Adding changes for Fleet v4.62.0

Author: lukeheath

CHANGELOG.md

@@ -1,3 +1,58 @@
+## Fleet 4.62.0 (Jan 02, 2025)
+
+### Bug fixes
+
+### Endpoint Operations
+- Added capability to automatically generate "trigger policies" for custom software packages.
+- Stop older scheduled queries from filling logs with errors
+- Changed script upload endpoint (`POST /api/v1/fleet/scripts`) to automatically switch CRLF line endings to LF
+- Fleshed out server response from `queries` endpoint to include `count` and `meta` pagination information.
+- Updated UI queries page to filter, sort, paginate, etc. via query params in call to server.
+- Updated platform filtering on queries page to refer to targeted platforms instead of compatible platforms
+- Updated queries API to support above targeted platform filtering
+
+### Device Management (MDM)
+- Added license key validation on `fleetctl preview` if a license key is provided; fixes cases where an invalid license key would cause `fleetctl preview` to hang.
+- Allowed team policy endpoint (`PATCH /api/latest/fleet/teams/{team_id}/policies/{policy_id}`) to receive explicit `null` as a value for `script_id` or `software_title_id` to unset a script or software installer respectively.
+- Alises EAP versions of JetBrains IDEs to "last release version plus all fixes" to avoid vulnerability false positives.
+
+### Vulnerability Management
+- Added Mastodon icon and URL to server email templates.
+- Added a validation to prevent label deletion if it is used to scope the hosts targeted by a software installer.
+- Fixed issue where minio software was not scanned for vulnerabilities correctly because of unexpected trailing characters in the version string
+
+### Bug fixes and improvements
+- Fleet UI: Fix export to CSV from trimming leading zeros by treating those values as strings
+- Send alert via SNS when a scheduled "cron" job returns errors
+- SNS topic for job error alerts can be configured separately from the existing monitor alert by adding "cron_job_failure_monitoring" to sns_topic_arns_map, otherwise defaults to the using the same topic
+- Fix bug when creating a label to preserve the selected team
+- Add UI for scoping software via labels
+- Removed server error if no private IP was found by detail_query_network_interface.
+- Added ability to use secrets ($FLEET_SECRET_YOURNAME) in scripts and profiles.
+- Fleet UI: Add searchable query targets and cleaner UI for uses with many teams or labels
+- Increased maximum length for installer URLs specified in GitOps to 4000 characters
+- Fixed a panic (and resulting failure to load CVE details) on new installs when OS versions have not been populated yet.
+- Add functionality to filter host software based on label scoping.
+- Add the ability to click a software row on the my device page and see the details of that software's installation on the host.
+- Update fleetctl dependencies that cause warnings
+- Added service annotation field to Helm Chart
+- Added features to scope Fleet-maintained apps and custom packages via labels in UI, API, and CLI.
+- Allowed software uninstalls and script-based host lock/unlock/wipe to run while global scripts are disabled.
+- Fix policy truncation UI bug
+- Add support for fleet secret validation in software installer scripts
+- Added fallback to FileVersion on EXE installers when FileVersion is set but ProductVersion isn't to allow more custom packages to be uploaded
+- Removed duplicate software records from homebrew casks already reported in the osquery `apps` table to address false positive vulnerabilities due to lack of bundle_identifier
+- Fixed cases where showing results of an inherited query viewed inside a team would include results from hosts not on thta team by adding an optional team_id parameter to queries report endpoint (`GET /api/latest/fleet/queries/{query_id}/report`)
+- Added the `labels_include_any` and `labels_exclude_any` fields to the software installer activities.
+- Updated the get host endpoint to include disk encryption stats for a linux host only if the setting is enabled
+- Added a descriptive error when a GitOps file contains script references that are missing paths
+- Fixed CVE-2024-10004 false positive on Fleet-supported platforms (vuln is iOS-only and iOS vuln checking is not supported)
+- Removed `invalid UUID` log message when validating Apple MDM UDID.
+- Fixed a bug in determining sort type of query result columns by deducing that type from the data present in those columns.
+- Display the correct percentage of hosts online, 0, when there are no hosts online.
+- Validate fleet secrets embedded into scripts and profiles on ingestion
+- Adds functionality for skipping automatic installs if the software is not scoped to the host via labels.
+
 ## Fleet 4.61.0 (Dec 17, 2024)
 
