise** only);
* [ADD] added uninstall action for winupdates in the WAPT Console (**Enterprise** only);
* [FIX] reporting from dmi "size type" fields with non integer content (**Enterprise** only);

Improvements
------------

* [IMP] Improved the WAPT Exit utility: allow minimize button;
* [IMP] Improved the WAPT Exit utility: layout changes;
* [IMP] AD authentication: less restrictive on user name sanity check (**Enterprise** only);
* [IMP] handling of updates of data for winupdates with additional download urls (**Enterprise** only);
* [ADD] added some additional info fields to WsusUpdates table (**Enterprise** only);
* [ADD] added filename to Packages table for reporting and store usage (**Enterprise** only);
* [ADD] added uninstall win updates to the WAPT Console (**Enterprise** only);
* [ADD] added windows updates uninstall task capabilities (**Enterprise** only);
* [ADD] added filename to Packages table;
* [IMP] increased default clockskew tolerance for client socket io;

==========================
WAPT-1.7.3.5 (2019-02-13)
==========================

Bug fixes
---------

* [FIX] regression in package filenames (missing _);
* [FIX] Fixed mismatch for the WAPT Console ``[global]`` :code:`waptwua_enabled` setting;
* [FIX] Fixed default in the WAPT Console :guilabel:`EnableWaptWUAFeatures` to True;

=========================
WAPT-1.7.3.4 (2019-02-13)
=========================

Bug fixes
---------

* [FIX] Fixed the WAPT Exit utility: install of an empty list of Windows Updates (**Enterprise** only);
* [FIX] wapt-get.exe WaptWUA commands: fixed import of waptwua client module for waptwua-scan download install (**Enterprise** only);
* [FIX] :code:`install_delay` for Windows Updates stored as a time_delta in waptdb (**Enterprise** only);

Improvements
------------

* [ADD] versioning on group packages filenames;
* [ADD] button to create AD Host profiles (package automatically installed/removed based on AD Group memberships)
* [IMP] reduce the WAPT System Tray utility notifications occurrences. :code:`notify_user` = ``False`` per default
* [FIX] Fixed the WAPT Exit utility: details panel does not show the pending packages to install;
* [FIX] always install the missing dependencies in install (even if upgrade action should have queued dependencies installs before) for some corner known cases;
* [FIX] get the WAPT Server certificate chain popup action when building the WAPT Agent;
* [ADD] action to create a key / certificate in the WAPT Console conf;
* [IMP] hide inactive / disabled WaptWUA actions in Host popup menu;
* [ADD] checkbox to display newest only for groups;
* [ADD] Added in the WAPT Console the config parameter :code:`licences_directory` to specify the location (directory) of licenses (**Enterprise** only);
* [IMP] Improved the WAPT Agent build dialog: Removed the :guilabel:`Append host's profiles` option;
* [IMP] remove waptenterprise directory if waptsetup community is deployed over a waptenterprise edition;

=========================
WAPT-1.7.3.3 (2019-02-11)
=========================

* [IMP] Core:

  - better support for :code:`locales`, :code:`maturities` and :code:`architecture` packages filtering;

* [NEW] Self service rule packages (**Enterprise** only):

  - Package to define which packages can be installed / removed for groups of users;
  - WAPT Windows Updates rules packages (**Enterprise** only);

* [NEW] package to define which Windows Updates are allowed / forbidden to be deployed by Wapt WUA Agents;
* **WAPT Agent** build:

  - [ADD] Added the option for :code:`use_fqdn_as_uuid` when building :program:`waptagent.exe`;
  - [ADD] Added the option to define the profile package to be deployed upon WAPT install on hosts;
  - [ADD] Added the options to enable WaptWUA (Windows updates with Wapt) (**Enterprise**
    only);

* Host Profile packages (**Enterprise** only):

  - [IMP] specific packages (like Group packages) which are installed or removed depending on :file:`wapt-get.ini` ``[global]`` :code:`host_profiles` ini key;
  - [NEW] if a *profile* package name matches Computer's AD Groups, it is deployed automatically;

* Reporting (**Enterprise** only):

  - [NEW] import / export queries as json files;
  - [IMP] software names normalization as a separate dialog;

* **WAPT Exit utility**:

  - [IMP] reworked to make it more robust;
  - [IMP] takes into account packages to remove;
  - [IMP] takes into account Wapt WUA Updates (**Enterprise** only):

    - command line switch: /install_wua_updates;
    - wapt-get.ini setting: ``[waptwua]`` :code:`install_at_shutdown` = ``True``;
    - checkbox in the WAPT Exit utility to skip install of Windows Updates;

* **WAPT Console** Custom commands:

  - [NEW] ability to define custom popupmenu commands which are launched for the selection of hosts. Custom variables {uid};

* Other improvements:

  - [IMP] French translations fixes;

===============
Changelog 1.7.2
===============

* [NEW] Reporting (**Enterprise** only):

  - basic SQL reporting capability;
  - duplicate action / copy paste for reporting queries;

* [ADD] *SetupHelpers*: added *SetupHelpers* :code:`processes_for_file` and :code:`get_computer_domain`;

Libraries updates
-----------------

* :program:`python 2.7.15` on Windows;
* :program:`openssl-1.0.2p`;
* upgraded to :program:`python-requests 2.20.0` (Security Fix);

Improvements
------------

* [IMP] Do not refresh GridHostsForPackage if not needed (**Enterprise** only);
* [IMP] Do not add a newline to log text output for LogOutput;
* [IMP] Improved handling of update_host_data hashes to reduce amount of data sent to the WAPT Server on each :command:`update_server_status`;
* [IMP] Set python27.dll path in wapt-get and :program:`waptconsole.exe` (fix cases with multiple python installations);
* [FIX] Removal of packages when upgrading host via websockets;
* [IMP] Do not get
  host capabilities if not needed when updating;
* [IMP] Do not check package control signatures in wapt-get when loading list of packages for development tasks;
* [IMP] Moved static WAPT Server assets to a /static root split base.html and index.html templates for blueprints;
* [FIX] Fixed selective pending wua install or downloads (**Enterprise** only);
* [FIX] Fixed WUA updates filter logic (**Enterprise** only);
* [IMP] Improved uninstall *host* packages if :code:`use_hostpackages` is set to false:

  - add a forced update in the task loop when host capabilities have been changed;
  - include :code:`use_host_packages` and :code:`host_profiles` in host's capabilities.

* [FIX] Fixed regression not removing implicit packages.
* [IMP] More tolerant to unicode errors in :command:`update_host_data` to avoid hiding actual exception behind an encoding exception.
* [FIX] Fixed order of columns not kept when exporting reports (**Enterprise** only)
* [IMP] Improved :code:`install_msi_if_needed`, :code:`install_exe_if_needed`: check if :code:`killbefore` is not empty or None
* [IMP] Changed tasks's progress and runstatus to property
* [FIX] Fixed audit aborted due to exception: 'NoneType' object is not iterable (**Enterprise** only)
* [ADD] *SetupHelpers*: Added :code:`setuphelpers.get_app_path` and :code:`setuphelpers.get_app_install_location`:

  - add fix_wmi procedure to re-register WMI on broken hosts;
  - some wmi fallbacks to avoid unregistered hosts when WMI is broken on them.

* [ADD] Added online wua scans (**Enterprise** only)
* [ADD] Added random :code:`package_uuid` when signing a package metadata which could be used later as a primary key:

  - creates a random :code:`package_uuid` when installing in DEV mode;
  - creates a random :code:`package_uuid` when installing a package without :code:`package_uuid`.

* [IMP] Moved and renamed :code:`EnsureWUAUServRunning` to *SetupHelpers*;
* [ADD] Added :code:`pending_reboot_reasons` to inventory;
* [IMP] Improved the display of WAPT package versions for missing packages;
* [ADD] :command:`wapt-get sign-packages`: added setting :code:`maturity` and inc version in sign-packages action;
* [ADD] Added :guilabel:`WindowsUpdates's host History` grid below :guilabel:`WindowsUpdate` grid (**Enterprise** only);
* [IMP] Improved storing of Host Windows update history in the WAPT Server database (**Enterprise** only);
* [IMP] keep selected or focused rows in grids;
* [IMP] Improved updates Packages table when uploading a Package / Group. This table is meant mainly for reporting purpose;
* [IMP] Disables indexes for some BinaryJson fields;
* [FIX] Fixed Windows Updates :code:`install_date` reporting (**Enterprise** only);
* [ADD] Added a checkbox to enable :code:`use_fqdn_as_uuid` when building :program:`waptagent.exe`;
* [IMP] Changed default value for :code:`upgrade_only_if_not_process_running`;
* [IMP] Changed naming of organizational *unit* packages to remove ambiguity with comma in package name and comma to describe the list of WAPT packages :code:`depends` / :code:`conflicts`:

  - Replace ',' with '_' when editing package (**Enterprise** only);

* [ADD] Added to the WAPT Exit utility: priorities and :code:`only_if_not_process_running` command line switches;
* [IMP] Improved waptupgrade: changed :code:`windows_version` and Version;
* [ADD] Added *SetupHelpers* :code:`setuphelpers.windows_version`: added :code:`setuphelpers.members_count`;
* [IMP] Improved waptutils.Version: strip members to :code:`members_count` if not *None*;
* [ADD] Added control attributes editor keywords license homepage :code:`package_uuid` to the local WAPT service database;
* [ADD] Added short fingerprint to repr of SSLCertificate;
* [IMP] Be sure password gui is visible even if parent window is not;
* [ADD] Added gui for private key password dialog if
  :code:`--use-gui`;
* [ADD] Added :code:`--use-gui` to :program:`wapt-get.exe` command line argument to force the use of waptguihelper for the WAPT Server credentials when registering;

=========================
WAPT-1.6.2.7 (2018-10-02)
=========================

This is a bugfix release for 1.6.2.5:

* [FIX] Fixed the WAPT Exit utility: changed the default value of :code:`upgrade_only_if_not_process_running` parameter to *False* instead of *True*:

  - if :code:`upgrade_only_if_not_process_running` is *True*, the install tasks for packages with running processes (*impacted_process*) are skipped;
  - if :code:`upgrade_only_if_not_process_running` is *False*, the install tasks for packages with running processes may impact the user if the installer kills the running processes;

* [FIX] *waptwua*: take in account Windows Updates *RevisionNumber* attribute to identify uniquely an Update in addition to UpdateID field (**Enterprise** only). This fixes the 404 error when downloading missing windows updates on a client.

=========================
WAPT-1.6.2.6 (2018-09-26)
=========================

This is a bugfix release for 1.6.2.5:

* [FIX] Fixed the WAPT Server Enterprise on Windows: added proper upgrade path from :program:`PostgreSQL 9.4` (used in WAPT 1.5) to :program:`PostgreSQL 9.6` which is required for WAPT-Windows Update:

  * new database binary and data directory path are suffixed with -9.6;
  * old data is suffixed with -old after migration;

* [FIX] upgrade script for :program:`MongoDB` upgrade (WAPT 1.3) to :program:`PostgreSQL` used since WAPT 1.5;
* [FIX] regression on WMI / DMI inventory which may be not properly sent back to the WAPT Server;

=========================
WAPT-1.6.2.5 (2018-09-14)
=========================

[NEW] Main new features if you are coming from 1.5:

* per package *Audit* feature (**Enterprise** only);
* *WAPT managed Windows Updates* tech preview (**Enterprise** only);
* wizards to guide post configuration of Windows server and first use of :program:`waptconsole`;
* :program:`waptconsole`/ private repo page: added a grid which shows the computers where the selected package is installed;

It includes numerous changes over the 1.5.1.26 version.

New
---

* [NEW] per package audit feature:

  - def audit() hook function to add into package's :file:`setup.py`. By default, check *uninstall key* presence in registry:
  - :command:`wapt-get audit`;
  - :command:`wapt-get -S audit`;
  - :command:`wapt-get audit `;
  - right click in the WAPT Console on hosts or installed packages/ Audit package;
  - synthetic audit status for each host;
  - for each installed package: *last_audit_status*, *last_audit_on*, *last_audit_output*, *next_audit_on*;
  - scheduled globally with :file:`wapt-get.ini` parameter ``[global]``:

    .. code-block:: ini

      waptaudit_task_period = 4h

    or in package's :file:`control` file:

    .. code-block:: ini

      audit_schedule = 1d

  - audit log displayed in :program:`waptconsole` below installed package grid if :guilabel:`Audit Status` column is focused;

* [UPD] updated python modules
* [IMP] build with :program:`Lazarus 1.8.2` instead of :program:`CodeTyphon 2.8` for the Windows executables:

  * better strings encoding handling and easier to setup for the development;

Known issues
------------

* :program:`PostgreSQL 9.6` is required for WAPT WUA tech preview (Debian Jessie not supported);
* WAPT 1.6 includes one more security layer in the WAPT Agent to WAPT Server connection. After the WAPT Server upgrade, the client desktops will not be able to connect to the WAPT Server as long as they have not been upgraded themselves. If you need to remotely manage the WAPT agent while the agent has not yet been upgraded, it is necessary to set :code:`allow_unauthenticated_connect` to *True* in :file:`waptserver.ini`;

Fixes
-----

* [FIX] add AD Groups as Hosts dependencies in :program:`waptconsole`;
* [FIX] remove image on reachable column if no status has been sent yet;
* [FIX] Organizational Units WAPT packages not being installed when there are spaces in DN;
* [FIX] Operational error when host are trying to reconnect but are not registered;
* [FIX] fill in *created_on* database fields on win updates data;
* [IMP] debian server postinst: remove old :file:`pyc` files;

Changes
-------

* [IMP] Improved WAPT Console setup Wizard;
* [ADD] *allow_unauthenticated_connect* defaults to *allow_unauthenticated_registration* if it is not explicitly set in :file:`waptserver.ini` file (This will ease migration from 1.5 to 1.6);
* [IMP] :kbd:`Escape` key on password edit of login moves focus to configuration combo;
* [IMP] PackageEntry.asrequirement(): removed space between package name and version specification;
* [IMP] missing *install_date* in *insert_many* for some updates;
* [ADD] add force argument for WAPTUpdateServerStatus action;
* [IMP] Do not include
  :file:`setup.py` in initial host's packages inventory, and full inventory;
* [IMP] allow to use installed :program:`waptdeploy.exe` without retry/ignore dialog;
* [IMP] be sure error is reported properly in :program:`socketio`;
* [IMP] added *package_uuid* and homepage package attributes;
* [IMP] added installed on columns for host wsus updates;
* [FIX] WUA grid layout saving;

=========================
WAPT-1.6.2.2 (2018-07-16)
=========================

Known issues
------------

* :program:`PostgreSQL 9.6` is required for WAPT WUA tech preview (Debian Jessie not supported);
* the authentication of client connections to the WAPT websockets server is not compatible with pre-1.6.2 wapt clients. During migration, if you want to keep the connection with clients, you have to disable the authentication with the parameter: :code:`allow_unauthenticated_connect` = ``False`` in the WAPT Server's configuration file :file:`waptserver.ini`. When all clients have migrated, this can be removed;

New
---

* [NEW] wizard for the initial configuration of :program:`waptserver` on Windows;
* [ADD] wizard for the initial configuration of :program:`waptconsole` connection parameters;
* [ADD] **Enterprise only**: waptconsole/ private repo page: added a grid which shows the computers where the selected package is installed;
* [NEW] **Enterprise only**: WAPT WUA Windows Updates management technical preview:

  - activate with :code:`waptwua_enabled` = ``True`` in :file:`wapt-get.ini` file on the client;
  - scan of updates on Windows clients with the IUpdateSearcher Windows API and the :file:`wsusscan2` cab file from Microsoft;
  - additional page in the WAPT Console host inventory for Windows updates status reported (HostWsus model);
  - additional page in the WAPT Console for the consolidated view of all updates reported by hosts (WsusUpdates model);
  - periodic task on the WAPT Server to check and download newer version of :file:`wsusscan2` cab file from Microsoft (daemon/ service wapttasks);
  - periodic Task on the WAPT Server to download missing windows updates files as reported by Windows client after scan:

    * missing files are downloaded if one of the clients should install it and does not yet have a copy in its local windows update cache;
    * downloads are logged in *WsusDownloadTasks* model;

Changes
-------

* [ADD] field in hosts table to keep the hashes of sent host data, so that clients can send only what needs to be updated;
* [ADD] :code:`db_port` WAPT Server config parameter if :program:`postgresql` server is not running on standard port 5432;
* [ADD] editor optional attribute for package control, used in *register_windows_uninstall* helper if supplied;
* [IMP] websocket authentication with a timestamped token obtained from the WAPT Server with client SSL certificate;
* [IMP] json responses from :program:`waptserver` are gzipped;

Fixes
-----

* [IMP] forced host uuid;
* [IMP] forced computer AD Organizational unit;
* [IMP] public certs dir;
* [FIX] caching of negative result for certs chain validation;
* [IMP] refactoring of the WAPT Server python modules (*config*, *utils*, *auth*, *app*, *common*, *decorators*, *model*, *server*) for the enterprise modularity;
* [FIX] timezone file timestamp handling for http download;

Python modules updates
----------------------

* upgrade to :program:`peewee 3.4`;
* upgrade to :program:`eventlet==0.23.0`;
* upgrade to :program:`huey 1.9.1`;
* :program:`eventlet 0.20.1` --> :program:`eventlet 0.22.1`;

  0.22.1:

  * [IMP] event: Event.wait() timeout=None argument to be compatible with upstream CPython;
  * [IMP] greendns: Treat /etc/hosts entries case-insensitive. Thanks to Ralf Haferkamp;

  0.22.0:

  * [IMP] dns: reading /etc/hosts raised DeprecationWarning for universal lines on Python 3.4+. Thanks to Chris Kerr;
  * [IMP] green.openssl: Drop OpenSSL.rand support. Thanks to Haikel Guemar;
  * [IMP] green.subprocess: keep CalledProcessError identity.
    Thanks to Linbing@github;
  * [IMP] greendns: be explicit about expecting bytes from sock.recv. Thanks to Matt Bennett;
  * [IMP] greendns: early socket.timeout was breaking IO retry loops;
  * [IMP] GreenSocket.accept does not notify_open. Thanks to orishoshan;
  * [IMP] patcher: set locked RLocks' owner only when patching existing locks. Thanks to Quan Tian;
  * [IMP] patcher: workaround for monotonic "no suitable implementation". Thanks to Geoffrey Thomas;
  * [IMP] queue: empty except was catching too much;
  * [IMP] socket: context manager support. Thanks to Miguel Grinberg;
  * [IMP] support: update :program:`monotonic 1.3` (5c0322dc559bf);
  * [IMP] support: upgrade bundled to :program:`dnspython 1.16.0` (22e9de1d7957e) https://github.com/eventlet/eventlet/issues/427;
  * [FIX] websocket leak when client did not close connection properly. Thanks to Konstantin Enchant;
  * [IMP] websocket: support permessage-deflate extension. Thanks to Costas Christofi and Peter Kovary;
  * [IMP] wsgi: close idle connections (also applies to websockets);
  * [IMP] wsgi: deprecated options are one step closer to removal;
  * [IMP] wsgi: handle remote connection resets. Thanks to Stefan Nica;

  0.21.0

  * [IMP] new timeout error API: .is_timeout=True on exception object. It's now easy to test if network error is transient and retry is appropriate.
    Please spread the word and invite other libraries to support this interface;
  * [IMP] hubs: use monotonic clock by default (bundled package); Thanks to Roman Podoliaka and Victor Stinner
  * [IMP] dns: EVENTLET_NO_GREENDNS option is back, green is still default;
  * [IMP] dns: hosts file was consulted after nameservers;
  * [IMP] wsgi: log_output=False was not disabling startup and accepted messages;
  * [IMP] greenio: Fixed OSError: [WinError 10038] Socket operation on nonsocket;
  * [IMP] dns: EAI_NODATA was removed from RFC3493 and FreeBSD;
  * [IMP] green.select: fix mark_as_closed() wrong number of args;
  * [NEW] added zipkin tracing to eventlet;
  * [IMP] db_pool: proxy Connection.set_isolation_level();

* :program:`Flask-socketio 2.9.2` --> :program:`Flask-socketio 3.0.1`;
* :program:`python-engineio 2.0.1` --> :program:`python-engineio 2.0.4`;
* :program:`python-socketio 1.8.3` --> :program:`python-socketio 1.9.0`;
* upgrade to :program:`websocket-client 0.47`;

=========================
WAPT-1.6.2.1 (2018-07-04)
=========================

New features
------------

* [ADD] def audit() optional hook in package is called periodically to check compliance. Log and status is reported in the WAPT Server database and displayed in the WAPT Console (**Enterprise**).
* [ADD] WSUS tech preview: based on local Windows update engine and :file:`WSUSSCAN2` cab Microsoft file. WAPT Server act as a caching proxy for updates. Scanning for, downloading and applying Windows updates can be triggered from the WAPT Console on workstations (**Enterprise**). A new wapttasks process is launched on the WAPT Server to download updates and wsusscan cab from Internet.

Changes / Improvements
----------------------

* [IMP] better utf8 handling;
* [IMP] :command:`wapt-get make-template` from a directory creates a basic installer for portable apps;
* [IMP] Improved wapt-get, the WAPT Exit utility: Removed ZeroMQ message queue on the client, replaced by simple http long polling to monitor tasks status;
* [IMP] Improved the WAPT Console: Replaced blocking timer based http polling for tasks status by threaded http long polling;
* [IMP] Improved the WAPT Console: Filter hosts on whether current personal certificate signature is authorized for remote tasks (**Enterprise**). If the same WAPT Server is used for several organizations, this allows focusing on one's own hosts. This assumes that different CA certificates are deployed depending on the client host's organization. In this release, the filtering is not enforced and not cryptographically authenticated;
* [CHANGE] renamed :program:`waptservice.py` to :program:`service.py` and :program:`waptserver.py` to :program:`server.py`, activated absolute import for all python sources;
* [REMOVED] *use_http_proxy_for_template* parameter (setting is now in ``[wapt-templates]`` repo);

**The WAPT service**

* [ADD] handling of WUA tasks (Scan, download, apply updates) (**Enterprise**);
* [ADD] handling of auditing tasks;

**The WAPT Server**

* [ADD] tasks queue (:program:`Huey`) for the WSUS background tasks (**Enterprise**);
* [IMP] gzip compression activated on the :program:`nginx` configuration;

**The WAPT System Tray utility**

* [ADD] option in :file:`wapt-get.ini` to hide some items:

  * :code:`hidden_wapttray_actions`: comma separated list of: :guilabel:`LaunchWAPTConsole`, :guilabel:`register`, :guilabel:`serviceenable`, :guilabel:`reloadconfig`, :guilabel:`cancelrunningtask`, :guilabel:`cancelalltasks`, :guilabel:`showtasks`, :guilabel:`sessionsetup`, :guilabel:`forceregister`, :guilabel:`localinfo`, :guilabel:`configure`;

* [CHANGE] use long polling instead of
  :program:`zmq`;
* [IMP] stop/ start/ query the WAPT service using a thread to avoid gui freeze;

Fixes
-----

* [FIX] waptguihelper: be sure to load the proper python27.dll;
* [FIX] core: forward *force* argument from the WAPT Console to :file:`setup.py` install() hook;
* [FIX] overwrite :file:`psproj` package file when editing a package to fix path to WAPT python virtualenv and add new debug actions;

Modules updates
---------------

* [UPD] GUI Binaries are built with :program:`Lazarus 1.8.2` / :program:`fpc 3.0.4` instead of :program:`CodeTyphon 2.8`;
* [UPD] :program:`peewee 3.0.4`;
* [UPD] :program:`eventlet 0.23.0`;
* [UPD] :program:`huey 1.9.1`;
* [UPD] :program:`pywin32` rev 223;
* [UPD] :program:`Flask-socketio 2.9.6`;
* [UPD] :program:`engineio.socket 2.0.4`;
* [UPD] :program:`websocket-client 0.47`;
* [UPD] :program:`pyOpenSSL 17.5.0`;
* [UPD] :program:`requests 2.19.1`;

Known issues
------------

* *unit* type of packages (with AD DN style names) are not well handled by local WAPT self service, because of commas in name.

=========================
WAPT-1.6.1.0 (2018-06-21)
=========================

Fixes
-----

* [FIX] Fixed av potential cause in the WAPT System Tray utility;
* [IMP] Improved buffer LogOutput;
* [FIX] Fixed wait task result loop in the WAPT Server;
* [FIX] Fixed bad acl on the WAPT service;
* [FIX] Fixed repo timeout not taken into account;
* [FIX] Fixed bad parameter for :code:`repo_url` and ``[wapt-host]`` section;
* [FIX] Fixed potential cause for anti-virus flagging the WAPT Exit utility;
* [FIX] Fixed make isAdmin non blocking as a workaround for false positive checks;
* [FIX] Fixed use timeout parameter when importing external package;
* [FIX] Fixed pass timeout parameter when importing;
* [FIX] Fixed bad :code:`repo_url` config naming;
* [FIX] Fixed calc hash when compiling if file does not exist;
* [FIX] Fixed repo timeout is float;
* [FIX] Fixed custom zip corruption when signing a package with non ascii filenames;
* [FIX] Fixed check wapt_db is assigned when rollbacking;
* [IMP] Improved logging in events;
* [FIX] Fixed installed packages section is incorrectly reported as *base* instead of *unit* or *host* in the WAPT Console;
* [IMP] ensure manual service wua is running when using command line;
* [UPG] Python modules updates:

  - upgrade to :program:`peewee 3.4`;
  - upgrade to :program:`eventlet==0.23.0`;
  - upgrade to :program:`huey 1.9.1`.

* [CHANGE] Replaced eventprintinfo with LogOutput;
* [ADD] Added :code:`waptwua_enabled` config parameter;
* [IMP] Improved missing :code:`ensure_list` waptwua_enabled config parameter;
* [IMP] default *waptwua_enabled* to None to avoid wuauserv service configuration change;
* [ADD] Added missing columns for Windows updates;
* [ADD] Added action in the WAPT Console to show help on KB;
* [IMP] Improved the WAPT System Tray utility cosmetic: hide duplicated separators in tray popup menu when some actions are hidden;
* [ADD] Added http_proxy ini setting for the WAPT Server external download operations;
* [IMP] Improved the WAPT System Tray utility: Start and stop the WAPT service using a thread to avoid gui freeze;
* [IMP] Switched to pure FPC PBKDF2 password hash calc for postconf;
* [IMP] Refactored WAPT Server code to share app and socketio instances;
* [FIX] Fixed forward the "force" argument (command line and through the websockets) to the install() setup.py hook;
* [FIX] Fixed to not display all missed events at tray startup in the WAPT System Tray utility;
* [FIX] Fixed no default :code:`audit_period`;
* [REMOVED] :program:`zeromq`, replaced by long http polling between the WAPT System Tray utility, wapt-get and the WAPT service;

==========================
WAPT 1.5.1.26 (2018-07-12)
==========================

Bug fixes
---------

* [IMP] revert monkey_patch for the WAPT Server on windows.
  No reason to exclude thread;
* [ADD] :code:`allow_unauthenticated_connect` config (default *false*) on the WAPT Server;
* [FIX] CRITICAL update_host failed UnboundLocalError("local variable 'result' referenced before assignment",);
* [FIX] https://roundup.tranquil.it/wapt/issue951;
* [FIX] https://forum.tranquil.it/viewtopic.php?f=13&t=1160ix;
* [FIX] https://forum.tranquil.it/viewtopic.php?f=13&t=1160;
* [FIX] :file:`init_workdir.bat`;
* [FIX] returns a token when updating host data for websocket authentication;
* [IMP] rewrite package psproj when editing (to fix wapt basedir paths);
* [FIX] %s -> %d format string for expiration warning message;
* [FIX] host_certificate not found for waptstarter;
* [ADD] some dev build scripts;

==========================
WAPT-1.5.1.24 (2018-07-04)
==========================

Bug fixes
---------

* [FIX] Fixed zipfile python library bug for packages which contains files with non-ascii filenames. Signed WAPT packages were corrupted in this case;
* [FIX] Fixed deadlocks on the WAPT Server database when the number of simultaneous database connections is larger than 100 (default maximum connections configured on postgresql);
* [FIX] Fixed crash of the WAPT Console on warning message when license is about to expire (**Enterprise** only);
* [FIX] Fixed %s --> %d format string for expiration warning message;
* [FIX] Fixed :code:`host_certificate` not found for waptstarter;
* [FIX] Fixed :file:`waptserversetup.iss` to include enterprise modules (**Enterprise**);
* [FIX] Fixed download link to waptsetup and the WAPT Deployment utility on the WAPT Server index page for Windows;

Modules updates
---------------

* :program:`requests 2.19.1`;
* :program:`Rocket 1.2.8` - Don't try to resurrect connections that timeout. Increase the timeout ... to decrease the likelihood:

  - handle PyPi only supports HTTPS/TLS downloads now;
  - fix the problem that when body is empty no terminating chunk is sent for chunked encoding.
  - avoid sending the terminating chunk in case it is a HEAD request;
  - fix the problem that when body is empty no terminating chunk is sent for chunked encoding;
  - explicitly set the log level to warning;
  - fix bug "Threadpool grows by negative amount when max_threads = 0";
  - do not try to resurrect connections that timeout. Increase the timeout to decrease the likelihood;

==========================
WAPT-1.5.1.23 (2018-03-28)
==========================

Changes
-------

* [IMP] Improved the WAPT Exit utility: display a custom PNG logo if one is created in :file:`%WAPT_HOME%\\templates\\waptexit-logo.png`;
* [IMP] nssm.exe is signed with Tranquil IT code signing key;
* [ADD] Added in the WAPT Console: locale and maturity columns in packages status grid;
* [IMP] Improved in the WAPT Console the WAPT Agent wizard; be sure to get a relative path when checking certificate validity;
* [ADD] Added to waptsetup :code:`/CopyPackagesTrustedCA` and :code:`/CopyServersTrustedCA` command line parameters to allow deployment of wapt with specific certificates with GPO for wapt without recompiling waptsetup;

  Example:

  .. code-block:: bat

    C:\tmp\waptdeploy --hash=e17c4eddd45d34000df0cfe64af594438b0c3e1ee9791812516f116d4f4b9fa9 --minversion=1.5.1.23 --waptsetupurl=http://buildbot/~tisadmin/wapt/latest/waptsetup.exe --setupargs=/CopyPackagesTrustedCA=c:\tmp\tranquilit.crt --setupargs=/CopyServersTrustedCA=c:\tmp\srvwapt.mydomain.lan.crt --setupargs=/verify_cert=ssl\server\srvwapt.mydomain.lan.crt --setupargs=/repo_url=https://srvwapt.mydomain.lan/wapt --setupargs=/waptserver=https://srvwapt.mydomain.lan --setupargs=/DIR=c:\wapt

Bug fixes
---------

* [FIX] Fixed the WAPT Console: regression introduced in 1.5.1.22.
  Unable to login if the WAPT Server does not have a :abbr:`FQDN (Fully Qualified Domain Name)`;
* [FIX] *SetupHelpers*: winstartup_info fallback when :file:`COMMON_STARTUP` folder does not exist, preventing a client to register properly;
* [FIX] version/ revision in the WAPT System Tray utility display the git hash instead of old svn revision number;
* [FIX] Fixed the WAPT Console: update French translation for certs bundle hint;
* [FIX] Fixed the WAPT Console: compare properly packages when number of version members differs 1.3 <-> 1.3.1 for example;

==========================
WAPT-1.5.1.22 (2018-03-27)
==========================

Bug fixes
---------

* [FIX] add Active Directory groups;
* [FIX] newest only with :code:`locale`, :code:`architecture` and :code:`maturity`;
* [FIX] Import from external repository with mixed :code:`locale`, :code:`architecture` and :code:`maturity`;
* [ADD] :code:`--setupargs` to :program:`waptdeploy`;
* [FIX] RPM;
* [FIX] Enterprise build (**Enterprise** only);
* [IMP] different icons for WAPT Community and Enterprise editions;
* [IMP] switch to Community features when no licence instead of aborting (**Enterprise**);
* some up to date Installed Packages marked as upgradable because of bad comparison :code:`maturity` None/ maturity;
* [IMP] :code:`depends` and :code:`conflicts` fields of HostsPackagesStatus table limited to 800 chars --> type changed to ArrayField to handle unlimited number of dependencies;
* [NEW] git python module added as part of WAPT libraries;
* [IMP] list organizational *unit* packages in group package table (**Enterprise**);
* [FIX] MongoDB to PostgreSQL database upgrade script;
* [FIX] licence/ hosts count/ expiry check (**Enterprise**);
* [FIX] relative path for *verify_cert*;

Known issues
------------

* When the WAPT Server is searched with DNS SRV query (dnsdomain param), kerberos register authentication is not working.

==========================
WAPT-1.5.1.21 (2018-03-13)
==========================

Global architecture
-------------------

* [IMP] multiple languages for the description of packages. English, French, German, Spanish and Polish are handled as a starting point. More to be added in the future;
* [IMP] the description column in the WAPT Console displays one language or another depending on the :code:`language` setting in :file:`waptconsole.ini`. In packages, :code:`description_fr`, :code:`description_en`, etc. have been added;
* [IMP] when renaming hosts, the old host package (matching the previous host uuid) is now "removed" instead of forgotten;
* [NEW] Handle AD organizational unit packages (**Enterprise** only);
* [NEW] package attributes:

  * :code:`locale` attribute: a computer can be configured to accept only packages with a specific locale;
  * :code:`maturity` attribute: stores a status like *DEV*, *PREPROD*, *PROD* to describe the level of completion of the package. Computers can be configured to accept packages with specified maturities. The default packages maturity of a computer is both the empty one and *PROD*;
  * :code:`impacted_process` attribute: csv list of process names which would be killed before install (:command:`install_msi_if_needed`, :command:`install_exe_if_needed`) and uninstall (by means of the uninstallkey list). Could also be used in the future for a "soft" upgrade remote action which upgrades software while it is not running;

Setup/ WAPT upgrades
--------------------

**WAPTupgrade package**

* [IMP] increased lifetime of the upgrade task Windows scheduler trigger for computers which are down for many days when upgrading;
* [ADD] trigger at start of the computer;

**The WAPT Console**

* [IMP] display of the list of embedded trusted packages certificates when building the custom WAPT Agent installer;

**Bug fixes**

* [FIX] handle unicode filepaths for the Packages Wizard;
* [IMP] work in progress improvement of unicode handling globally in the WAPT Console;
* [FIX] use proxy if needed for "download and edit" from external repo;

**SetupHelpers**

* [FIX] Fixed bug in :command:`create_programs_menu_shortcut` and :command:`create_user_programs_menu_shortcut`. Shortcuts were created in :file:`startup` and not :file:`startup/programs`.

==============================
WAPT-1.5.1.19 rc1 (2018-03-08)
==============================

Global architecture
-------------------

There is now some additional support for packages localization. In the package :file:`control` file, the *description_fr*, *description_en*, *description_de*, *description_pl* and *description_es* attributes can be used to give the description in French, English, German, Polish and Spanish respectively. If not set, the base description is used.

WAPT Console
------------

==============================
WAPT-1.5.1.18 rc1 (2018-02-27)
==============================

Global architecture
-------------------

There is a significant internal change in how python libraries are managed inside WAPT. This has implications on the way python scripts are launched. This change is only relevant for people launching WAPT processes manually.

We have removed the (not clean) sys.path manipulations inside wapt python scripts sources. The consequence is that all python scripts **MUST** be run with ``PYTHONHOME`` and ``PYTHONPATH`` set beforehand and pointing to the WAPT home directory (:file:`/opt/wapt` on Linux). Failing to do so results in scripts claiming that libraries are missing.

On the WAPT Server running on Linux, libs are now in the default :file:`/opt/wapt/lib/python2.7` location instead of the former non standard one.

* [IMP] WAPT has its own full python environment for libraries, even when debugging. Before, a system wide python27 installation was needed for :program:`PyScripter` to run. Now, :program:`PyScripter` can be started with a special batch file :file:`waptpyscripter.bat` which sets the environment variables for python (``PYTHONHOME`` and ``PYTHONPATH``) and runs :program:`PyScripter` with the python dll path set to wapt's own copy.
* [NEW] Command line scripts with proper environment:

  * *wapt-serverpostconf* on Linux server to start the WAPT Server postconf.py
  * *wapt-scanpackages*
  * *wapt-signpackages*

* [NEW] debugging command line tools which set up the python environment properly before running the python script:

  * to debug the WAPT service, launch in cmd as admin: :command:`runwaptservice.bat`;
  * to debug the WAPT Server, launch in cmd: :command:`runwaptservice.bat` or under linux: :command:`runwaptserver.sh`;
  * to launch :program:`PyScripter` without the need for a local system wide python27 install, run :program:`waptpyscripter.bat`;

WAPT client
-----------

* [IMP] Add local wapt-get.ini settings *packages_whitelist* and *packages_blacklist* to restrict accepted packages from the repository based on the package's name;
* [IMP] More detailed reporting of the host's repositories configuration (now includes dnsdomain, proxy, and list of trusted certificates);
* [FIX] fixed display in the Windows task bar of the login window (to allow in particular the autofill of the password by password managers); also fixed the WAPT Agent failing to compile if keys / certificates already exist but the certificate had been removed from :file:`C:\\wapt\\ssl`;
* [NEW] Handle AD organizational unit packages (Enterprise edition)
* [IMP] Fallback to basic authentication when a host is registering on the WAPT Server if kerberos is enabled but authentication fails.
* [IMP] Improved :program:`wapt-get.exe`: the :file:`wapt-get.ini` configuration file can be designated with the *--config* option using the base name of the user's :file:`waptconsole.ini` file (without ini extension) instead of the full path. Handy when switching between several configurations. Same behavior as for the WAPT Console. Example: :code:`wapt-get -c site3 build-upload c:\\waptdev\\test-7zip-wapt`;
* [FIX] Be sure not to loop forever in the websockets retry loop if something is wrong in the WAPT Server or websocket configuration.
* [FIX] Update PyScripter project template to use the project directory as parameter for debug actions, and use relative paths for filenames.
* [FIX] incorrect package version comparison. Return True when comparing 1.2-1 to 1.2.1-3 (note: this is not homogeneous with the Version() class behavior. todo: merge both);
* [FIX] waptsetup: register and update **MUST** be launched with elevated privileges. So remove the *runasoriginaluser* option.
* [NEW] Introduced attributes target_os and impacted_process for the package's :file:`control` file. They are not yet taken into account.
* [NEW] Introduced method to handle X509 client certificates authentication for repositories and the WAPT Server (especially for public WAPT Servers);
* [NEW] Introduced classes to generate X509 :abbr:`CRL (Certificate Revocation List)`;

**Setuphelpers**

* [UPD] :code:`setuphelpers.removetree`: Try to remove the readonly flag when :code:`remove_tree` reaches an Access Denied error;
* [FIX] Fixed unicode handling in shell startup shortcuts;
* [IMP] :code:`waptutils.wget` can check sha1 or sha256 hashes in addition to md5, and can cache and resume partial downloads;

WAPT Console
------------

* [NEW] action in the WAPT Console to plan in the near future a restart of the WAPT service on selected hosts;
* [IMP] mass host update/upgrade actions in the WAPT Console are now launched in a single shot instead of one host at a time;
* [NEW] allow to force a host_dn in :file:`wapt-get.ini` when the host is not in a domain (**Enterprise** only);
* [NEW] *SetupHelpers*: added timeout parameter for :code:`setuphelpers.service_start`, :code:`setuphelpers.service_stop` and :code:`setuphelpers.service_restart`;
* [IMP] the :guilabel:`group filter list` box is now editable, and one can type a partial group match and press enter to filter on all matching groups. The separator is a comma (*,*). Handle * at the end of the search to find all occurrences even if one group matches exactly;

WAPT Server
-----------

* [ADD] bat script migrate-hosts.bat to set the environment for :file:`migrate-hosts.py`;
* [ADD] trigger_action.py script to trigger action on pre 1.5 hosts with reachable 8088 port from a 1.5 WAPT Server;
* [FIX] :code:`registration_auth_user` reset to None when reusing the host certificate to re-register;
* [IMP] removed unnecessary dependencies krb5-user, msktutil, python-psutil for the WAPT Server package;
* [IMP] increase client_max_body_size for http post on nginx for large update / upgrade trigger;
* fix :code:`signature_clockskew` parameter not taken into account in the WAPT Server configuration;
* unified loggers for the WAPT Server;
* have the WAPT Server ask WAPT clients to update their status using websockets if the websocket connection is up but the database is not aware of the given SID (case where the WAPT Server is restarted but :program:`nginx` is kept up, and the restart of the WAPT Server service is fast enough not to trigger a reconnection of the clients);
* [FIX] disable proxy for migrate-hosts;

Known issues
------------

* WAPT service: if a system account level http proxy is defined in the registry on the Windows host, the websocket client library tries to use it and fails to connect to the WAPT Server. Workaround: make an exception for the WAPT Server;
* In the WAPT Console: if a http proxy is defined in :file:`waptconsole.ini`, section ``[global]``, key *http_proxy*, it is used by the WAPT Console even if the setting :code:`use_proxy_for_xxx` is False. Workaround: set :code:`http_proxy` to an empty string in :file:`waptconsole.ini`;
* when using a personal certificate that is not self-signed, depending on the issuer, the certificate file :file:`\mine_cert.crt` can contain the full chain (own certificate, intermediate CA, and root CA). When the WAPT Console asks if the certificate should be put in the authorized client certificate directory (:file:`\ssl`), the full :file:`crt` file is copied as is. This means that all certificates in the :file:`crt` file are authorized, and not only the personal one. This is perhaps not desired. Workaround: check if the personal PEM encoded :file:`crt` file contains the full certificate chain. If this is the case, copy into :file:`\ssl` only the parts of the PEM file matching the certificates you want to trust;
* SNI is not properly handled by the WAPT Console code, leading to an incorrect error about certificate validation on a WAPT https Server with virtual hosts;
* Certificate :abbr:`CRL (Certificate Revocation List)` updates (periodical signature, ...) must be managed manually using tools like easy-rsa. Only :abbr:`CRL (Certificate Revocation List)` accessible by a URL are supported;
* proxies are not supported on the WAPT Server, so the :abbr:`CRL (Certificate Revocation List)` can not be updated properly (as far as a Distribution Point is defined in certificates) if the WAPT Server has no direct http access to the distribution points;
* https certificates are verified on the clients using the bundle defined by the :code:`verify_cert` ini setting. If this setting is simply *True*, the bundle supplied with the python libraries is used to check issuers. This bundle is not updated unless WAPT is upgraded, so new issuers or issuers that are no longer trusted are only taken into account at that point. It is therefore better to deploy your own CA bundle along with wapt and define the :code:`verify_cert` path.
* for 1.5.1.18 rc1, on the linux server, there are broken symbolic links in the :file:`lib/python2.7` folder. Next RC does not exhibit this problem;

==========================
WAPT-1.5.1.14 (2018-01-09)
==========================

* [NEW] Historize in the *wapt_localstatus* PostgreSQL table the dependencies and conflicts of installed packages (to provide an easy way to warn when a conflicting package will be installed or should be removed);
* [FIX] load full certificate chain from host packages to check :file:`control` (as is the case for other types of packages);
* [SEC] regression: check host package control signature right after downloading (it is also checked when starting the install);
* [FIX] regression: do not install host package if its version is lower than the installed one;
* [FIX] Do not raise an exception during session-setup if the package has no :file:`setup.py`;

**The WAPT Agent**

* [FIX] intermediate CA pinning: allow deploying an intermediate CA as authorized package CA without the root CA (segregation of rules between entities);
* [FIX] old style print statement (without parentheses) raising an error in *setup-session* or *uninstall* :program:`setup.py` functions;

**SetupHelpers**

* [IMP] Added :code:`setuphelpers.cache_dir` parameter to :program:`wget` function;
* [IMP] renamed *cabundle* parameter to *trusted_bundle*;
* [NEW] Add python methods to create a certificate from a :abbr:`CSR (Certificate Signing Request)`;

**The WAPT Console**

* [ADD] Added a checkbox in the WAPT Agent builder to sign with sha1 in addition to sha256 for old wapt client upgrades;
* [IMP] force host package version to be at least equal to the already installed host package (when the host package is deleted, the version was starting again at 0);
* [FIX] regression: check existing host package signature before editing it;

**The WAPT Server**

* [FIX] Force the WAPT Server database structure upgrade at each WAPT Server startup;
* [ADD] :code:`db_connect_timeout` parameter for the pool of WAPT Server database connections;
* [NEW] Store :code:`depends` and :code:`conflicts` attributes in the WAPT Server *HostPackagesStatus* PostgreSQL table;

Known issues
------------

* SNI is not properly handled by the WAPT Console code, leading to an incorrect error about certificate validation on the WAPT https Server with virtual hosts;
* certificate :abbr:`CRL (Certificate Revocation List)` updates (periodical signature, ...) must be managed manually using tools like easy-rsa. Only :abbr:`CRL (Certificate Revocation List)` accessible by a URL are supported;

==========================
WAPT-1.5.1.13 (2018-01-03)
==========================

* A few fallbacks to allow using the WAPT Console under Wine.
* Draft of a plugin architecture in the WAPT Console.
* GUI to enter passwords in :program:`PyScripter`.
* The :command:`wapt-get make-template` action in the installer creates an empty package.
* The signer's certificate chain is included in the package instead of only the end certificate.
* IMPROVE: handling of certificates signed by an intermediate authority for WAPT Console actions.
* Added an option to specify the configuration file for the WAPT Console.
* [FIX] SNI when retrieving the certificate chain in the WAPT Console.
* [ADD] added actions to launch mass updates / upgrades, offer updates to the users (WAPT Enterprise).
* :kbd:`F5` refreshes the list of packages.
* Remote change of the computer description.
* Several WAPT Server instances can be configured on one server / VM.
* Chunked http upload, so that large packages can be uploaded without going through :program:`scp`.
* Added forced installation of a package on a host in the WAPT Console.
* Added an option to hide advanced actions (simplifies the WAPT Console display).
* The CN of the host certificate / key is named after the UUID.
* If one or more dependencies of a package cannot be installed, the parent package is not installed and is marked as in error.
* Memory leak on the server?
* Timezone handling for certificate validity.
* [SECURITY] all files are taken into account when verifying hashes, not only those in the root directory (regression introduced in 1.5 but not present in 1.3).

=========================
WAPT-1.5.1.5 (2017-11-16)
=========================

Global architecture
-------------------

* [NEW] the host packages are now named with the BIOS :term:`UUID` of the host instead of the :term:`FQDN` (it is possible to use the FQDN as the UUID with the parameter *use_fqdn_as_uuid* but it may create duplicates in the WAPT Console);
* the WAPT service listens on the loopback address, port 8088, and no longer on all interfaces. This reduces the potential attack surface if an attacker spoofs the IP address of the WAPT Server;
* at startup, the WAPT service creates a Websockets (Socket.IO) connection to the server so that the WAPT Console can trigger Update / Upgrade / Install / Remove; port 8088 of the service is no longer used for this;
* [NEW] the Websocket requests from the WAPT Console to the WAPT agents are now signed with the key of the :term:`Administrator`. Before, security relied on source IP restriction and the validation of the Administrator's login / password;
* the inventory database is now a PostgreSQL database, replacing MongoDB. This makes querying for custom reporting easier, SQL being better known to system administrators;
* the display of a large number of hosts in the WAPT Console has been improved. Displaying several thousand hosts is no longer a problem;
* modifying the configuration of a large number of hosts has been made much faster;
* resuming a partial package download is now possible (interruption at shutdown ...);
* private keys must now be protected with a password;

WAPT Console
------------

* switch to Websockets;
* support for high resolution screens (e.g. 4k screens);
* modernised icon sets in the WAPT Console;
* on-the-fly change of the host description;
* option to change the password of a key;

Package format
--------------

* the presence of the :file:`setup.py` file is optional (in particular, it is not needed for group and host packages that only contain dependencies);
* [NEW] if the package contains a :file:`setup.py` file, it MUST be signed with a **Code Signing** certificate, otherwise the package WILL NOT be installed.
  The roles are now differentiated between the role of the :term:`Package Deployer` (allowed to sign group and host packages) and the role of :term:`Package Developer` (allowed to sign group, host AND base packages);
* when the package is signed, the signer's certificate is added to the package (:file:`WAPT/certificate.crt`);
* the :file:`manifest` file is renamed :file:`manifest.sha256` instead of :file:`manifest.sha1`, and :file:`signature.sha256` instead of :file:`signature`;
* the following attributes are added to the :file:`control` file:

  * :code:`signed_attributes`: for the reliability of the verification;
  * :code:`min_wapt_version`: the package is ignored (and is not installed) if wapt is not at least at this version;
  * :code:`installed_size`: the package is not installed unless at least this much space is available on the system disk;
  * :code:`max_os_version`: the package is ignored if Windows has a version higher than this attribute;
  * :code:`min_os_version`: the package is ignored if Windows has a version lower than this attribute;
  * :code:`maturity`: ``PROD``, ``PREPROD``, ``TEST``;
  * :code:`locale`: ``fr``, ``en``, etc;

General agent configuration
---------------------------

* explicit ``[wapt-host]`` section for the host packages repository, otherwise the url is derived from +'-host';
* explicit ``[wapt]`` section for the main repository, otherwise is taken into account;
* certificate verification enabled by default for all https connections;
* signing with sha256 instead of sha1;
* support for packages signed with certificates issued by an authority, with deployment of the authority's certificate only;
* use of the client UUID for the name of host packages instead of the FQDN;
* possibility to use the FQDN as UUID instead of the BIOS UUID (parameter :code:`use_fqdn_as_uuid`) (or forced uuid: parameter :code:`forced_uuid`);
* when signing, the signer is designated by their certificate and not by their private key. The private key is looked up by wapt in the same directory as the personal certificate. Having one certificate per person acting on WAPT is encouraged;
* possibility to take certificate revocation into account (the :abbr:`CRL (Certificate Revocation List)` is supplied to the hosts during update, in the Packages file);
* re-signing is possible under Linux with the :program:`wapt-signpackage.py` command;
* installation in :file:`Program Files(x86)` by default;

**SetupHelpers**

* :code:`setuphelpers.running_as_admin`, :code:`setuphelpers.running_as_system`;
* fix for :code:`add_shutdown_script`;
* added the *remove_old_version* parameter for :code:`setuphelpers.install_msi_if_needed` and :code:`setuphelpers.install_exe_if_needed`;

wapt-get
--------

* added the :command:`update-package-sources` function, which runs the package's optional :command:`update_package()` function;
* the *--private-key* option is replaced by the *--certificate* option to designate the certificate used to sign the package. The private key is looked up in the same directory as the certificate;
* the :file:`WAPT/wapt.psproj` file is replaced each time a package is edited (to update the path to the WAPT modules depending on the installation in :file:`C:\\wapt` or :file:`C:\\Program Files (x86)\\wapt`);
* the server certificate is verified during :command:`enable-check-certificate` to avoid misconfigurations;

wapt-signpackages
-----------------

* added options

.. code-block:: bash

   --if-needed
   --message-digest
   --scan-packages
   --message-digest

.. code-block:: bash

   Usage: wapt-signpackages -c crtfile package1 package2

   Re-sign a list of packages

   Options:
     -h, --help            show this help message and exit
     -c PUBLIC_KEY, --certificate=PUBLIC_KEY
                           Path to the PEM RSA certificate to embed identitiy in
                           control. (default: )
     -k PRIVATE_KEY, --private-key=PRIVATE_KEY
                           Path to the PEM RSA private key to sign packages.
                           (default: )
     -l LOGLEVEL, --loglevel=LOGLEVEL
                           Loglevel (default: warning)
     -i, --if-needed       Re-sign package only if needed (default: warning)
     -m MD, --message-digest=MD
                           Message digest type for signatures. (default: sha256)
     -s, --scan-packages   Rescan packages and update local Packages index after
                           signing. (default: False)

WAPT Console
------------

* [NEW] all actions sent to the hosts are signed with the Administrator's key;
* [NEW] generation of a key / certificate pair signed by a Certificate Authority (WAPT Enterprise);
* option to create a **Code Signing** certificate or not (Enterprise version);
* option to change the password of an RSA key;
* option to verify certificates when creating the :program:`waptagent`;
* launching TISHelp (Enterprise version);
* limit on the number of hosts returned in the WAPT Console;
* added the :guilabel:`reachable` filter = host connected to the WAPT Server;
* possibility to change the host description

**The WAPT Server**

* authentication against an LDAP directory (Enterprise version);
* use of Websockets for actions;

**The WAPT service**

* the http web service of :program:`waptservice` listens only on the loopback 127.0.0.1 (so no more checking whether port 8088 is open on the firewall..);
* :program:`waptservice` connects to the WAPT Server by websocket if the :code:`waptserver` parameter is present in :file:`wapt-get.ini`;
* the *websockets_verify_cert* parameter enables SSL verification of the certificate for the websockets connection;
* display of the list of certificates / CAs authorised for packages;
* display of the package signer;
* [NEW] *allow_user_service_restart* parameter allows a standard user to restart the WAPT service on her computer;
* launching :program:`tishelp` in service mode through the URL /tishelp;

waptagent installer
-------------------

* removed the installation of :program:`msvcrt`;
* only 2 options remain: install the service and launch :guilabel:`wapttray`;
* options for a silent installation:

  * *dnsdomain* for the automatic lookup of wapt and the WAPT Server
  * *wapt_server*
  * *repo_url*

* :program:`waptupgrade` always performs a full installation (no incremental installation);

Improvements 1.5.0.12-amo --> 1.5.0.16
--------------------------------------

* :file:`setup.py` not mandatory for uninstall;
* unicode path for package editing;
* fixed the repository lookup relying on DNS;
* fixed \\0000 for PostgreSQL;
* introduced an option to have a double sha1 and sha256 signature;
* https verification for :program:`waptagent` upload;
* *--if-needed* option in :command:`wapt-signpackages`;
* fix proxy in package import;
* handling of certificate revocations (:abbr:`CRL (Certificate Revocation List)`);
* fix required attributes in action signatures;
* *max_clients*;
* fix option without server (:program:`waptstarter`);
* added launching :program:`tishelp`;
* force update at installation;

=======================
WAPT-1.4.0 (2017-05-05)
=======================

* no official release;
* [NEW] migration to the PostgreSQL database in place of MongoDB;

========================
WAPT-1.3.13 (2017-07-25)
========================

Security fix
------------

* regression: the package files content check was skipped if the signature of :file:`manifest` and the :file:`Packages` index file checksum were ok. This regression affects all 1.3.12 releases, but not WAPT <= 1.3.9 and >= upcoming 1.5. In order to exploit this bug, one would need to tamper with the :file:`Packages` files either through a MITM (if you do not have valid https certificate check) or a root access on the WAPT Server.

Other changes
-------------

* compatibility with packages signed with the upcoming WAPT 1.5. With WAPT 1.5, packages are signed with sha256 hashes. An option allows signing them with sha1 too so that they can be used with WAPT 1.3 without signing them again.
* new package certificate for Tranquil IT packages.
  The previous certificate for packages on store.wapt.fr has expired. All packages on store.wapt.fr have been signed again with a new key / certificate, with both sha1 and sha256 hashes and the WAPT 1.5 signature style (control data is signed as well as files)
* fix for local GPO add_shutdown_script() function (thanks jf-guillou!)
* fix for :program:`waptsetup.exe` postinstall actions (:command:`update` / :command:`register`) when running the :program:`waptsetup.exe` installer without elevated privileges: added *runascurrentuser* flag
* remove needless python libraries to make the install package slimmer

===========================
WAPT 1.3.12.13 (2017-06-26)
===========================

WAPT Console
------------

* [NEW] Package creation wizard from an :file:`MSI` or :file:`Exe` file;
* [NEW] Option in the :guilabel:`Tools` menu or by drag and drop in the private repository tab;
* [NEW] Discovery of silent options;
* [NEW] Use of the :command:`install_exe_if_needed` and :command:`install_msi_if_needed` functions instead of a plain :command:`run()` for exes and MSIs (several :file:`setup.py` templates in :file:`C:\\wapt\\templates`);
* [NEW] Significant speed improvement for mass modification of host packages;
* [NEW] Optional verification of the signature of packages imported from an external repository. The list of authorised certificates is by default in :file:`%APPDATA%\\waptconsole\\ssl` and can be set in the :program:`waptconsole` parameters. The ini parameter is named :code:`authorized_certs_dir`. Otherwise, the authorised certificates are those in :file:`C:\\wapt\\ssl`;
* [NEW] Optional verification of the https certificate for external repositories in the WAPT Console;
* [NEW] Verification of the signature of host, group and software packages before they are modified in the WAPT Console or in :program:`PyScripter`;
* [NEW] When importing from an external repository, possibility to edit the package for inspection rather than loading it directly onto the production repository;
* [NEW] Changed the URLs relating to the documentation. https://www.wapt.fr/en/doc/;
* [NEW] Possibility to refresh the certificate without recreating the RSA key pair (in particular to set a correct Common Name, which appears as the signer of the packages);
* [NEW] HTTPS by default for repository URLs.

Other fixes
-----------

* [FIX] Parameter :code:`AppNoConsole` : ``1`` for NSSM (:program:`waptservice` / :program:`waptserver`) to allow operation on Windows 10 Creators Updates;
* [FIX] Zip files remaining locked if an error is raised;
* [FIX] Removal of the temporary directory when cancelling the editing of a group;
* [FIX] Handling of spaces in PyScripter project files;
* [FIX] utf8 / unicode handling for some functions;
* [FIX] Fix encoding handling when :command:`run_not_fatal()` returns an error;
* [FIX] replaced the mongo.bson library with python's native json;
* [FIX] bug in the synchronisation of AD groups with WAPT packages;
* [FIX] bug "La clé privée n'existe pas" ("the private key does not exist") the first time it is entered if the WAPT Console is not restarted;
* [FIX] "wapt service restart" bug (thanks to QGull);
* [FIX] possibility to have uppercase letters in package names (not recommended however, package names are case sensitive);
* [FIX] a few updates to the :file:`wapt-get.ini.tmpl` configuration examples
* [FIX] compiling the :program:`waptagent` fails if the keys / certificates already exist but the certificate has been removed from :file:`C:\\wapt\\ssl`;
* [FIX] display of the login window in the taskbar (to allow in particular autofill by password managers);

=========================
WAPT 1.3.9.3 (2017-04-11)
=========================

* [FIX] Argument *shell* = *True* was not explicitly passed to the underlying function as it was in previous versions.

=======================
WAPT 1.3.9 (2017-03-03)
=======================

Fixes
-----

* [FIX] update code to follow more PEP8 recommendations;
* [FIX] upgradedb locks sqlite database issue;
* [FIX] Fix broken DNS SRV record discovery;
* [FIX] Fix unicode handling of signer / CN / organization in certificates;
* [FIX] Unzipped netifaces module;

wapt-get
--------

* [NEW] Expands wildcards args for :command:`wapt-get install`, :command:`wapt-get show`, :command:`wapt-get build-package`, :command:`wapt-get sign-package`;
* [FIX] Fix :command:`wapt-get show-params`;
* [FIX] Fix :command:`wapt-get register` with description not working on some computers;
* [FIX] Fix broken *-c* *--config* option;

**SetupHelpers**

* [NEW] :code:`setuphelpers.reg_key_exists`;
* [NEW] :code:`setuphelpers.reg_value_exists`;
* [NEW] :code:`setuphelpers.run_powershell`;
* [NEW] :code:`setuphelpers.remove_metroapp`;
* [NEW] :code:`setuphelpers.local_users_profiles`;
* [NEW] :code:`setuphelpers.get_profiles_users`;
* [NEW] :code:`setuphelpers.get_last_logged_on_user`;
* [NEW] :code:`setuphelpers.get_user_from_sid`;
* [NEW] :code:`setuphelpers.get_profile_path`;
* [NEW] :code:`setuphelpers.wua_agent_version`;
* [NEW] :code:`setuphelpers.local_admins`;
* [NEW] :code:`setuphelpers.local_group_memberships`;
* [NEW] :code:`setuphelpers.local_group_members`;
* [IMP] :command:`run`: explicit default values for :code:`setuphelpers.run` command help in :program:`PyScripter`.
Added *return_stderr argument* (overloaded str object); * [FIX] :code:`setuphelpers.run_notfatal`: fix unicode issue in use wmi module for :code:`setuphelpers.wmi_info_basic` instead of :code:`setuphelpers.wmic` shell command; * [IMP] :code:`setuphelpers.make_path`: improved when first argument is a drive. Be smart if an argument is a callable; * [FIX] :code:`setuphelpers.CalledProcessError`: restored code:`setuphelpers.CalledProcessError` alias. * [ADD] :code:`setuphelpers.host_infos`: added *profiles_users*, *last_logged_on_user*, *local_administrators*, *wua_agent_version* attributes; * [IMP] :code:`setuphelpers.ensure_unicode`: return None if None, for bytes strings, try utf8 decoding before system locale decoding; **The WAPT Console** * [FIX] restore allowed lowercase/uppercase package naming; * [ADD] 4 host popup menu actions: * :guilabel:`Computer Mgmt`; * :guilabel:`Computer Users`; * :guilabel:`Computer Services`; * :guilabel:`RemoteAssist`; * [FIX] fixed other issues in the WAPT Console: * Don't search host while typing; * utf8 search (accents...); * utf8 compare; * try to get localized versions of special folders; Setup ----- * [ADD] :program:`waptpythonw.exe` binary in distribution for the WAPT Console less python scripts (to avoid having :program:`cmd.exe` windows poping up when invoking a python script); * [FIX] change default wapt templates URL to https://store.wapt.fr/wapt; * [FIX] when upgrading, (full :program:`waptagent.exe` install) remove stalled :program:`waptagent.exe` installs; ========================= WAPT 1.3.8.2 (2016-11-18) ========================= Security -------- * [SEC] Fix inheritance of rights on wapt root folder for Windows 10 during setup when installed in :file:`C:\\wapt`. On Windows 10, :program:`cacls.exe` does not work and does not remove "Authenticated Users" from :file:`C:\\wapt`. 
:program:`cacls.exe` has been replaced by :program:`icacls.exe`: * on pre-wapt 1.3.7 systems, you can fix this by running the following command, or upgrade to wapt 1.3.8 (you may check :code:`icacls.exe c:\wapt /inheritance:r`) * This can be achieved with a GPO, or a wapt package * [IMP] in next versions of WAPT, the default install path of wapt will be changed from root folder :file:`C:\\wapt` to a more standard :file:`C:\\Program Files (x86)\\wapt`. * [IMP] By default, :program:`waptsetup.exe` / :program:`waptsetup-tis.exe` do not distribute certificates to avoid to deploy directly packages from Tranquil IT. :program:`waptagent.exe` by default distributes the certificates that are installed on the mangement desktop creating the :program:`waptagent`. Core changes ------------ * [IMP] The database structure has changed between 1.3.8 and 1.3.8.2 to include additional attributes from packages: *signer*, *signer_fingerprint*, *locale*, and *maturity*. *signer* and *signer_fingerprint* are populated when signing the package to identify the origin. This means local WAPT database is upgraded when first starting WAPT 1.3.8.2 and this is not backward compatible; * [IMP] Installers have a limited set of options, the most common use of WAPT is privileged; * [ADD] 3 new parameters for the :program:`waptexit` policy behavior: *hiberboot_enabled*, *max_gpo_script_wait*, *pre_shutdown_timeout*. These parameters are not set by default and should be added to :file:`wapt-get.ini` *[global]* section if needed; * [IMP] Use user's :file:`waptconsole.ini` configuration file instead of :file:`wapt-get.ini` for the commands targeted to package development (*sources*, *make-template*, *make-host-template*, *make-group-template*, *build-package*, *sign-package*, *build-upload*, *duplicate*, *edit*, *edit-host*, *upload-package*, *update-packages*. This avoids the need to write these parameters in :file:`wapt-get.ini` on the development workstation. 
These parameters are not shared across multiple users on same host. One use case is to allow multiple profiles (key, upload location) depending on the maturity of package (development, test, production...); **SetupHelpers** * [ADD] helper functions :code:`setuphelpers.dir_is_empty`, :code:`setuphelpers.file_is_locked`, :code:`setuphelpers.service_restart` and :code:`setuphelpers.WindowsVersions` class * [IMP] Added referer and *user_agent* in :code:`setuphelpers.wget` and :code:`setuphelpers.wgets` * [IMP] run function: define stdin as PIPE to avoid lockup process waiting for input or error like unable to duplicate handle when using for example powershell * [IMP] Version class: try to compare version using at least Version.members_count * [FIX] encoding fixes for registry functions, fix encoding for registry_setstring key name * [FIX] :code:`setuphelpers.install_exe_if_needed`: do not check uninstall_key or min_version if not provided * [FIX] :code:`setuphelpers.install_exe_if_needed` and :code:`setuphelpers.install_msi_if_needed` version check if *--force* * [UPD] Check version and uninstall key after install with :command:`setuphelpers.install_exe_if_needed` and :code:`setuphelpers.install_msi_if_needed` * [UPD] inventory includes informations from WMI.Win32_OperatingSystem * [ADD] :code:`setuphelpers.get_disk_free_space` helper function * [UPD] check free disk space when downloading with :code:`setuphelpers.wget`. Check http status before. * [UPD] Version class: Version('7')=1.2.2 only: https://roundup.tranquil.it/wapt/issue433 * [ADD] read the docs theme for sphinx *SetupHelpers* API documentation. WIP https://roundup.tranquil.it/wapt/issue427 * [IMP] doc updates * [ADD] api/v1/hosts_delete method * [ADD] :command:`need_install`, :command:`install_exe_if_needed`, :command:`install_msi_if_needed` functions to *SetupHelpers* * [ADD] parameters for :program:`waptdeploy`. 
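
To audit hosts for the condition fixed in 1.3.8.2 above (the WAPT root folder still carrying rights that let "Authenticated Users" write to it), the following PowerShell function is an added example, not part of WAPT. The function name ``Test-WaptFolderAcl`` and the choice of broad principals are assumptions.

```powershell
# Added example, not WAPT code. Test-WaptFolderAcl is a hypothetical helper name.
function Test-WaptFolderAcl {
    param([string]$Path = 'C:\wapt')   # install path named in the changelog

    # Well-known SIDs (locale-independent) of principals assumed too broad
    # to hold write access on the agent's folder.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that allow planting or replacing files, plus the generic bits
    # that can appear on inherit-only entries.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # identity cannot be mapped to a SID, so it is not a broad one
        }
        if ($broadSids.ContainsKey($sid) -and
            (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }

    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected   # state after /inheritance:r
        BroadWriteRules     = @($findings)
        NeedsFix            = (@($findings).Count -gt 0)
    }
}

# Usage: report the folder only if it exists on this host.
'C:\wapt' | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-WaptFolderAcl -Path $_ } | Format-List
```

A host reporting ``NeedsFix`` as true with inherited rules matches the state the changelog entry describes before the :program:`icacls.exe` fix.
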
=======================
WAPT 1.2.1 (2015-03-26)
=======================

**WAPT Console**

* [ADD] combobox for filtering on groups in :program:`waptconsole`.
* [ADD] :guilabel:`Add ADS Groups as packages` action to WAPT host selection popup menu
* [ADD] :command:`cleancache` action to clean local packages cache in the WAPT Console
* [ADD] added :command:`notify_server` on network reconfiguration if :program:`waptserver` is available;
* [IMP] column :guilabel:`groups` shows only host's direct dependencies with package's section == "group" instead of all direct dependencies.
* [ADD] optional anonymous statistics (nb of hosts, nb of packages, age of updates...) sent to Tranquil IT to document the communication around WAPT (sent by :program:`waptconsole` at most every 24h)
* [IMP] improved mass hosts delete,
* [ADD] delete hosts package action. WAPT Server >=1.2.2 only: https://roundup.tranquil.it/wapt/issue433
* [IMP] big packages uploads (write uploaded packages by chunk) (but still some issues on 32-bit WAPT Servers due to :program:`uwsgi`)
* [IMP] display version of mismatch when editing package
* [FIX] host's packages not saved when some dependencies do not exist anymore
* [FIX] restore working :guilabel:`Cancel running task` button
* [FIX] canceling subprocesses not working in freepascal apps (when waiting for :program:`InnoSetup` compile for example)

**wapt-get / WAPT service**

* [ADD] :command:`reset-uuid` and :command:`generate-uuid` for https://roundup.tranquil.it/wapt/issue421 duplicated :term:`UUID` issues
* [IMP] :command:`find_wapt_repo_url` process to avoid waiting for all repos if one repo is ok (improved response time in buggy networks)
* [IMP] windows DNS resolver in wapt client (python part) instead of pure python resolver. Should reduce issues when there are multiple network cards or inactive network connections.
* [IMP] changed priority of WAPT Server discovery using SRV DNS records: priority ascending first, then weight descending, to comply with standards.
* [FIX] solved some issues with :program:`SQLite` and threads in local :program:`waptservice`
* [IMP] explicit transaction handling and *isolation_level* = *None* for local waptDB (to try to avoid locks)
* [IMP] teardown handler for :program:`waptservice` to commit or rollback thread local connections
* [FIX] for waptrepo detection in freepascal parts: same process as python part.
* [FIX] for :command:`edit_package` when supplying a wapt filename instead of package request

**SetupHelpers**

* [ADD] read the docs theme for sphinx *SetupHelpers* API documentation. WIP https://roundup.tranquil.it/wapt/issue427
* [ADD] ``__all__`` list to avoid importing unnecessary names in :program:`setup.py` modules. Now only functions defined in *SetupHelpers* are available when importing *SetupHelpers*. This can break some WAPT packages if names were indirectly imported through *SetupHelpers* module.
* [ADD] :command:`need_install`, :command:`install_exe_if_needed`, :command:`install_msi_if_needed` functions to *SetupHelpers*.
* [ADD] :command:`local_desktops` function
* [FIX] version class instances accept to be compared to str
* [REM] :code:`setuphelpers.processnames_list` which is unused in *SetupHelpers*
* [ADD] :code:`setuphelpers.add_ads_groups` and :code:`setuphelpers.get_computer_groups` to :program:`waptdevutils.py`
* [FIX] :code:`setuphelpers.run` helper
* [FIX] on_write callback not working
* [FIX] TimeoutExpired not formatted properly
* [FIX] use closure for registry keys

**The WAPT Deployment utility**

* [IMP] Improved the WAPT Deployment utility with more command line options (in particular tasks to merge to default innosetup selected tasks)
* [FIX] waptrepo detection using dns records

Install
-------

* [FIX] :program:`waptagent` upload error on windows
* [FIX] debian packages should work for Jessie
* [IMP] :command:`copytree2` for :program:`waptupgrade`
* [FIX] trap exception for version check on copy of :mimetype:`.exe` and :mimetype:`.dll`
* [FIX] :program:`mongodb-server` version should be >= 2.4

=======================
WAPT-1.1.1 (2015-02-26)
=======================

**WAPT Console**

* [IMP] The loading of the main grid has been optimized; only configured columns are displayed;
* [IMP] Improved the WAPT Server: detects the hosts whose :program:`waptservice` is listening. Their :guilabel:`Reachable` status is shown with a green / grey indicator;
* [IMP] The WAPT package to upgrade WAPT on hosts (???-waptupgrade.wapt) is generated by the WAPT Console at the same time as the WAPT agent installer (:program:`waptagent.exe`); the two files are then uploaded to the WAPT Server;
* [ADD] The package dependencies of each host are displayed in the grid. This makes it possible to see which hosts have no package;
* [ADD] Added possibility to trigger available package upgrades on hosts that are listening from the WAPT Console. In that case, the host sends its status to the WAPT Server after the upgrade;
* [ADD] Added possibility to filter hosts in the WAPT Console according to their upgrade status or whether they are "reachable" or not,
* [ADD] When packages are flagged for install but are not yet installed on a host, they appear with a blue "+" indicator. It is then possible to force the immediate install of the package with a right-click;

**The WAPT service**

* [ADD] cleaning of the cache on the hosts after each successful upgrade;

**The WAPT Server**

* [ADD] the versions of the WAPT agent, WAPT Server are shown in the main web page of the WAPT Server (with a red indicator if there is a problem);

**SetupHelpers**

* [ADD] Added functions to *SetupHelpers* to manage shortcuts:

  - :code:`setuphelpers.remove_desktop_shortcut`;
  - :code:`setuphelpers.remove_user_desktop_shortcut`;
  - :code:`setuphelpers.remove_programs_menu_shortcut`;
  - :code:`setuphelpers.remove_user_programs_menu_shortcut`.

**Installation**

* [IMP] verification of used ports during the post-configuration of WAPT Server on a Windows host;

**Webservices**

* [IMP] the :program:`waptserver` no longer listens on port 8080 by default. The Apache front-end web server listens in HTTP and HTTPS and relays action calls to the python :program:`waptservice` that only listens locally.

  It is therefore necessary to update :file:`wapt-get.ini` files on WAPT agents and to replace *wapt_server* = http://srvwapt.mydomain.lan:8080 with *wapt_server* = https://srvwapt.mydomain.lan

  If you can not make that change to your WAPT agents, it is possible to return to the previous behavior. On Debian, edit the file :file:`/opt/wapt/waptserver/waptserver.ini`, and in the ``[uwsgi]`` section, put:

  .. code-block:: bash

     http-socket = 0.0.0.0:8080

  On Windows, edit :file:`C:\\wapt\\waptserver\\waptserver.ini` and replace:

  .. code-block:: bash

     server = Rocket(('127.0.0.1', port), 'wsgi', {"wsgi_app":app})

  with:

  .. code-block:: bash

     server = Rocket(('0.0.0.0', port), 'wsgi', {"wsgi_app":app})

  The repository may stay in HTTP on port 80. The calls to the WAPT Server are authenticated, but it is advised to restrict access to authorized sub-networks with a firewall.

* [IMP] json calls to the webservice of the WAPT Server are now standardized;
* [IMP] when launching :command:`update` / :command:`upgrade` / :command:`remove` / :command:`forget` / :command:`tasks_status` actions from the WAPT Console, the IP address of the host is no longer sent, but instead its :term:`UUID`, and it is the WAPT Server that finds the IP address and the port to use;
* [ADD] verification in the WAPT Console that the version of the WAPT Server is sufficient;
* [ADD] the timeouts to connect to WAPT agents and read the data are configurable in :file:`waptserver.ini`;

=====================
WAPT-1.0 (2015-01-31)
=====================

* [ADD] first public version of WAPT