[bugfix] Updated how we generate hashes for the transpiled, chunked client bundles. This prevents subtle bugs where bundles could have the same hash but different contents, so that stale (browser-cached) chunks might be used in certain situations. This bug most probably arose in v2.22.0, so please update to this version if possible! See PR 1263 for more.
The address Auspice uses to fetch map tiles, including the API token, has been updated and will now only work for local installs of auspice. For help on how to specify your own address, which lets you specify custom map tile sets, see the Auspice docs. See PR 1261 for more.
The Download Data functionality has been improved to export data reflecting the currently viewed subset of data. Additionally, we export annotated Nexus trees which can be parsed by FigTree. See PR 1245 for more.
Colour scale generation has been refactored and a (rare) bug fixed where color-bys which defined a scale in the JSON could cause tips with no trait value set to have a colour rather than a shade of grey. See PR 1237.
Parse narratives client side. See PR 1193 and PR 1172. This shifts the default client behavior to request a narrative in markdown format and parse it client-side. The server still retains the ability to parse narratives server-side and return narratives in JSON format, so there are no breaking changes.
Narratives can now contain multiple datasets. See PR 1193, PR 1176 and PR 1164. Narrative slides may now define their own unique datasets, with datasets preemptively fetched and cached to improve performance. Invalid datasets will show an error notification and fall back to the dataset defined by the frontmatter of the narrative.
The tree URL query for specifying which node in the tree is zoomed has been changed to ?label=:, and the docs updated accordingly. The old syntax ?clade= will still work and automatically correct to the new syntax.
This version introduces experimental support for writing narratives where a page may define a section of markdown to be displayed in the main panel, instead of a tree or map. Documentation is forthcoming.
Allow datasets to define their own footer text via a string of markdown formatted text. Hardcoded footers are now only used on the nextstrain.org domain and will be removed as they are incorporated into their respective builds. See PR 834 and augur PR 423.
Added support in the narratives to navigate via arrow keys. In addition to improved UI, this allows decktape to convert narratives to PDFs, and a guide has been added to the auspice docs for this. See PR 824.
Since v1.22.3 changing datasets preserved the URL queries (e.g. ?l=radial). A number of bugs relating to this have been fixed, where these queries were no longer valid for the new dataset. This also fixed potential issues related to loading datasets where the URL queries were invalid. See PR 613.
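The two URL-query behaviours described in these entries, the rewrite of the legacy `?clade=` syntax to the newer `?label=` syntax and the dropping of carried-over queries that are invalid for the newly loaded dataset, as an added example. This is not Auspice's own code: the `label=clade:<name>` value syntax, the query keys `c` (colour-by) and `l` (layout), and the `datasetMeta` shape are assumptions made for this example.

```javascript
// Added example, not Auspice's own code.  It models the two behaviours described
// above: the legacy `clade=<name>` query is rewritten to the newer `label=` form,
// and queries carried over from the previous dataset are dropped when the new
// dataset cannot satisfy them.  The `label=clade:<name>` value syntax, the query
// keys `c` (colour-by) and `l` (layout), and the `datasetMeta` shape are
// assumptions made for this example.

// Constructed stand-in for what a dataset JSON advertises.
const datasetMeta = {
  colorings: new Set(["country", "region", "num_date"]),
  layouts: new Set(["rect", "radial", "unrooted", "clock"]),
  cladeLabels: new Set(["A", "B.1"]),
};

// Step 1: rewrite legacy query keys.  Returns a new URLSearchParams; the
// input is left untouched.
function migrateLegacyQueries(params) {
  const out = new URLSearchParams(params);
  if (out.has("clade") && !out.has("label")) {
    out.set("label", `clade:${out.get("clade")}`);
  }
  out.delete("clade");
  return out;
}

// Step 2: keep only the queries the new dataset can satisfy.  Keys this
// function does not know about are passed through unchanged.
function pruneInvalidQueries(params, meta) {
  const out = new URLSearchParams();
  for (const [key, value] of params) {
    let keep = true;
    if (key === "c") {
      keep = meta.colorings.has(value);
    } else if (key === "l") {
      keep = meta.layouts.has(value);
    } else if (key === "label") {
      const sep = value.indexOf(":");
      const labelKey = sep === -1 ? value : value.slice(0, sep);
      const labelValue = sep === -1 ? "" : value.slice(sep + 1);
      keep = labelKey === "clade" && meta.cladeLabels.has(labelValue);
    }
    if (keep) out.append(key, value);
  }
  return out;
}

// Whole pipeline: the query string of the old URL in, the query string to
// use for the new dataset out.
function carryOverQueries(queryString, meta) {
  const migrated = migrateLegacyQueries(new URLSearchParams(queryString));
  return pruneInvalidQueries(migrated, meta).toString();
}
```

Running `carryOverQueries("l=radial&c=country&clade=B.1", datasetMeta)` yields `l=radial&c=country&label=clade%3AB.1`, while a colour-by the new dataset lacks (`c=age`) is silently dropped rather than being left to break the view.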
Strain search (using awesomplete). This highlights the path to a single tip and increases the tip radius. Strain is stored in the URL query (s=...) and can be restored via URL. Selected strain also appears in the info panel (top of screen).
Amino acid branch labels (for every tree) as well as clade labels if specified by the clade_annotation attribute. AA labels are shown where the descendent visible tips account for more than 5% of the total visible tips (same as nextflu). Clade labels are always displayed.
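The labelling rule above, applied to a small constructed tree, as an added example rather than Auspice's own code: clade labels are drawn wherever a clade annotation exists, amino-acid labels only where the visible tips below the branch exceed 5% of all visible tips. The node fields `name`, `children`, `visible`, `aaMutations` and `cladeName` are assumptions for this example.

```javascript
// Added example, not Auspice's own code.  It applies the labelling rule above
// to a small constructed tree: clade labels are drawn wherever a clade
// annotation exists, amino-acid labels only where the visible tips below the
// branch exceed 5% of all visible tips.  The node fields `name`, `children`,
// `visible`, `aaMutations` and `cladeName` are assumptions for this example.

// Count visible tips under each node, caching the count on the node.
function countVisibleTips(node) {
  if (!node.children || node.children.length === 0) {
    node.visibleTips = node.visible ? 1 : 0;
  } else {
    node.visibleTips = node.children.reduce((acc, child) => acc + countVisibleTips(child), 0);
  }
  return node.visibleTips;
}

// Return the list of labels to draw, in pre-order.
function selectBranchLabels(root, threshold = 0.05) {
  const total = countVisibleTips(root);
  const labels = [];
  const walk = (node) => {
    if (node.cladeName) {
      labels.push({ node: node.name, kind: "clade", text: node.cladeName });
    }
    const hasAa = Array.isArray(node.aaMutations) && node.aaMutations.length > 0;
    if (hasAa && total > 0 && node.visibleTips / total > threshold) {
      labels.push({ node: node.name, kind: "aa", text: node.aaMutations.join(", ") });
    }
    (node.children || []).forEach(walk);
  };
  walk(root);
  return labels;
}

// Constructed tree: 21 visible tips in total.
function makeTips(prefix, visibleCount, hiddenCount = 0) {
  const tips = [];
  for (let i = 0; i < visibleCount; i++) tips.push({ name: `${prefix}${i}`, visible: true });
  for (let i = 0; i < hiddenCount; i++) tips.push({ name: `${prefix}h${i}`, visible: false });
  return tips;
}

const sampleTree = {
  name: "root",
  children: [
    // 2 of 21 visible tips (9.5%): AA label shown
    { name: "A", aaMutations: ["HA1:K160T"], children: makeTips("a", 2) },
    // 18 of 21 (86%): clade label and AA label shown
    { name: "B", cladeName: "B.1", aaMutations: ["HA1:N121K"], children: makeTips("b", 18) },
    // 1 of 21 (4.8%): below threshold, no AA label; the hidden tip does not count
    { name: "C", aaMutations: ["HA1:S193F"], children: makeTips("c", 1, 1) },
  ],
};
```

Because the threshold is relative to the currently visible tips, filtering the tree changes which labels appear: hiding A's tips lowers the total to 19, and C's single visible tip then crosses the 5% line.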
On March 4 (see note), Rapid7 noted that JetBrains released a fixed version of TeamCity without notifying Rapid7 that fixes had been implemented and were generally available. When Rapid7 contacted JetBrains about their uncoordinated vulnerability disclosure, JetBrains published an advisory on the vulnerabilities without responding to Rapid7 on the disclosure timeline. JetBrains later responded to indicate that CVEs had been published.
Note: The JetBrains release blog for 2023.11.4 appears to display different publication dates based on the time zone of the reader. Some readers see that it was released March 3, while others see March 4. We've modified our language above to note that Rapid7 saw the release blog on March 4, regardless of what time it was released.
Both vulnerabilities are authentication bypass vulnerabilities, the most severe of which, CVE-2024-27198, allows for a complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated RCE, as demonstrated via our exploit:
Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack.
The second vulnerability, CVE-2024-27199, allows for a limited amount of information disclosure and a limited amount of system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker's choosing.
For more details on how to upgrade, please read the JetBrains release blog. Rapid7 recommends that TeamCity customers update their servers immediately, without waiting for a regular patch cycle to occur. We have included sample indicators of compromise (IOCs) along with vulnerability details below.
TeamCity exposes a web server over HTTP port 8111 by default (and can optionally be configured to run over HTTPS). An attacker can craft a URL such that all authentication checks are avoided, allowing endpoints that are intended to be authenticated to be accessed directly by an unauthenticated attacker. A remote unauthenticated attacker can leverage this to take complete control of a vulnerable TeamCity server.
The vulnerability lies in how the jetbrains.buildServer.controllers.BaseController class handles certain requests. This class is implemented in the web-openapi.jar library. We can see below, when a request is being serviced by the handleRequestInternal method in the BaseController class, if the request is not being redirected (i.e. the handler has not issued an HTTP 302 redirect), then the updateViewIfRequestHasJspParameter method will be called.
In the updateViewIfRequestHasJspParameter method listed below, we can see the variable isControllerRequestWithViewName will be set to true if both the current modelAndView has a name, and the servlet path of the current request does not end in .jsp.
We can satisfy this by requesting a URI from the server that will generate an HTTP 404 response. Such a request will generate a servlet path of /404.html. Since this ends in .html and not .jsp, isControllerRequestWithViewName will be true.
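A small log-triage helper for the request shape described above, as an added example that is not code from Rapid7 or JetBrains. It flags requests whose path does not end in `.jsp` but which carry a `jsp` query parameter, and rates them high when no authenticated user is recorded. The parameter name `jsp` is an assumption drawn from the method name updateViewIfRequestHasJspParameter; the log line format and the lines themselves are constructed for this example and are not TeamCity's real access log.

```javascript
// Added example, not code from Rapid7 or JetBrains.  A small triage helper for
// the request shape described above: it flags requests whose path does not end
// in `.jsp` but which carry a `jsp` query parameter, and rates them high when
// no authenticated user is recorded.  The parameter name `jsp` is an assumption
// drawn from the method name updateViewIfRequestHasJspParameter; the log line
// format and the lines themselves are constructed for this example and are not
// TeamCity's real access log.

// Constructed sample lines in a combined-log-like format:
// <client ip> - <user or "-"> [<timestamp>] "<method> <target> <protocol>" <status>
const SAMPLE_LOG = [
  '10.0.0.5 - admin [04/Mar/2024:10:00:01 +0000] "GET /app/rest/server HTTP/1.1" 200',
  '10.0.0.9 - - [04/Mar/2024:10:00:02 +0000] "GET /login.html HTTP/1.1" 200',
  '203.0.113.7 - - [04/Mar/2024:10:00:03 +0000] "GET /no-such-page?jsp=/some/view HTTP/1.1" 200',
  '10.0.0.5 - admin [04/Mar/2024:10:00:04 +0000] "GET /admin/admin.jsp?jsp=x HTTP/1.1" 200',
  '10.0.0.5 - admin [04/Mar/2024:10:00:05 +0000] "GET /missing?jsp=/other/view HTTP/1.1" 200',
];

const LINE_RE = /^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})$/;

// Parse one line into fields; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, user, timestamp, method, target, status] = m;
  return { ip, user: user === "-" ? null : user, timestamp, method, target, status: Number(status) };
}

// Apply the heuristic to one parsed request.
function classifyRequest(req) {
  // The base URL only serves to parse a relative target; 8111 is TeamCity's default port.
  const url = new URL(req.target, "http://localhost:8111");
  const pathIsJsp = url.pathname.endsWith(".jsp");
  const hasJspParam = url.searchParams.has("jsp");
  if (!hasJspParam || pathIsJsp) return { suspicious: false, severity: "none", reasons: [] };
  const reasons = ["jsp parameter on a non-.jsp path"];
  if (req.user === null) reasons.push("no authenticated user");
  return { suspicious: true, severity: req.user === null ? "high" : "medium", reasons };
}

// Run over a batch of lines and return only the flagged requests.
function triageLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const verdict = classifyRequest(req);
    if (verdict.suspicious) hits.push({ ...req, ...verdict });
  }
  return hits;
}
```

Note that the response status is deliberately not part of the heuristic: a request that bypasses the authentication check is expected to succeed, so filtering on 404s would miss exactly the traffic of interest. The result is a starting point for hunting, not a signature; confirm hits against the server's own audit records before acting on them.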