 ## Endpoint operations

charts/fleet/Chart.yaml

@@ -8,7 +8,7 @@ version: v6.3.0
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.61.0
+appVersion: v4.62.0
 dependencies:
   - name: mysql
     condition: mysql.enabled

charts/fleet/values.yaml

@@ -3,7 +3,7 @@
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
 imageRepository: fleetdm/fleet
-imageTag: v4.61.0 # Version of Fleet to deploy
+imageTag: v4.62.0 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAnnotations: {} # Additional annotations to add to the Fleet service
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account

infrastructure/dogfood/terraform/aws/variables.tf

@@ -56,7 +56,7 @@ variable "database_name" {
 
 variable "fleet_image" {
   description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.61.0"
+  default     = "fleetdm/fleet:v4.62.0"
 }
 
 variable "software_inventory" {

infrastructure/dogfood/terraform/gcp/variables.tf

@@ -68,7 +68,7 @@ variable "redis_mem" {
 }
 
 variable "image" {
-  default = "fleetdm/fleet:v4.61.0"
+  default = "fleetdm/fleet:v4.62.0"
 }
 
 variable "software_installers_bucket_name" {

infrastructure/guardduty/.terraform.lock.hcl

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.61.0"
+      version = "~> 4.62.0"
     }
   }
   backend "s3" {

infrastructure/guardduty/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.61.0"
+      version = "~> 4.62.0"
     }
   }
   backend "s3" {

infrastructure/infrastructure/cloudtrail/main.tf

@@ -20,7 +20,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.61.0"
+      version = "~> 4.62.0"
     }
   }
   backend "s3" {

infrastructure/infrastructure/elastic-agent/.terraform.lock.hcl

@@ -15,7 +15,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.61.0"
+      version = "~> 4.62.0"
     }
   }
   backend "s3" {

infrastructure/infrastructure/elastic-agent/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.61.0"
+      version = "~> 4.62.0"
     }
   }
   backend "s3" {

infrastructure/infrastructure/guardduty-alerts/.terraform.lock.hcl

@@ -9,7 +9,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.61.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.62.0 |
 
 ## Modules
 

infrastructure/infrastructure/guardduty-alerts/main.tf

@@ -24,7 +24,7 @@ variable "fleet_config" {
     vuln_processing_cpu                  = optional(number, 2048)
     vuln_data_stream_mem                 = optional(number, 1024)
     vuln_data_stream_cpu                 = optional(number, 512)
-    image                                = optional(string, "fleetdm/fleet:v4.61.0")
+    image                                = optional(string, "fleetdm/fleet:v4.62.0")
     family                               = optional(string, "fleet-vuln-processing")
     sidecars                             = optional(list(any), [])
     extra_environment_variables          = optional(map(string), {})
@@ -82,7 +82,7 @@ variable "fleet_config" {
     vuln_processing_cpu                  = 2048
     vuln_data_stream_mem                 = 1024
     vuln_data_stream_cpu                 = 512
-    image                                = "fleetdm/fleet:v4.61.0"
+    image                                = "fleetdm/fleet:v4.62.0"
     family                               = "fleet-vuln-processing"
     sidecars                             = []
     extra_environment_variables          = {}

infrastructure/infrastructure/spend_alerts/main.tf

@@ -6,7 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.61.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.62.0 |
 
