...
Ticket | Description |
---|---|
TD-28930 | Delete other columns causes column lineage to be lost and reorders columns. |
TD-28573 | Photon running environment executes column splits for fixed length columns using byte length, instead of character length. In particular, this issue affects columns containing special characters. |
TD-27784 | Ubuntu 16 install for Azure: supervisord complains about "missing" Python packages. |
TD-26069 | Photon evaluates date(yr, month, 0) as first date of the previous month. It should return a null value. |
Security Fixes
The following security-related fixes were completed in this release.
...
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
See CVE-2017-5645.
...
Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation.
See CVE-2014-5044.
...
Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression. Upgrade version of less to address this security vulnerability.
See CVE-2016-2515.
...
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
See CVE-2018-1199.
...
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
See CVE-2017-5644.
...
math.js before 3.17.0 had an arbitrary code execution vulnerability in the JavaScript engine. Creating a typed function with JavaScript code in the name could result in arbitrary execution.
See CVE-2017-1001002.
...
If a user of Commons-Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data that will be passed to Email.setBounceAddress(String).
See CVE-2018-1294.
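The line-break stripping described above for older Commons-Email versions, as an added example that is not code from this release or from the Commons-Email project. The class name `BounceAddressGuard` and the sample inputs are assumptions made for illustration; the pattern goes beyond CR and LF to cover the other Unicode line terminators.

```java
import java.util.regex.Pattern;

/** Added example: pre-validation for values passed to Email.setBounceAddress(String). */
public class BounceAddressGuard {

    // CR, LF, and the other characters Unicode treats as line terminators
    // (VT, FF, NEL, LINE SEPARATOR, PARAGRAPH SEPARATOR).
    private static final Pattern LINE_BREAKS =
            Pattern.compile("[\\r\\n\\u000B\\u000C\\u0085\\u2028\\u2029]");

    /** Returns true if the value contains any line-break character. */
    public static boolean containsLineBreak(String value) {
        return value != null && LINE_BREAKS.matcher(value).find();
    }

    /** Strips line breaks, the mitigation given for versions before 1.5. */
    public static String stripLineBreaks(String value) {
        if (value == null) {
            return null;
        }
        return LINE_BREAKS.matcher(value).replaceAll("");
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second carries an embedded CRLF.
        String[] samples = {
            "bounces@example.com",
            "bounces@example.com\r\nX-Constructed-Header: value",
        };
        for (String raw : samples) {
            String clean = stripLineBreaks(raw);
            if (containsLineBreak(raw)) {
                // A line break in an address field is never legitimate, so record it.
                System.out.println("line break removed from bounce address");
            }
            // With Commons-Email on the classpath, pass only the cleaned value:
            //   email.setBounceAddress(clean);
            System.out.println(clean);
        }
    }
}
```

The stripped value can no longer start a new header line, but it may not be a well-formed address either, so callers that need a deliverable bounce address should validate the result before use.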
...
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
See CVE-2016-1000031.
New Known Issues
Ticket | Component | Description |
---|---|---|
TD-31354 | Connectivity | When creating Tableau Server connections, the Test Connection button is missing. |
TD-31305 | Workspace | Copying a flow invalidates the samples in the new copy. Copying or moving a node within a flow invalidates the node's samples. |
TD-31252 | Transformer Page - Tools | Assigning a target schema through the Column Browser does not refresh the page. |
TD-31165 | Compilation/Execution | Job results are incorrect when a sample is collected and then the last transform step is undone. |
TD-30857 | Connectivity | Matching file path patterns in a large directory can be very slow, especially if using multiple patterns in a single dataset with parameters. |
TD-30854 | Compilation/Execution | When creating a new dataset from the Export Results window from a CSV dataset with Snappy compression, the resulting dataset is empty when loaded in the Transformer page. |
TD-30820 | Compilation/Execution | Some string comparison functions process leading spaces differently when executed on the Photon or the Spark running environment. |
TD-30717 | Connectivity | No validation is performed for Redshift or SQL DW connections or permissions prior to job execution. Jobs are queued and then fail. |
TD-30361 | Compilation/Execution | Spark job run on ALDS cluster fails when Snappy compression is applied to the output. |
TD-30342 | Connectivity | No data validation is performed during publication to Redshift or SQL DW. |
TD-30139 | Connectivity | Redshift: No support via CLI or API for: |
TD-30074 | Type System | Pre-import preview of Bigint values from Hive or Redshift are incorrect. |
TD-28663 | Compilation/Execution | In reference dataset, UDF from the source dataset is not executed if new recipe contains a join or union step. |
TD-27860 | Compilation/Execution | When the platform is restarted or an HA failover state is reached, any running jobs are stuck forever In Progress. |