Updating changelog for 4.47.2

CHANGELOG.md

@@ -1,3 +1,11 @@
+## Fleet 4.47.2 (Mar 22, 2024)
+
+### Bug fixes
+
+
+* Fixed false negative vulnerabilities on macOS Homebrew Python packages.
+* Resolved the issue where Microsoft Edge was not reporting vulnerabilities.
+
 ## Fleet 4.47.1 (Mar 18, 2024)
 
 ### Bug fixes

charts/fleet/Chart.yaml

@@ -8,7 +8,7 @@ version: v6.0.2
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.47.1
+appVersion: v4.47.2
 dependencies:
   - name: mysql
     condition: mysql.enabled

charts/fleet/values.yaml

@@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.47.1 # Version of Fleet to deploy
+imageTag: v4.47.2 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:

infrastructure/dogfood/terraform/aws/variables.tf

@@ -56,7 +56,7 @@ variable "database_name" {
 
 variable "fleet_image" {
   description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.47.1"
+  default     = "fleetdm/fleet:v4.47.2"
 }
 
 variable "software_inventory" {

infrastructure/dogfood/terraform/gcp/variables.tf

@@ -68,5 +68,5 @@ variable "redis_mem" {
 }
 
 variable "image" {
-  default = "fleet:v4.47.1"
+  default = "fleet:v4.47.2"
 }

terraform/byo-vpc/byo-db/byo-ecs/variables.tf

@@ -13,7 +13,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.1")
+    image                        = optional(string, "fleetdm/fleet:v4.47.2")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])

terraform/byo-vpc/byo-db/variables.tf

@@ -74,7 +74,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.1")
+    image                        = optional(string, "fleetdm/fleet:v4.47.2")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])

terraform/byo-vpc/example/main.tf

@@ -17,7 +17,7 @@ provider "aws" {
 }
 
 locals {
-  fleet_image = "fleetdm/fleet:v4.47.1"
+  fleet_image = "fleetdm/fleet:v4.47.2"
   domain_name = "example.com"
 }
 

terraform/byo-vpc/variables.tf

@@ -167,7 +167,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.1")
+    image                        = optional(string, "fleetdm/fleet:v4.47.2")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])

terraform/example/main.tf

@@ -59,8 +59,8 @@ module "fleet" {
 
   fleet_config = {
     # To avoid pull-rate limiting from dockerhub, consider using our quay.io mirror
-    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.47.1"
-    image = "fleetdm/fleet:v4.47.1" # override default to deploy the image you desire
+    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.47.2"
+    image = "fleetdm/fleet:v4.47.2" # override default to deploy the image you desire
     # See https://fleetdm.com/docs/deploy/reference-architectures#aws for appropriate scaling
     # memory and cpu.
     autoscaling = {

terraform/variables.tf

@@ -215,7 +215,7 @@ variable "fleet_config" {
   type = object({
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
-    image                        = optional(string, "fleetdm/fleet:v4.47.1")
+    image                        = optional(string, "fleetdm/fleet:v4.47.2")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])