 ## Modules
 

terraform/addons/ses/README.md

@@ -16,7 +16,7 @@ variable "fleet_config" {
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
     pid_mode                     = optional(string, null)
-    image                        = optional(string, "fleetdm/fleet:v4.61.0")
+    image                        = optional(string, "fleetdm/fleet:v4.62.0")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])
@@ -119,7 +119,7 @@ variable "fleet_config" {
     mem                          = 512
     cpu                          = 256
     pid_mode                     = null
-    image                        = "fleetdm/fleet:v4.61.0"
+    image                        = "fleetdm/fleet:v4.62.0"
     family                       = "fleet"
     sidecars                     = []
     depends_on                   = []

terraform/addons/vuln-processing/variables.tf

@@ -77,7 +77,7 @@ variable "fleet_config" {
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
     pid_mode                     = optional(string, null)
-    image                        = optional(string, "fleetdm/fleet:v4.61.0")
+    image                        = optional(string, "fleetdm/fleet:v4.62.0")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])
@@ -205,7 +205,7 @@ variable "fleet_config" {
     mem                          = 512
     cpu                          = 256
     pid_mode                     = null
-    image                        = "fleetdm/fleet:v4.61.0"
+    image                        = "fleetdm/fleet:v4.62.0"
     family                       = "fleet"
     sidecars                     = []
     depends_on                   = []

terraform/byo-vpc/byo-db/README.md

@@ -17,7 +17,7 @@ provider "aws" {
 }
 
 locals {
-  fleet_image = "fleetdm/fleet:v4.61.0"
+  fleet_image = "fleetdm/fleet:v4.62.0"
   domain_name = "example.com"
 }
 

terraform/byo-vpc/byo-db/byo-ecs/variables.tf

@@ -170,7 +170,7 @@ variable "fleet_config" {
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
     pid_mode                     = optional(string, null)
-    image                        = optional(string, "fleetdm/fleet:v4.61.0")
+    image                        = optional(string, "fleetdm/fleet:v4.62.0")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])
@@ -298,7 +298,7 @@ variable "fleet_config" {
     mem                          = 512
     cpu                          = 256
     pid_mode                     = null
-    image                        = "fleetdm/fleet:v4.61.0"
+    image                        = "fleetdm/fleet:v4.62.0"
     family                       = "fleet"
     sidecars                     = []
     depends_on                   = []

terraform/byo-vpc/byo-db/variables.tf

@@ -63,8 +63,8 @@ module "fleet" {
 
   fleet_config = {
     # To avoid pull-rate limiting from dockerhub, consider using our quay.io mirror
-    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.61.0"
-    image = "fleetdm/fleet:v4.61.0" # override default to deploy the image you desire
+    # for the Fleet image. e.g. "quay.io/fleetdm/fleet:v4.62.0"
+    image = "fleetdm/fleet:v4.62.0" # override default to deploy the image you desire
     # See https://fleetdm.com/docs/deploy/reference-architectures#aws for appropriate scaling
     # memory and cpu.
     autoscaling = {

terraform/byo-vpc/example/main.tf

@@ -218,7 +218,7 @@ variable "fleet_config" {
     mem                          = optional(number, 4096)
     cpu                          = optional(number, 512)
     pid_mode                     = optional(string, null)
-    image                        = optional(string, "fleetdm/fleet:v4.61.0")
+    image                        = optional(string, "fleetdm/fleet:v4.62.0")
     family                       = optional(string, "fleet")
     sidecars                     = optional(list(any), [])
     depends_on                   = optional(list(any), [])
@@ -346,7 +346,7 @@ variable "fleet_config" {
     mem                          = 512
     cpu                          = 256
     pid_mode                     = null
-    image                        = "fleetdm/fleet:v4.61.0"
+    image                        = "fleetdm/fleet:v4.62.0"
     family                       = "fleet"
     sidecars                     = []
     depends_on                   = []

terraform/byo-vpc/variables.tf

@@ -1,6 +1,6 @@
 {
   "name": "fleetctl",
-  "version": "v4.61.0",
+  "version": "v4.62.0",
   "description": "Installer for the fleetctl CLI tool",
   "bin": {
     "fleetctl": "./run.js"