tools/cis/cis_benchmarks_diff.txt

@@ -0,0 +1,68 @@
+Diff generated on: 2023-11-23 13:13:44
+
+file1: -- file1
+file2: ++ file2
+@@ -197 +197 @@
+file1: 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' (Automated)384
+file2: 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' (Automated)383
+@@ -288,3 +288,2 @@
+file1: 18.4.6 (L1) Ensure 'LSA Protection' is set to 'Enabled' (Automated)
+file1: 18.4.7 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'  (Automated)
+file1: 18.4.8 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' (Automated)
+file2: 18.4.6 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'  (Automated)
+file2: 18.4.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' (Automated)
+@@ -310,2 +309,3 @@
+file1: 18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on  public networks' (Automated)
+file1: 18.6.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' (Automated)
+file2: 18.6.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or  higher (Automated)
+file2: 18.6.4.2 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on  public networks' (Automated)
+file2: 18.6.4.3 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' (Automated)
+@@ -370,6 +370,7 @@
+file1: 18.9.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)
+file1: 18.9.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to  'Secure Boot' or higher (Automated)
+file1: 18.9.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code  Integrity' is set to 'Enabled with UEFI lock' (Automated)
+file1: 18.9.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is  set to 'True (checked)' (Automated)
+file1: 18.9.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to  'Enabled with UEFI lock' (Automated)
+file1: 18.9.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to  'Enabled' (Automated)
+file2: 18.9.5.1 (L1) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Automated)
+file2: 18.9.5.2 (L1) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to  'Secure Boot' or higher (Automated)
+file2: 18.9.5.3 (L1) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code  Integrity' is set to 'Enabled with UEFI lock' (Automated)
+file2: 18.9.5.4 (L1) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set  to 'True (checked)' (Automated)
+file2: 18.9.5.5 (L1) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to  'Enabled with UEFI lock' (Automated)
+file2: 18.9.5.6 (L1) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to  'Enabled' (Automated)
+file2: 18.9.5.7 (L1) Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack  Protection' is set to 'Enabled: Enabled in enforcement mode' (Automated)
+@@ -425 +426 @@
+file1: 18.9.25.2 (NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with  UEFI Lock' (Automated)
+file2: 18.9.25.2 (L1) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with  UEFI Lock' (Automated)
+@@ -588,2 +589,3 @@
+file1: 18.10.29.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Automated)
+file1: 18.10.29.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Automated)
+file2: 18.10.29.3 (L2) Ensure 'Turn off files from Office.com in Quick access view' is set to 'Enabled' (Automated)
+file2: 18.10.29.4 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Automated)
+file2: 18.10.29.5 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Automated)
+@@ -597 +598,0 @@
+file1: 18.10.35.1 (L1) 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always'  (Automated)
+@@ -625,6 +626,6 @@
+file1: 18.10.44.1 (NG) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'  (Automated)
+file1: 18.10.44.2 (NG) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is  set to 'Disabled' (Automated)
+file1: 18.10.44.3 (NG) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to  'Disabled' (Automated)
+file1: 18.10.44.4 (NG) Ensure 'Allow files to download and save to the host operating system from Microsoft  Defender Application Guard' is set to 'Disabled' (Automated)
+file1: 18.10.44.5 (NG) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard  behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'  (Automated)
+file1: 18.10.44.6 (NG) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to  'Enabled: 1' (Automated)
+file2: 18.10.44.1 (L1) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'  (Automated)
+file2: 18.10.44.2 (L1) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is  set to 'Disabled' (Automated)
+file2: 18.10.44.3 (L1) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to  'Disabled' (Automated)
+file2: 18.10.44.4 (L1) Ensure 'Allow files to download and save to the host operating system from Microsoft  Defender Application Guard' is set to 'Disabled' (Automated)
+file2: 18.10.44.5 (L1) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard  behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'  (Automated)
+file2: 18.10.44.6 (L1) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to  'Enabled: 1' (Automated)
+@@ -647 +648,2 @@
+file1: 18.10.57.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Automated)
+file2: 18.10.57.2.2 (L2) Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to  'Enabled' (Automated)
+file2: 18.10.57.2.3 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Automated)
+@@ -696,0 +699,4 @@
+file2: 18.10.76.1.1 (L1) Ensure 'Notify Malicious' is set to 'Enabled' (Automated)
+file2: 18.10.76.1.2 (L1) Ensure 'Notify Password Reuse' is set to 'Enabled' (Automated)
+file2: 18.10.76.1.3 (L1) Ensure 'Notify Unsafe App' is set to 'Enabled' (Automated)
+file2: 18.10.76.1.4 (L1) Ensure 'Service Enabled' is set to 'Enabled' (Automated)
+@@ -703,0 +710 @@
+file2: 18.10.79.1 (L1) Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1' (Automated)