Release Information

Migration Information

Reporting

Version 23.10

  • The deprecated datasource property driverLibrary has been removed. To use additional driver libraries, you must move them to the lib directory of the installation.

Version 21.4

WAR file for Oracle Weblogic

The initialization for WebSocketEndPoint to be registerable in Oracle Weblogic was changed in version 21.10. This fixed the error java.lang.IllegalStateException: Not in 'deploy' scope.

If you use a web.xml file of another WAR file, you need to add the listener **com.inet.http.ExpandableServletContextListener**.

Version 20.0

Changes in program structure

The internal structure has changed. That is why the new plugin reporting (file: plugins/reporting.zip) is now mandatory to start i-net Clear Reports. Due to this change the previous startup scripts are no longer valid and have to be changed.

In addition, the i-net Designers plugin remotedesigner.zip has been renamed to designer.zip.

If manual changes were made to the startup scripts, they have to be updated accordingly:

  • Report Server: the startup script has to be changed
    • From: ~~java -cp core/ClearReports.jar com.inet.report.ClearReportsServer~~
    • To: java -jar core/inetcore.jar
  • i-net Designer: the startup script has to be changed
    • From: ~~java -jar core/designer.jar~~
    • To: java -jar core/inetcore.jar designer
  • Command Line Parameters: the startup has to be changed
    • From: ~~java -jar core/ClearReports.jar -forceImportConfig ...~~
    • To: java -cp core/inetcore.jar com.inet.config.recovery.RecoveryConfiguration -forceImportConfig ...
  • **Servlet Users of custom *.war or *.ear**: the servlet class has to be changed
    • From: com.inet.report.ReportServlet
    • To: com.inet.http.PluginDispatcherServlet. See the reference war file for details.

Note: Developers who utilise API classes such as com.inet.report.Engine from the reporting.jar have to extract this jar file from the reporting.zip plugin now.

Behavioural changes

  • The Web API plugin has been updated with a new remote interface application which requires an additional permission. Every other previous Web API extension now requires this permission as well. Users with specific Web API permissions must be checked and reconfigured in the Users and Groups Manager.
  • com.inet.report.ReportServlet has been removed. If there were extensions from the previously deprecated API, then they have to be moved to a plugin, registering an extension now.
  • The formula functions BytesFromFile and TextFromFile now limit access to files to prevent a path traversal for normal users. The specified file must be from a valid report location, and if it is located in the file system then it must be from the same directory or subdirectory as the report itself.
  • Custom implementations of com.inet.report.PropertiesChecker cannot be added to the lib directory anymore. They have to be implemented using a plugin. See <SDK>\Documentation and Samples\Plugin - Samples\PropertiesChecker for an example plugin.
  • Custom implementations of javax.servlet.Filter cannot be added to the lib directory anymore. They have to be implemented using a plugin. See <SDK>\Documentation and Samples\Plugin - Samples\SessionDatasource for an example plugin.
  • The com.inet.report.Listener class has been removed. The web server has not been started by this class since version 15.x. The web server is started using the plugin webserver.zip.
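
The file-system part of the BytesFromFile / TextFromFile rule above (same directory or subdirectory as the report) is a path containment check on canonical paths. The following is an added illustration in shell, not i-net Clear Reports code; the function names are hypothetical and a realpath command is assumed to be available.

```sh
#!/bin/sh
# Added example (not product code): canon and file_allowed_for_report are
# hypothetical names used to illustrate the containment rule.

# Canonical absolute path: resolves symlinks and ".." components.
canon() {
    realpath -- "$1" 2>/dev/null
}

# Returns 0 if the requested file lies in the report's directory or one of
# its subdirectories, 1 if it does not, 2 if the report directory is invalid.
file_allowed_for_report() {
    fa_report=$1
    fa_requested=$2

    fa_dir=$(canon "$(dirname -- "$fa_report")") || return 2

    # A relative name is resolved against the report's own directory.
    case $fa_requested in
        /*) ;;
        *)  fa_requested=$fa_dir/$fa_requested ;;
    esac

    # Canonicalise BEFORE comparing, so "../" and symlinks cannot escape.
    fa_target=$(canon "$fa_requested") || return 1
    [ -f "$fa_target" ] || return 1

    # The trailing slash in the pattern matters: without it a sibling such
    # as "<dir>-private" would pass a plain prefix comparison.
    case $fa_target in
        "$fa_dir"/*) return 0 ;;
        *)           return 1 ;;
    esac
}
```

The check rejects three typical bypasses: a relative `../` path, a symbolic link inside the report directory that points elsewhere, and a sibling directory whose name merely starts with the report directory's name.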

Version 19.0

  • The MySQL Connector/J was updated to version 8.0.13. It is recommended for MySQL Server 5.5 or higher. For older MySQL Server versions, you can replace the MySQL Connector/J with the version from the previous i-net Clear Reports version.
  • With the Server Printers plugin enabled, users will not be able to use the server printer after upgrading to version 19. They will have to have group permissions assigned to regain access to server printers.
  • The Data Source Manager Interface has been renewed from the ground up. Existing Data Sources in the former User/System/Temp/Session - Scopes will now be read-only from the interface but can still be added and modified using the API. A new Application Scope has been added which now supports assigning user groups to restrict permissions.
  • Data Sources are now handled differently for reports.
    • Data Sources with the same name may exist with different permissions in different scopes
    • They are looked up in the following order: User Session Scope, Temporary Scope, Application Scope with permission, User Scope, System Scope
    • Application Scope with permission means that there may be more than one Data Source with the same name but with different permissions. The first that is allowed for the user's group will be used

Version 18.0

  • Data will be migrated by the setup into the new format of i-net Clear Reports version 18. Therefore we recommend backing up the program data.
  • The /remote context of the Remote GUI has been removed. Applications beneath this entry point have been moved up one level.
  • If you have a plugin which implements your own AuthenticationProvider then you must rewrite it. To support multiple login sources in parallel the API has changed. A sample of such a plugin can be found in the SDK.
  • If you use the repository plugin then security settings will be migrated. After the migration it will no longer work with older versions of i-net Clear Reports. Permission patterns are not supported anymore. The administrator needs to check whether the users have the desired and expected permissions.
  • If the remote printing plugin is enabled, it is available in the HTML viewer via a menu item.
  • There is a new default plugin that embeds the HTML Viewer into the remote application. That means that users of the HTML Viewer will see the configured logo, will be able to sign up/log in and directly access their remote applications.
  • When having permissions or userdata for old, now unused, users, such users will appear as User Accounts in the new Users And Groups Manager. Take a look there and delete obsolete users.
  • Patterns (like "", "vwl.rpt", ...) in the folder permissions of the Repository Browser are no longer supported. After migration the settings will be valid for all report files in the same folder. If other patterns than "*" (all reports) were used then it is necessary to check the folder permission settings in the Repository Browser. The permission "Server Administration" is necessary for that.
  • The C# implementation based on IKVM is deprecated. It was replaced with the ProcessBridge. You can find it in the SDK (https://download.inetsoftware.de/clear-reports-sdk-latest.zip). You find the required folder structure for Visual Studio and Powershell in the readme.html of the folder "i-net Clear Reports .NET Bridge". It is necessary to reimplement your program using i-net Clear Reports API because the API is not compatible with the implementation based on IKVM.
  • In version 18 the option "Mapping Fonts" is enabled by default. If this option is activated, all characters of a logical or not embedded font will be replaced with characters of an embedded font.

Version 17.0

Migration of Scheduler Jobs

Every Scheduler task since version 12 will be migrated to the Task Planner in the setup when updating a system that used the previous Scheduler.

Migrating tasks from the Scheduler to the Task Planner

  • Make sure that the plugin Task Planner - Render Reports is activated
  • Make sure all tasks of all users are deleted from the Task Planner. Migration only occurs if the Task Planner is empty.
  • Restart your server. In the initialization phase it will now migrate the tasks silently.
  • If it does not migrate the Scheduler tasks to the Task Planner, please check the log files and send them to our support.

Migration issues

When tasks are migrated from Scheduler to Task Planner, some minor issues may arise, since many things have been streamlined and simplified. See the following hints.

Reports

  • The setting as file:, which gave each generated report a different name, was removed. Now the name of the generated file(s) comes from the title configured in the report template (.rpt). However, the File System Action has an option File Name Format which allows you to construct a unique name.

Action settings

  • For Save (on servers file system) the settings Attach date and Attach time were combined into the option File Name Format.
  • For Send via Email, the CC and BCC options were removed, and values from CC are added as normal receivers. The options Put reports in a zip file, Attach date and Attach time were removed.
  • For Print (at server-known printer) the option Count of Copies was removed; it always prints once. Other even older options like orientation and quality which were only available via Java API were also removed.

Time settings

There are some rare combinations of settings which were possible with the old Scheduler but are no longer possible with the Task Planner. It is possible some of the more exotic settings will get a slightly different behavior in the Task Planner.

  • Daily execution with a DayStepSize greater than 1, which means execute every N days. In the scheduler this adds N days from the start date for each next execution. After conversion to Task Planner this always starts at the 1st of month and then adds N days for each next execution. If the DayStepSize is 7 then it will convert to a weekly interval.
  • Weekly execution with a WeekStepSize greater than 1, which means every N weeks. If it is 2 then a Two Weeks interval will be used. Other values are not supported in the Task Planner and when converting this it will set the WeekStepSize to 1.
  • Monthly execution with a MonthStepSize greater than 1, which means every N months. In the scheduler this adds N months to the start date for each next execution. This can only be represented with a Cron Trigger. The Cron starts at a given month and then adds N months for the next execution. When converting such tasks it will determine the start-month automatically in order to match the correct interval. This only works if the MonthStepSize is 2, 3, 4, 6 or 12. For other values it will be every N months, but the execution month will likely be wrong.
  • Yearly execution with a YearStepSize greater than 1, which means every N years. This is not supported in the Task Planner and when converting this it will set the YearStepSize to 1.
  • Delete this task after Execution: This feature is not available in the Task Planner.
  • Multiple executions on same day: one Time or Cron-Trigger does not support this, but you can add multiple triggers to the same task. When those tasks are migrated it will create many triggers automatically.
  • End execution after N executions or after a given Date: this feature is not available in the Task Planner. When converting expired tasks they will be deactivated.

Custom Actions

Old custom actions will not work after migrating to the Task Planner. Those actions must be replaced with custom Jobs and/or Actions. See the programming samples for how to implement your own Job or Action.

Dynamic Properties

Old dynamic properties classes will not work after migration to Task Planner. If you loaded your dynamic values from a Database then you can probably replace your custom dynamic properties with a Database Series. For other cases it should be replaced with a custom Series implementation. See the programming samples for how to implement your own Series type.

Task owner

In Task Planner, each task always must have an owner, so a task belongs to a user. Migrated tasks will have Scheduler as owner. Because certain triggers, jobs and result handlers require certain permissions the artificial user Scheduler gets some permissions automatically if you have System Permissions enabled. If you remove the permissions it can happen that tasks can no longer be executed.

If you want to move the tasks to another user then you must duplicate a task and then delete the old one. The new task will belong to the currently logged in user.

The Repository: permissions and ownership

Due to the new user the reporting server is running with, there may be permission problems when accessing the Repository browser. You should look up the path of your repository in the Configuration Manager and check the permissions of this path in a console program on the server.

It is important for the reporting server that its user has read+write permissions to every file and additional execute permissions for directories. The owner of each file and directory should be the user the reporting server is executed with.

You can find out the respective user using ps aux | grep java.

A server restart is required after these changes were made.
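
The ownership and permission rules above can be checked in one pass over the repository path. The following is an added example, not part of the original documentation; the function name audit_repository and the finding labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit_repository and its finding labels are illustrative names.
# Usage: audit_repository <repository path> <server user name or numeric uid>
#   <repository path> is the path shown in the Configuration Manager,
#   <server user> is the user found with `ps aux | grep java`.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad input.
audit_repository() {
    ar_repo=$1
    ar_user=$2

    [ -d "$ar_repo" ] || { echo "not-a-directory $ar_repo" >&2; return 2; }

    # find exits non-zero for an unknown user name; stop here instead of
    # silently skipping the owner check below.
    find "$ar_repo" -prune -user "$ar_user" >/dev/null 2>&1 ||
        { echo "unknown-user $ar_user" >&2; return 2; }

    ar_findings=$(
        # Every file and directory should be owned by the server user.
        find "$ar_repo" ! -user "$ar_user" -exec printf 'wrong-owner %s\n' {} \;
        # The owner needs read+write on every file (owner bits 6xx).
        find "$ar_repo" -type f ! -perm -600 -exec printf 'file-not-rw %s\n' {} \;
        # Directories additionally need execute (owner bits 7xx).
        find "$ar_repo" -type d ! -perm -700 -exec printf 'dir-not-rwx %s\n' {} \;
    )

    [ -n "$ar_findings" ] || return 0
    printf '%s\n' "$ar_findings"
    return 1
}
```

Run it before the server restart; an empty result with return code 0 means every entry is owned by the given user and carries the owner permissions described above.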

Report Renderer Job

Version 23.4

  • Scheduler migration from version 16 and earlier: The automatic migration of Scheduler tasks from versions 16 and earlier is no longer supported. In order to keep all of your configured Scheduler tasks please install an intermediate version, such as v22.10, before updating to the desired version 23 or later.

Sample Reports Repository

Version 23.10

  • The Sample Reports Repository plugin replaces the sample reports, originally delivered with the installer.

Discord

Version 21.10

  • Any webhooks found in existing Task Planner Discord actions will be added to the central Discord Incoming Webhooks list in the configuration.

i-net CoWork

Version 22.4

Backups

Backups for MeetUp that were previously configured and used in maintenance are no longer compatible. CoWork must be activated again in the configured backup.

It is recommended to create fresh backups before and after each update.

System Core

Version 23.10

  • The version 23.10 is the last version that supports:
    • Java 11
    • Jakarta EE 8 application server
    • Servlet Specification 3.1
    • WebSocket 1.1

Version 23.4

  • The Docker Containers have been updated to run with a restricted user instead of the root user.
    • The new restricted user's ID and group ID are 1000.
    • Host mounted volumes have to be updated to reflect the new user and group ID manually.
    • Mount points of host mounted volumes for the user's home directory have to be updated from /root to /home/<username>. The <username> is determined using the whois command in the container.
    • Additional information is available from our FAQ: https://faq.inetsoftware.de/t/upgrading-to-user-restricted-docker-container/277

Web Server

Version 22.10

  • The Allowed Cross Origins option is renamed to Allowed Origins and performs additional checks on the server side when configured.
    • The external visible URL is also sent as allowed origin using the CORS header
    • Connections to the server (either HTTPs or WSs) are also checked against the list of allowed origins and the external visible URL

Plugins

Reporting

Version 23.10

General

There is additional security hardening implemented in this version, e.g. by removing the obsolete driverLibrary property from data sources, as well as disallowing unknown data sources by default.

  • Internet Explorer and the "old" Edge browser (not Chromium) are no longer supported
  • AdoptOpenJDK 11 bundled with installed i-net Designer and Report Server was updated to version 11.0.10
  • Support for Internet Explorer will be discontinued in the next version 21.4
  • Support for Java 8 will be discontinued in the next version 21.4. At least Java 11 will be required
  • Factur-X / ZUGFeRD plugin added
  • JDK 15 now supported
  • Tiff images supported

Changes

  • Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
  • Merging parameters of stored procedures with the same name in different catalog/schema is prevented.
  • The obsolete Datasource Property driverLibrary was removed.
  • In the HTML Viewer, the search can now find more than 50 entries. Once the user has gone through all 50 entries, another set of 50 entries will be searched in the report.
  • PDF export: The rendering time is used as creation time of the PDF file. In earlier versions it was the creation time of the rpt template
  • The XLSX / ODS export creates fewer very small columns. This can cause problems if the report elements are not very well aligned and also very tightly designed
  • Embedded fonts now preserve the original font family name. This can result in a different printing output (print job size) via Java report viewer client if the same font is installed on the client system
  • Jpeg2000 encoded images supported
  • Font replacement improved for PDF reports if enabled
  • Performance of DatabaseMetaData.getTables() improved
  • HTML export:
    • New implementation of HTML-Advanced in HTML-Export added. The result will now be fixed by i-net Clear Reports, leaving less room for render differences in the client browser
  • XLSX / ODS export:
    • Cell-Distribution of output formats XLSX and ODS completely rewritten
    • For compounds reports with URL parameter "reports" the table sheets in ODS/XLSX use the title of the underlying rpt file. In older versions the title of the first rpt file was used
  • Web API: Upload and verification of a single or multiple file resources into the repository enabled
  • Apache Cassandra database supported as datasource. The CQL (Cassandra Query Language) can be used to fetch data
  • MongoDB database supported as datasource
  • Weblog datasource added
  • It is possible to upload and verify a single or multiple file resources into the repository using Web API
  • A report (engine) can be printed to a local printer using .NET API
  • Private key authentication to Task Planner FTP tasks added
  • Performance improved when embedding large font files
  • Date formats with regional settings (e.g. en-UK) supported in prompt dialog
  • Improved compatibility for old save states with dataviews
  • New notifications are now directly shown in the web client when the OS notifications are disabled or not possible
  • SameSite=Lax Attribute set for login cookies
  • Changes of heap memory, language, country and VM arguments will work with a server restart from the web interface. Before a service restart was required
  • Web applications can now be installed as Progressive Web App (PWA)
  • Note added to configuration property "Restrict Permissions" in dialog "User & Groups" because when global permissions are not restricted then all users have administrative access!
  • Diagnostics now show cache memory usage
  • Maintenance: It is now possible to restore backups that were not made with the current version. The backup is checked for whether it is compatible with the current version, and if so, it is able to be restored
  • Changed AdHoc default render format in the WebGUI to PNG for a lossless result
  • Use the correct database row for inlined fields in crosstab labels such as the total labels
  • ToWords formula function for Hungarian language adds a space as thousands separator
  • Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines
  • Use getColumnLabel() instead of getColumnName() for DB2 driver version 4 and later. This has an effect for a SQL command with "AS" keywords on columns

Fixed Bugs

  • Several configuration settings for the XLS output format were used only after a server restart.
  • Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors, which led to incorrect colors in the report.
  • The HTML Viewer modified the line spacing incorrectly to calculate font auto scaling options.
  • The date and time data type detector accepts only years in the range 0 to 9999 as valid dates for JSON and XML data sources.
  • Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.
  • Wrong value for tag ConformanceLevel error occurred when the FacturX profile BASIC WL or EN 16931 was used.
  • XML data sources duplicated content if the XML file contained a & encoded as &amp;.
  • Regression: It was not possible to open a report using file: key URL parameter, e.g. https://servername:port/file:/<path>/<reportfile>.rpt.
  • NULL values of the Show Value formula will be ignored now and not be rendered as 'NULL' string.
  • Fixed various issues related to standard and custom number formatting in export format XLSX.
  • Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
  • A stack overflow error was produced in the HTML Viewer when setting an incompatible default zoom and opening a subreport.

Version 22.10

  • The rendering output format Microsoft Word (*.docx) is now supported
  • Improved image quality in PDF output format if it is not saved in JPEG or PNG format in the report template.
  • The rendering output format JSON is now supported
  • Rendering text as HTML-Advanced output does not embed images anymore, but downloads and references them. The HTML-Viewer supports these images even for URLs referenced in the inlined css, e.g. for background images.
  • Comments on MySQL table columns are no longer used as column alias.
  • Improved performance of date/time parsing functions date/time and datetime in formula
  • Continuous Stacked Bar Chart is now supported
  • ShowValue can now display a value from a formula on simple chart types.
  • Images in HTML-advanced fields are stored as separate files instead of inlined data when exporting to HTML
  • Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
  • Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.
  • MariaDB has been added to the supported data sources. It is necessary to add the driver MariaDB Connector/J.
  • Section with enabled "Print at Bottom of Page" was not printed at the end of the page if HTML output format was used and the page before this section was empty.
  • Sorting of fields did not work in HTML viewer
  • Under certain circumstances, narrow blank table rows occurred in XLSX and ODS export when the report contained horizontal lines near other fields and they were not correctly rasterized.
  • Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
  • A stack overflow error was produced in the HTML Viewer when setting an incompatible default zoom and opening a subreport.
  • Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors, which led to incorrect colors in the report.
  • Wrong value for tag ConformanceLevel error occurred when the FacturX profile BASIC WL or EN 16931 was used.

Version 22.4

  • Font replacement improved for 'HTML advanced' formatted text. The replacement works on character-level now, just like in other text types
  • TotalPageCount is evaluatable in a trigger function
  • Improvement of continuous charts:
    • added support for markers
    • consider line style "None" to only show markers
    • added support for combining of continuous charts with XY charts
  • Fixed a NullPointerException printed to the console when logging is disabled

Version 21.10

  • Word break was improved for a more natural text flow
  • The alignment value of a field will now be applied in case of text interpretation 'HTML-advanced' as well
  • New output format added: Email. It is a simple HTML format. A single file format that can be used as email body. It can be triggered with the URL parameter: init=email
  • Formula function AddAttachment(String,Binary) added. It can be used to add embedded files to PDF output format
  • Support for WebP images and other image formats added. The plugin "ImageIO Extension" is required. It can be installed using the plugin store
  • PDF export: Character replacement for embedded fonts containing characters that are in code blocks which are not in the code block list of the font
  • Reuse of images when exporting an embedded PDF to PDF, reduces the overall file size
  • Images in HTML content will no longer be down scaled for printing. This will result in a better resolution for images in exports (e.g. PDF) but may cause a larger file size
  • Formula expression result added as placeholder in result actions. It can be used to return a single value from the report to the task planner which can then be used using the [report.formula] placeholder
  • NoClassDefFoundError: Could not initialize class com.inet.cache.internal.MemoryObserver - occurred with OpenWebStart
  • Set a custom product title for external representation
  • Add WebAPI /api/reporting/report/render endpoint to render reports using Token Authentication
  • Continuous Numeric Category Axis can now also be set to logarithmic
  • Use the correct database row for inlined fields in crosstab labels such as the total labels
  • Support for exporting CSV files larger than 2 GB added (format csv and data)
  • Add support for stored procedures for PostgreSQL
  • Comments on MySQL table columns are no longer used as column alias.
  • Support for the decimal separator of a user-defined number format in XLSX format
  • Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.
  • Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.
  • Fixed the loss of datasources after a BackingStoreException in Preferences.sync()
  • Fixed the gray background that occurred when printing from HTML viewer
  • Fixed a NullPointerException printed to the console when logging is disabled
  • Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer
  • Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors, which led to incorrect colors in the report.

Version 21.4

  • Some PDF files embedded in the report are incorrectly displayed in the PDF export. Depending on the structure of the embedded PDF file, some images can be replaced with other images of the same PDF document
  • ClassCastException in Maintenance with MongoDB persistence occurred
  • Rendering issues occurred in the "Options | i-net Clear Reports". The "i-net Clear Reports" icon was missing and the dialog "Manage configurations" was not displayed correctly
  • Prompt request dialog did not work in the report repository when using a guest account

Security Fixes

  • The default value of the "Allow unknown Data Sources" setting (key permission.allowunknowndatasource) has been changed from "true" to "false".

Version 23.4

  • Added Markdown text interpretation in the CommonMark and i-net CoWork flavors.
  • PostgreSQL version updated because of CVE-2020-13692

Version 20.10

HTML Report Viewer

  • Prompt dialog is pre-filled with first default prompt values
  • Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines
  • Print preview was empty if the "HTML Viewer Module Toolbar" plugin was enabled
  • Values of defaultzoom parameter changed to PAGE_FIT, PAGE_WIDTH and PAGE_HEIGHT
  • The HTML report viewer group tree supports several new actions: the tree can be closed using a toggle button, it can be resized by dragging the divider. Entries in the group tree can be expanded and collapsed (default) using a triangle button in front of every entry. The width and visibility of the group tree is being saved in the browser for later sessions
  • Remote Printing plugin added as a print option to print the current report on the server
  • Reports that required a prompt did not open properly in Internet Explorer 11 after the prompt request dialog was closed
  • The HTML Report Viewer will now export reports with more than 100 pages to PDF instead of printing them using the browser function
  • If a report page can not be found in the HTML Viewer after refreshing the report (out of range error), the last page of the report will be opened. The viewer will be blocked until the report finishes rendering
  • CSV export from the HTML Viewer with custom delimiters set to 'Other' or 'Fixed column width' did not work
  • Prompt parameter value was decoded. This was problematic for PropertyChecker implementations
  • "Uncaught URIError: URI malformed" or "URIError: malformed URI sequence" occurred if group tree node contains special character like '%' and drill down was used on this node
  • Image size increases because original image data was not used
  • Export format "HTML.ZIP" was not available if not all export formats were allowed for this report
  • In addition to the percent value, the following values are now possible: "Fit Screen", "Page Height" or "Page Width"
  • Prompt parameters were double-encoded.
  • HTML report viewer does not use embedded fonts to get font metrics
  • Fix for Microsoft IE/Edge browser: Disable endless mode while rendering the report; Show Mouse-Not-Allowed for disabled menu entries.
  • The jump position for search results and the group tree has been calculated wrongly when the report viewer page was scaled/zoomed in.

Fixed Bugs

  • Exception "java.lang.IllegalStateException" with message "Not valid for write: id=..." occurred
  • Error occurred with expired session: IllegalStateException: Invalid for read: id=xxx created=xxx accessed=xxx lastaccessed=xxx maxInactiveMs=xxx expiry=xxx
  • PDF export: Character replacement improved for embedded fonts containing characters that are in code blocks which are not in the code block list of the font
  • Regression in Diagnostics: only the first 8 entries in the list were shown because the pagination was broken
  • ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used
  • OutOfMemory or ReportCache errors occurred because of problems with false positive low memory detection. The log output contains the warning: "There was a low memory situation and possibly some jobs were canceled." and maybe other subsequent errors
  • It was not possible to login if a localhost URL was used in Chrome browser to open the web interface
  • Access to the repository with Login using WebDav has not worked on Windows
  • Wrong PDF signature configuration leads to a failed designer start
  • WebDav access to the report repository has not worked on Windows. No login was requested
  • Temporary errors (Extenal visible URL '...' was not validated) occurred during validation of Private Cloud License
  • PDF export: IndexOutOfBoundsException and NullPointerException occurred with embedded OpenType font
  • Chinese content was not aligned well on right side if Justified was used
  • PDF export:
    • Chinese characters were missing because of a bug with word wrapping that was wider than the field, surrogate characters and font replacement.
  • IllegalStateException occurred with message Unknown operation: com.inet.report.renderer.doc.controller.bk@0 if:
    • subreport contains TotalPageCount and the last instance of the subreport has no rows
    • harddisk cache was used
  • XLSX / ODS export: Exception "java.lang.IllegalArgumentException with message x2 must not less than x1" occurred if the report contains a crosstab
  • XLSX / ODS export: Percentage number was incorrectly displayed (multiplied by 100)
  • Rare rounding error occurred when reducing the scale of a number by more than 9 digits in a formula function
  • Patching the SQL command to query the metadata (column names) was wrong if the SQL statement contains strings which contain brackets, e.g. REPLACE(A.FIELD,';)',')'). In this case WHERE 1=0 was added after the ORDER BY clause
  • Oracle table source identifier with a package name will be always used as name of a stored procedure and never as name of a table. This makes it possible to use the same name for a package stored procedure and a table
  • Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors, which led to incorrect colors in the report.

i-net Designer

  • The following errors occurred sometimes in Remote Designer when opening a report from the repository: "No repository configuration found for file: "...rpt"" and "Not authorized. Please check your permissions and restart the Designer if applicable.".
  • It was not possible to edit a 3D Chart because the properties dialog did not open
  • Wrong PDF signature configuration leads to a failed designer start
  • The error "HTTP ERROR 400 Duplicate valid session cookies" occurred with remote designer
  • Error "cannot access class sun.print.SunAlternateMedia" occurred in the Remote Designer used with Java 9
  • Support for the Windows setting "Large Fonts" in the i-net Designer added if it is used with Java 9
  • Now the user formula can be named the same as Property Formulas
  • Remote i-net Designer requires the adhoc plugin
  • The Remote Designer now supports the JNLP protocol for a direct start of the JNLP file. The HTTP URL stays available as fallback link
  • Exception com.inet.cache.internal.CacheLoadException occurred on Unix if there are 2 instances running
  • Incorrect error markers occurred in problem finder. This error only occurred for formulas that were using a 'user defined function' when loading a report from the repository
  • Fixed the error "cannot access class sun.print.SunAlternateMedia" in the Remote Designer with Java 9
  • NullPointerException occurred if a condition in if then operator was not true
  • In case of a long list of system fonts the i-net Designer needed a long time to start
  • NullPointerException with custom Look & Feel occurred
  • Hairline box without background was not printed in the Java output (report preview)
  • Problem Finder does not warn if all Page Header sections together are longer than a page but "Underlay Following Section" is activated for one of the Page Header sections
  • NoSuchMethodError: com.inet.viewer.ViewerUtils.c() occurred if the remote Designer was started from i-net Clear Reports running in a servlet engine like Tomcat. In this case it was not possible to open a report or to create a new report

Version 16.4

  • Formula Editor: NullPointerException occurred if no values were set for parameter fields used in the formula
  • NoSuchMethodError: com.inet.viewer.ViewerUtils.c() occurred if the remote Designer was started from i-net Clear Reports running in a servlet engine like Tomcat. In this case it was not possible to open a report or to create a new report
  • Report Error [217] Unknown image format occurred while adding encoded HTML document.
  • It was not possible to add a MySQL stored procedure to the report in the i-net Designer.

Fixed Bugs

  • NullPointerException occurred in case of nested user function calls in formulas
  • XLS export: "Suppress if Duplicated" does not suppress duplicate fields in some cases
  • Unhandled Exception "java.lang.InternalError" with message "couldn't create component peer" occurred with Java 8u152
  • Fix the error "Report Error [1401] Illegal argument for DATE sproc ..." with SP parameter of type DATE
  • RTF export:
    • Font names in font table should be written using an East-Asian character set encoding instead of unicode
    • Content on some text boxes not displayed completely if the text box contains a lot of text
  • Crosstab property "Suppress Row Labels" in "Group Options" did not work if it was enabled for more than one field in crosstab rows
  • Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM
  • Only the end of a "Can Grow" field was displayed at the 2nd appearance of the field if the field has been continued on a second page
  • Patching the SQL command to query the metadata (column names) was wrong if the command contains function "listagg(...) within group ...". In this case "WHERE 1=0" was added to the listagg function
  • Italic text with right-aligned or justified was truncated on the right border of a text element.
  • XLSX export: If the property "New sheet per top-level group" was enabled then it could occur that an image was not displayed on a new sheet if it was not already displayed on the first sheet.
  • CSV and DATA export: UTF-8 BOM added.
  • Unknown operation error occurred if the report contains "Page N of M" or TotalPageCount not on the first page but on other pages and hard disk cache is used.
  • JavaScript injection was possible in the error handler.
  • "IllegalArgumentException: Invalid character found in the request target." occurred. To solve it, the username for StyleSheet URLs is now normalized.
  • PDF export: NullPointerException occurred during export in PDF/A format.
  • ORA-28040: No matching authentication protocol - occurred with Oracle 12c
  • It was not possible to open an .rpt file with a double click in the i-net Designer. The i-net Designer installer now registers the .rpt extension correctly.
  • It was not possible to add ZxingBarCode JavaBean to a report because of missing files in "lib/beans" directory of i-net Designer installation.
  • Formula Editor: NullPointerException occurred if no values were set for parameter fields used in the formula.
  • It was not allowed to resize the render window in repository browser if Internet Explorer was used.

Version 16.2

  • Add class DocumentOutputStream to create rendered documents with less memory usage or to write asynchronously.
  • A stored procedure is not executed before the parameter request dialog appears. This improves the performance of adding large stored procedures to the report.
  • Add also pieces of WHERE from the Record Selection Formula if in addition to the joined tables there is an SQL Command.
  • NegativeArraySizeException occurred while parsing a BMP image. BMP images with top down line order are now supported.
  • PDF export:
    • The chosen embedded font for supplementary code points was incorrect. Symbolic fonts like SansSerif were not replaced correctly.
    • Replacement of logical fonts did not work correctly if PDF/A export was used.
    • Texts with supplementary characters can now be exported in PDF format.
  • The following exception occurred if a certificate with IBM JavaVM was used: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available.
  • XLSX export:
    • Skip zero characters in XLSX output because they produce corrupt XLSX files.
    • The border of text elements was drawn with double line thickness.
  • The error "Data not found : page=1.html" has occurred sometimes.
  • A non-blank section could be detected as a blank section if:
    1. the section properties "Suppress Blank Section" and "Keep Together" are enabled
    2. the section contains only a subreport whose Top position is not at the top of the section
    3. the free space of the section above the subreport does not fit on the previous page

Security Fixes

  • Critical Security Update for Help Plugin (CVE-2020-11431)
  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 16.3

  • Certificate from Let’s Encrypt certificate authority can be requested in the "Web Server" dialog.

SDK

  • HTML Viewer Print via PDF Plugin: Error occurred: Class Not Found: com.inet.htmlviewer.printpdf.HTMLViewerPrintViaPDFPlugin
  • Samples for PropertiesChecker and EngineFactory plugins added
  • API method CertificateInfo.getInstance, parameter keyStorePathOrUrl supports path or URL. Keystore file for signing PDF files can be set as URL
  • The C# implementation based on IKVM is deprecated. It was replaced with the ProcessBridge

Security Fixes

  • Security Fix: Open Redirect Vulnerability occurred (CVE-2020-28150)
  • Security Fix: Jetty CVE-2020-27216
    • In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability
  • Possible JavaScript injections prevented
  • Security Fix for CVE-2020-13692
    • PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE

Version 20.4

General

  • Java version 14 supported
  • Web API added for Datasource, Backup/Restore in maintenance
  • Web API core plugin added. It provides a GUI for which a permission is necessary
  • Translations plugin added. With this plugin it is possible to translate labels and messages of the GUI in an additional language
  • The minimum supported Windows version is Windows 8 or Windows Server 2012
  • The plugin reporting (file reporting.zip) added. It is required because it contains the base product
  • The XMLRPC plugin has been deprecated in favour of the new WebAPI plugin using a RESTful JSON interface
  • macOS: Recovery Manager started with an error "Protocol family unavailable"
  • Private Cloud License added

Changes

  • User defined functions can now be used in the record selection to be executed on the database. This requires all parameters of the function call to be constants or prompt fields
  • Improved cell distribution for crosstabs in ODS and XLSX format
  • Login of Members of Windows group Guest is possible

Fixed Bugs

  • Zero value displayed with sign (-0) if the result was from a negation in a formula
  • Error "Report Error [1401] Illegal argument for DATE sproc ..." occurred with SP parameter of type DATE
  • Arabic text in text export truncated
  • Security Bug: Improved security to prevent 'efail' attacks. Image URLs need to be valid in text interpretation "Advanced HTML"
  • Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM
  • Overlapping fields in Ad-Hoc reports with sums in group footers occurred
  • Truncated Arabic text occurred in text export
  • Original SQLException was hidden by TransferException

Task Planner

  • Use the client time zone (if available) to display the next execution times
  • Placeholder from some triggers was added
  • A task can now be executed multiple times in parallel
  • XML export added to the task planner
  • Prompt values added as placeholder that can be used for example for report name or in email action.
  • It is now supported to set "Delete previous results after X days" for a file action. With this property it is possible for example to delete old backups
  • Error message improved if the Engine Cache Timeout occurs. In earlier versions an ArrayIndexOutOfBoundsException occurred
  • Permissions for the task planner can be set via groups now. The task owner must login once after the update to activate this
  • All default values of a prompt parameter will be set if the prompt field supports multiple values on new report jobs
  • Task Planner rights can be set via group rights in "Users and Groups" app
  • It is possible to export/import a task using Web API
  • Sorting and grouping of tasks by owner was wrong
  • If a prompt field of a report supports "Multiple Values" then all default values of the prompt will be added to the array of values
  • Export Properties was missing in "Jobs" dialog "Report" for Excel and Open Document Spreadsheet
  • CSV export was missing
  • Problems in the task planner with the reporting cache occurred if a previous task execution has produced an error
  • It could occur that the TaskPlanner cleaned up the 'normal' user comparisons
  • Default values of Prompt fields were not read from the rpt file
  • NumberFormatException: For input string: "<long number>" occurred
  • Filename of CSV export with enabled "Data only" property and postscript export was wrong.

Fixed Bugs

  • Formatting was broken if alpha numeric sorting was used for a group
  • Use getColumnLabel() instead of getColumnName() for DB2 JDBC driver version 4 and later. This affects SQL commands which use column aliases ("AS" keywords on columns)
  • Hairline box without background was not printed in the Java output (report preview)
  • "Check Connection" in datasource properties was very slow with Oracle database version 12c release 2

Security Fixes

  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders
  • The formula functions BytesFromFile and TextFromFile now limit access to files to prevent a path traversal for normal users. The file must be from a valid report location, and if it comes from the file system then it must be from the same directory or subdirectory as the report itself

Version 19.2

General

  • New reports no longer store the report data source in the report template by default. You can change this option in the report's Document Properties; however, be aware that this gives anyone with the report template full access to your data source
  • New implementation of the Datasource Manager
  • Redis support as cloud persistence backend was removed. If you use it then migrate to MongoDB before you update
  • Cloud synchronization and events to run i-net Clear Reports shared across several cloud nodes added
  • Let's Encrypt protocol version ACMEv2 supported. The Let's Encrypt protocol version ACMEv1 will reach end of support on November 1st, 2020. If you use Let's Encrypt certificates for HTTPS then you need this update

Changes

  • The "External visible URL" is used for the EHLO command when connecting to an SMTP server
  • Any subdomain (like *.example.com) on "Allowed Cross Origins" supported
  • PDF export: DejaVu-Sans is used as default font for font embedding if no other font is available in the font path
  • Fix the recognition of value data types for JSON data sources if the source files contain white spaces
  • Null values in JSON data source supported
  • New data Sources will be saved in the new application scope now
  • The property "driverLibrary" has been removed from the list of properties for Data Sources. Additional drivers for databases have to be provided using the "lib" directory of the installation
  • Thai support for the formula function ToWords
  • Add Engine.SetData to the .NET process bridge
  • Persistence Repository implementation added
  • Benchmark for CPU and IO rating added in Maintenance application
  • Engine.SetData added to the .NET process bridge

Data Source Manager

The Data Source Manager has been reworked from the ground up and comes with an all-new Remote GUI interface. It now supports assigning datasource permissions to specific user groups

  • Completely new Data Source Manager Interface
  • New Data Sources will always be created in the Application Scope
  • Existing Data Sources in the former User/System/Temp/Session - Scopes will be readonly in the Remote GUI
  • Assigning user group permissions to datasources can be performed by users with the User Manager permission.
  • Data Sources can be exported individually using the cards menu and multiple Data Sources can be exported using Click and CTRL+Click / CMD+Click to select and then using the top menu "Export" Button
  • The Import (top menu → Add → Import) of Data Sources will always create the new Data Sources in the editable Application Scope
  • The former Scopes are available via API only. The Remote Interface only displays them indirectly using the "visibility" entry in the Data Source card
  • Default value of the property "Supports SQL92" in a new Oracle datasource is true now
  • For a new Oracle datasource the default value of the property "Supports SQL92" was false. Since Oracle version 9 it supports the SQL ANSI 92 syntax. Therefore the default value is true now
  • The datasource manager allows entering a custom database/catalog name while still suggesting existing names
  • "Cannot read property 'driver.group.basic' of undefined" occurred if a datasource was saved without modifications

Fixed Bugs

  • Possible deadlock on startup occurred if a custom configuration was set via "clearreports.config" or "clearreports.configfile"
  • Permission check with Authentication Groups for logged in users was wrong
  • Multiple values in the property "Other VM Arguments" in configuration dialog "Web Server" were not supported
  • Rare rounding error occurred when the scale of a number was reduced by more than 9 digits in a formula function
  • Access to the repository with Login using WebDav has not worked on Windows
  • OutOfMemory or ReportCache errors occurred because of problems with false positive low memory detection. The log output contains the warning: "There was a low memory situation and possibly some jobs were canceled." and maybe other subsequent errors
  • Security issue "Cross-Site Scripting" occurred
  • Unknown operation: com.inet.report.renderer.doc.controller.bk@0 occurred with TotalPageCount (NofM) in subreports
  • Property RELOAD_ON_NEW_REQUEST does not work if there was no output format specified in the report URL
  • "java.io.NotSerializableException: com.inet.font.truetype.i" occurred if a font path was set and "Page NofM" or PageCount was used in very large reports. Because of that the server could hang
  • Regression occurred: Special field "current user" and the formula WebUserName returns the display name. Now it returns again the id of the user and not the display name
  • Embedded fonts used in PDF documents embedded in a sub report were missing in the created report
  • Layout of text in right to left fonts (Arabic, Hebrew) was wrong, if the text parts have different styles (bold, italic, etc.). It occurs in the output formats: PDF, PostScript, image and Java report viewer
  • Sorting in charts with 2 groups was incorrect if the first category value does not contain all series values of the chart. In this case the sorting of the series was incorrect
  • PDF export: Embedded fonts with glyphs in the range of 0xF000-0xF0FF were not displayed in the PDF file
  • CSV export: Empty CSV export with encoding UTF8 opened with MS Excel. MS Excel shows the content "" in the first cell instead of a complete empty table
  • ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used
  • NullPointerException in debug mode if a plugin has no version information
  • Patching the SQL command to query the metadata (column names) was wrong if the command contains function listagg(...) within group .... In this case WHERE 1=0 was added to the listagg function
  • XLSX / ODS export: Percentage number was incorrectly displayed (multiplied by 100)
  • Patching the SQL command to query the metadata (column names) was wrong if the SQL statement contains strings which contain brackets, e.g. REPLACE(A.FIELD,';)',')'). In this case WHERE 1=0 was added after the ORDER BY clause
  • Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines
  • Oracle table source identifier with a package name will be always used as name of a stored procedure and never as name of a table. This makes it possible to use the same name for a package stored procedure and a table
  • IllegalStateException: REGISTER error occurred because a classloader loop occurred if the i-net Clear Reports libraries had been added to the /lib directory
  • Layout of text in right to left fonts (Arabic, Hebrew) was wrong in the design view, if the text parts have different styles (bold, italic, etc.)
  • NullPointerException occurred when opening an rpt file with corrupt subreport, created by an older i-net Designer version
  • XLSX export: Line offset was wrong on third sheet if "New sheet per top level" was enabled
  • The automatic font scaling did not work as expected in Internet Explorer
  • Buttons to sort and filter task list not displayed if Task Planner list is very long
  • Report server was started with command line parameter "-importdatasource" or "-forceimportdatasource"
  • Configuration data lost if MongoDB was used for persistence with multiple report server instances
  • Synchronization of cached user data, groups, task planner, maintenance data between multiple nodes was incorrect if using database persistence (MongoDb, Redis)
  • Fix the recognition of value data types for JSON data sources if the source files contain white spaces
  • In Chrome browser it was not possible to save the PDF result of a report if it was already displayed in PDF viewer of the Chrome browser. The save prompt indicates ‘Save as type: All Files (.)’ instead of PDF
  • Text export: Charset was set incorrectly
  • NoSuchMethodError: 'void java.lang.SecurityManager.checkSystemClipboardAccess()' occurred if Java report viewer was used with Java 11
  • Hairline box without background was not printed in the Java output (report preview)

Version 19.0

  • Percent formatting in the XLSX export format was incorrect
  • Warning for required .NET Framework 3.5 removed
  • Configuration data lost if MongoDB was used for persistence with multiple report server instances
  • Infinite loop occurred when using report viewer in an iFrame

Version 18.1

  • Endless loop with a multiple page (PDF) document in a dynamic image location occurred
  • Percent format in XLSX format shows 0%
  • FactoryConfigurationError: "Provider com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl not found" occurred
  • Postscript export: Images with 8 bit gray color are displayed incorrectly or postscript printer does not print it
  • IllegalStateException occurred with message "Unknown operation: com.inet.report.renderer.doc.controller.bk@0"
  • Security issue "Cross-Site Scripting" occurred
  • Rare rounding error occurred when the scale of a number was reduced by more than 9 digits in a formula function
  • ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used
  • Stacktrace of ReportError was displayed to the user
  • Reports that required a prompt did not open properly in Internet Explorer 11 after the prompt request dialog was closed
  • Default zoom was too small if the report was exported in only one HTML page
  • Authentication on Repository failed if Remote Designer was started in Repository Browser
  • Hairline box without background was not printed in the Java output (report preview)
  • "NamingException: LDAP response read timed out" occurred if Windows Active Directory was used for authentication with a large number of groups
  • The following error has occurred in Internet Explorer while restoring a backup: "Object doesn't support property or method 'includes'"
  • Sorting and grouping of tasks by owner was wrong

Version 18.0

Security Fixes

  • Critical Security Update for Help Plugin (CVE-2020-11431)
  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 19.1

General

  • AdoptOpenJDK updated to version 11.0.3
  • Cloud providers like AWS, Jelastic, Heroku supported
  • New Prompt dialog implementation
    • User experience improved
    • Cleaner, more modern look and feel
    • Theming supported
    • More than 1000 default values supported
    • Prompt dialog added to Task Planner
    • Google Web Toolkit framework and plugin removed
  • Java version 12 now supported
  • Plugin "Notifications" added for receiving status updates and error messages as well as optional recurring, configured messages
  • Plugin "UpdateCheck" added to regularly check for updates of the system. The Plugin also provides a maintenance module to manually check for updates and to control how often it should check for updates and to display the changes made since the installed version. Download links will be provided in case a new version is available
  • Redis and MongoDB are now supported locations for the persistence of i-net Clear Reports in cloud environments
  • Cookie banner added to the web interface to indicate the use of cookies for the login
  • Event Log views added to Statistics app in report server web interface
  • AdoptOpenJDK 11 bundled with installed i-net Designer and Report Server
  • Use the certificates of the operating system under Windows and OSX because these certificates are more up to date
  • Domain license supports a single host also without reverse DNS lookup
  • Let's Encrypt protocol version ACMEv2 supported. The Let's Encrypt protocol version ACMEv1 will reach end of support on November 1st, 2020. If you use Let's Encrypt certificates for HTTPS then you need this update
  • Critical Security Update for Help Plugin (CVE-2020-11431)
  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders
  • Java 11 supported
  • Users and Groups Manager added.

With the user manager it is possible to create and manage user accounts and groups. It replaces the Permissions dialog in the Configuration Manager. Each plugin can store its own user settings now

  • Login improved:
    • Multiple Login Types can be used at the same time
    • Login Types added: Google, GitHub, Facebook, Microsoft ADFS
    • i-net Clear Reports Login added. Users can add new user accounts which are stored in the persistence folder of i-net Clear Reports
  • Diagnostics added
    • It contains the current Server Information, Logging etc.
    • Statistics now contains only statistical data about performance, load etc. that are captured during runtime
  • Different event logs added to the statistics to monitor the state of the system
  • Web Application "Help": The search feature in the help improved. The help tree remains and search results are highlighted in the tree.
  • Available as Docker container from https://hub.docker.com/r/inetsoftware/i-net-clear-reports/ (requires a Domain license, trial license available)

Changes

  • A restart in the server interface triggers a restart of all nodes if database persistence (MongoDb, Redis) is used
  • Event log contains a "node" column if it runs with database persistence (MongoDb, Redis)
  • Let's Encrypt certificate requests now work with multiple server and database persistence
  • Default "Font Path" for PDF export and Java viewer added. The default font path contains DejaVu fonts for Monospaced, Sans Serif and Serif fonts. Font embedding of DejaVu fonts is enabled by default
  • Prompt dialog added to Task Planner
  • Notification for low disk space added
  • Locale of the client is used for formatting in the prompt dialog, e.g. for date formatting
  • The webserver can be configured to send additional header fields with HTTP responses, e.g. to enforce HSTS or provide custom server information to the web client
  • Users are no longer required to have Java installed separately: the Designer now supports a protocol handler to open a locally installed i-net Designer instead of the JNLP variant
  • It is now supported to give users or user groups the permission (serverprint) to remotely print on specific printers connected to the server. Now each group can be set to only print on its own server / network printer
  • Multiple LDAP servers supported for authentication as fallback
  • Account id of the user added to the "stored data" view
  • A master account will be created after a valid login using the master password even if the setting "Create new User" is deactivated
  • New feature "stay logged in". After login, each user will remain logged in until they log out. After 28 days, they will be automatically logged out. It is also possible to delete user sessions in the "User and Groups" module, if you have the permission to access this module
  • Login Sessions displayed in the User details
  • It is now supported to select a preconfigured datasource for a database series in the Task Planner. The user defined JDBC settings are still possible
  • Text export: Encoding of lines and boxes in text format improved
  • Repository events added to Event Log
  • XML Export added to the task planner
  • The JDBC-ODBC-Bridge now supports VARCHAR values larger than 255 characters
  • Support for SSL certificate in PEM format added
  • The report URL parameter "reports" now supports XLSX and ODS. A new sheet will be created for each report
  • Userinfo (user:password) supported in the report URL parameter. It will be sent as Basic authentication header
  • Support for XLSX and ODS format for multiple report file reports added
  • "Bean Data Source" removed because of security reasons
  • Option "Font Mapping" to replace fonts that are not embeddable for PDF files is enabled by default. The change will have direct impact on Font Path settings

Report Repository

  • Reimplementation of the repository search using our own search engine
  • Java report viewer removed from the list of output formats because Java applets are not supported by most current browser versions

Configuration Manager

  • Function to activate a configuration temporarily removed
  • Property "Keystore File" for signing PDF files supports URL
  • Message "Configuration not available. Please reinstall the application" was displayed sometimes while the Configuration Manager web GUI was loading the configuration
  • Error "$rootScope.model.activeCategory is undefined" occurred after server restart

Java Report Viewer

  • NullPointerException occurred if there was no default printer

Report Server

  • LDAP authentication: It was not possible to log in with a user contained in an LDAP group with a group name (full Distinguished Name) longer than 100 characters

Version 17.1

  • The JAR file inetslf4j.jar was renamed to inetloggeradapter.jar. It also contains an adapter for Commons Logging
  • PDF export: JPEG images in EXIF format now supported
  • Memory improvements for images with image key
  • Date parsing order optimized to conform to the modified date patterns in Java 9
  • Login Type "Internal Webserver" is also available if i-net Clear Reports is not running in an application server but a login filter is used
  • Performance optimization for user expander formulas

Servlet

  • Servlet Spec was changed to version 3.1 and the class of the login servlet was changed to com.inet.authentication.LoginServlet

Fixed Bugs

  • Multiple issues with the Java 9 release candidate occurred
  • PDF export: Some bugs in PDF/A-1b export have been fixed
  • XLS / XLSX export:
    • Number property formulas were used although the Decimal number format was used instead of the user defined number format and the property formulas should be disabled. This could result for example in a wrong sign
    • Client timezone was ignored for date time values in the XLSX format
    • "Suppress if Duplicated" does not suppress duplicate fields in some cases
    • Percent format in XLSX format shows 0%
  • No cipher suite error with HTTPS connections occurred
  • Line height style was only used in first line of wrapped text, if Text Interpretation "HTML(advanced)" was used
  • Fix a bug with recursive table joins over multiple data sources (DS-A → DS-B → DS-A). The resulting error message was: "Report Error [1403] Error occurred while fetching data or while using data cache."
  • Unhandled Exception "java.lang.InternalError" with message "couldn't create component peer" occurred with Java 8u152
  • Clip/alignment of italic right align text with a large italic angle was wrong
  • Word breaking of Thai language in advanced HTML content was wrong. The correct behaviour requires the report locale to be set to 'Thai'
  • Error "Report Error [1401] Illegal argument for DATE sproc ..." with SP parameter of type DATE occurred
  • Error "Could not create font with ID X" occurred if an OTF font was used and the property "Compress Viewer Fonts" in the Configuration Manager dialog "Font" was enabled
  • RTF export:
    • Font names in font table should be written using an East-Asian character set encoding instead of Unicode
    • Content of some text boxes was not displayed completely if the text box contains a lot of text
  • PDF export: Barcode font was too big
  • ArrayIndexOutOfBoundsException occurred if facename and familyname arrays have a different length
  • "The design of the crosstab is too large" occurred with a crosstab in a subreport
  • Currency symbol was displayed although the field was suppressed
  • If "Underlay Following Section" was enabled for a section in a subreport then it could occur that the subreport was moved to the report report page
  • If the URL used in BytesFromFile function returns a 404 error then "unknown image format" was displayed in executed report. In this case image will be shown as blank
  • Exception: "org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair" occurred
  • Crosstab property "Suppress Row Labels" in "Group Options" does not work for more than one field in crosstab rows, if it is enabled for more than one field in crosstab rows
  • Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM
  • Only the end of a "Can Grow" field was displayed at the 2nd appearance of the field if the field has been continued on a second page
  • If an embedded font has different font metrics than the system font with the same name and text interpretation "HTML(Advanced)" was used then the text layout could be broken
  • SVGDecoder does not work with Java 9 (or higher): ClassNotFoundException: org.w3c.dom.css.DOMImplementationCSS
  • PDF document was not displayed correctly in report
  • Decimal number format in XLSX and ODS output format was 0 instead of the correct number
  • Fonts of a PDF document embedded in sub report were missing
  • Security issue "Cross-Site Scripting" occurred
  • ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used

Repository

  • MIME type mismatch via SSL connection with strict MIME type checking for Echo2 Modules like Repository Browser

Web Interface

  • java.lang.NullPointerException occurred while opening file chooser

Security Fixes

  • Critical Security Update for Help Plugin (CVE-2020-11431)
  • Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)
  • Fixed multiple XSS vulnerabilities (login was not required).
  • Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 17.0

General

  • Task Planner replaces Scheduler
  • Let's Encrypt (https certificate provider) can be updated using the Task Planner
  • Improved rendering of Reports embedded in Emails sent via the Task Planner
    • Will provide better support for most mail clients, except any kind of Outlook software
  • SDK comes with new sample plugins and Gradle scripts to compile them
  • Standalone HelpCenter for the documentation
  • Datasources can be saved using a Maintenance Backup Task

Fixed Bugs

  • ORA-28040: No matching authentication protocol - occurred with Oracle 12c
  • The current execution of the formula "x" was aborted due to a null value
  • Directory Plugins and lib not found if UNC path was used with Java 8

Scheduler

  • NeedPromptException occurred even though no prompt was needed.

i-net Designer

Version 23.4

Fixed Bugs

  • The query timeout set via the Designer user interface was ignored.
  • Reports with special characters could not be opened via the repository browser in the Designer because of encoding problems.
  • Reports with special characters could not be opened via File->Reopen... because of encoding problems.
  • The following errors occurred sometimes in Remote Designer when opening a report from the repository: "No repository configuration found for file: "...rpt"" and "Not authorized. Please check your permissions and restart the Designer if applicable.".
  • NoClassDefFoundError: Could not initialize class com.inet.cache.internal.MemoryObserver - occurred with OpenWebStart

Security Fixes

  • The JNLP client could theoretically be sent another client's cookie at startup.

Version 22.10

  • The JNLP client could theoretically be sent another client's cookie at startup.

Version 21.10

  • The JNLP client could theoretically be sent another client's cookie at startup.

Report Renderer Job

Version 22.10

  • Fixed setting the password for exporting reports as encrypted PDF files.

Sample Reports Repository

Version 23.10

  • Initial release of the Sample Reports Plugin
  • This plugin contains several sample reports that will be put into a newly created repository.
  • If no repository was active, the newly created one will be activated. Otherwise the repository will only be created.
  • Note that the sample reports and repository will not be removed when deactivating or uninstalling the plugin.

Server Printing

Version 23.4

  • Directly printing a report now requires the URL parameter printNow=1.
  • Printer tray selection is supported. For Java 17, the command line parameter --add-exports=java.desktop/sun.print=ALL-UNNAMED is required. Command line parameters can be set in the configuration application in the advanced view.

SVG image embedding

Version 23.10

  • Updated the internal Batik libraries to version 1.16.

Version 22.10

  • Updated the internal Batik libraries to version 1.14.

Calendar

Version 23.4

  • Triggers can be set to start after events as opposed to only before them.
  • The calendar trigger automatically refreshes its events from the given calendar every 30 seconds.

Fixed Bugs

  • Next task execution times filter out past potential execution times.

Version 22.10

  • There is a new calendar trigger that allows running a Task Planner task with a time offset when an event occurs in the given ics or iCal file.

ChatGPT

Version 23.10

  • New Clear Reports formula function "gpt" which takes any string query as a parameter and returns the GPT response.
  • Added obfuscation to storage of OpenAI API Key in configuration.
  • HelpDesk spam filter capability (off by default) which can check incoming emails for whether GPT would categorize them as spam.
  • Anonymization of any telephone numbers and email addresses to avoid sending personally identifiable data to OpenAI.

Collaboration

Version 22.10

Fixed Bugs

  • Improved the Server Status Command with regard to its CPU load calculation when the server is running on Windows.

Version 22.4

  • Added a new command serverstatus which displays server information such as version, CPU load, memory usage, and more.

Configuration

Version 21.4

Fixed Bugs

  • Unnecessary restart message occurred in the web server dialog of the configuration manager if the HTTP port was changed to a non-default value and the HTTPS port was left at the default

CoWork Calls

Version 23.10

  • In the user settings, users can enable a phone icon that is shown on their avatar as part of their status while they are involved in a call in any channel.

Version 23.4

  • In the configuration you can set whether the audio and video connections are allowed to go through the public client connections or only through configured TURN servers.

Fixed Bugs

  • The CoWork Calls WebAPI ignored the preview mode option that prevents accidental execution of destructive operations.

Version 22.10

  • Improved the automatic reconnection of calls
  • Added option to set TURN servers which are responsible for negotiating audio and video call connections
  • The overlay of a call from another channel can now be moved to another corner of the window
  • Audio output improved when switching channels: no more interruptions
  • Sounds are played when another participant joins or leaves a call or raises the hand (configurable)
  • Optionally, the entering or leaving of a participant in a call can be announced by voice (configurable)
  • Audio and video calls are automatically reconnected when the connection to the server is restored, or the page is reloaded by mistake
  • In the channel list, the participants of a call are now listed below the channel
  • The caller view and the call overlay have been further optimized
  • The available reactions within a call can now be defined in the configuration. If all emojis are removed, this feature will also be disabled
  • Layout improvements for calls in the Safari browser
  • Speech recognition when switching with a call to another channel

Version 22.4

  • Added support for voice and video calls
  • Allow screen share of multiple screens without participating in a voice call
  • Added support for muting and leaving calls using the WebAPI

CoWork Meeting Rooms

Version 23.4

  • The details like name, description and icon of meeting rooms can be changed by authorized users.
  • Users with the "Create Meeting Rooms" permission can add additional members to a room via the member list.

Version 22.10

  • With CoWork meeting rooms, temporary channels can be set up and external users can be invited. Many use cases such as external support, product demonstrations and the creation of temporary workgroups are possible.

DeepL

Version 23.10

  • Added obfuscation to storage of DeepL API Key in configuration.

Diagnostics

Version 23.10

  • The new Web Server Errors panel displays a graph of request errors logged by the server. All web server responses with a status code of 400 or higher are logged and displayed aggregated per day.
  • In the logging panel, the list of selectable threads has been reverse sorted. The log file can thus be filtered to the last up to 100 threads.

Fixed Bugs

  • Condition for free disk space returned the wrong boolean value.

Version 23.4

  • Condition for free disk space returned the wrong boolean value.

Version 22.10

  • Added support for a memory dump when running with an OpenJ9 Java VM.
  • Condition for free disk space returned the wrong boolean value.

Version 21.10

  • Condition for free disk space returned the wrong boolean value.

Discord

Version 22.4

Fixed Bugs

  • Fixed possible error message "accountID must not be null" in Discord configuration.

Version 21.10

  • Discord plugin in category "Task Planner" will be replaced by general Discord plugin. You can find it in Plugin Store category "Communication". If the old plugin was activated, the new one will be installed automatically by the setup

Embedded Websites

Version 23.4

  • Added separate backup and restore option for Embedded Websites.

External CoWork Message Sending

Version 23.4

  • File results of a Task Planner task are optionally sent as an attachment with the CoWork message.

Fixed Bugs

  • Added a helpful link instead of an error message in the task planner dialog in case an external server hadn't been set yet.

Field Settings

Version 22.10

  • Added new Data Type "Date with Time" and "Time"
  • Added option "Ignore timezone" for "Date" and "Date with Time" in order to work with local dates
  • Label and description of predefined and user-defined fields can be translated into multiple languages via the Field Settings dialog
  • Added task in maintenance which will back up all user field settings with translations and custom fields.

FTP Transfer

Version 22.10

Fixed Bugs

  • When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.

Version 22.4

  • When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.

Help

Version 23.4

  • Support for generating a Software-Bill-of-Materials JSON file using the server's ./well-known/sbom URL with an administrative user account.

Fixed Bugs

  • Release Notes were not displayed in the HelpCenter.

Version 22.10

  • Links that require another plugin to be enabled open the Plugins Store where the required plugin can be activated or loaded.

Version 21.10

  • PDF export was not possible from a help page accessed through an untrusted HTTP URL in the browser.

HTTP

Version 23.10

  • Added placeholders to the HTTP trigger that are filled by sending multiple optional "parameter" queries. This means that you can extend the HTTP trigger URL with ?parameter=abc&parameter=def... to fill the placeholders.

Version 23.4

  • Added text area field for POST and PUT methods to allow directly sending JSON data with the request

Version 22.10

Fixed Bugs

  • Fixed access to trigger when set to be available for everyone

Version 22.4

  • Added option to add header entries to HTTP action

i-net CoWork

Version 23.10

General

The CoWork messaging gained many advanced features, such as emoji reactions, Markdown table support and improved attachment previews.

  • Added plugin to talk to ChatGPT using bot commands.

Changes

  • Users can react to messages with emojis. The last five emojis are quickly accessible via the context menu.
  • The action "CoWork Online Status" of the Task Planner allows changing the status of the user by e.g. time triggers or CoWork commands.
  • Text files attached to messages get a preview with the first 10 lines. This can be expanded further to show up to 50KB of the file.
  • When pasting text into a new message, it will be added as an attachment if it is more than 4000 characters or 40 lines long.
  • Using the context menu, individual attachments of a message can be removed.
  • Horizontal lines and Markdown tables can be used in message texts.
  • The WebAPI returns reactions on messages and allows toggling reactions for a logged-in user.
  • The WebAPI returns an "Access Forbidden 403" status instead of "Access Denied 401" when a logged-in user does not have access to a team or channel.
  • The WebAPI allows searching for messages using the same syntax as the CoWork application.

Version 23.4

  • Scrolling of the messages improved
  • The user's online status is displayed at the messages and at the suggestions for mentions. Displaying the status on the individual messages can be deactivated in the settings.
  • In the menu of a message the user and the time of the message are shown.
  • It is possible to reply to messages. The user of the quoted message is automatically mentioned and gets a notification about the reply.
  • Messages, channels and users for direct messages can be found via the global search bar
  • Management of members of teams and channels has been changed:
    • Formerly public channels (with no members specified) now have the "All Users" group as a member by default.
    • Teams and channels without members are no longer accessible to all users, now they can be accessed by no one
    • Channels can now be explicitly set to inherit members from the team. Alternatively, a custom selection can be made.
    • Groups no longer need to have CoWork permission explicitly set to be set for memberships. All groups are selectable.
  • Channels support uploading of custom icons
  • Videos will be played inline in the channel.
  • The color markers used to highlight new messages in channels can be set as follows: mentions only, all messages or completely disabled.
  • Using the "Copy Text" action in the context menu, the selected text or the entire text of a message can be copied.
  • In the "Emoji" dialog of the configuration interface, custom emoji can be added via SVG.
  • An extra page with details of logged-in users and created messages has been added for the diagnostic application. Other CoWork plugins can add additional information.
  • Automatic playback of gif animations and videos can be customized in the settings.
  • Links to web pages in messages additionally generate a preview with title, description and image if the web page contains appropriate Open Graph or Twitter metatags.

Version 22.10

  • Added support for the creation of temporary meeting rooms.
  • Added support for emoji
  • Integrated idle detection with a configurable delay. Will switch from online to away when absent
  • A marker is now displayed to indicate new messages
  • CoWork reconnects to the server without reloading the whole page
  • The Task Planner trigger "CoWork Command" is able to split the parameters into single values to be referenced via placeholder in jobs and actions
  • Drafts are saved per channel and also synchronize across multiple devices
  • Links in messages can be copied via a click in the context menu
  • Smaller thumbnails are generated for images. Attachments are cached in the client for up to 30 days.
  • Improved focus handling for touch devices

Version 22.4

  • Added link to the bottom of the message list to jump to the latest message with one click
  • Changed markdown editor to better support major browsers
  • Added Task Planner trigger to add CoWork commands that will execute a Task Planner task
  • Added Task Planner action to send a message in a specific channel
  • Redesign of members list in channel
  • Images can now be opened with a click as larger preview
  • Added badge to the task bar entry when there are unread messages

ImageIO Extension

Version 22.4

Security Fixes

  • Library update to fix CVE-2021-23792.

Mail Support

Version 23.10

  • Added an advanced configuration property to determine which server name is being used for the EHLO mail command. When using a private network server alongside a public mail server, it may be necessary to provide a publicly determinable server name in order to avoid higher spam score values or potential rejection of emails by the mail server.

Version 23.4

  • Support for S/MIME signature and encryption of email messages

Maintenance

Version 23.10

  • Backups can be selected from the server, e.g. when they cannot be uploaded in the web interface due to their size (>2GB).

Version 22.10

  • When changing data of multiple users at once, custom user fields which accept multiple values can now be set to multiple values instead of only one as before.
  • The User Accounts section of the Maintenance application allows deactivating multiple users at the same time.

Fixed Bugs

  • Fixed a rare error that could occur when changing data of users on custom user fields whose keys were purely numbers.

Version 22.4

  • The User Accounts section of Maintenance allows setting user data for multiple users at the same time. This can be helpful when entire departments or groups of users have changed addresses or other information.

Version 21.10

  • Problems with backup of large files from a database persistence (MongoDB, AzureCosmosDB) occurred

Microsoft Teams

Version 23.4

Fixed Bugs

  • Simple line breaks were incorrectly displayed in the browser version of MS Teams.

Version 22.10

  • Improved the configuration page to link to the store if the token authentication plugin needs to be installed.
  • The task planner template "Microsoft Teams" would incorrectly insert the server's URL if it did not end on a slash.

Notifications

Version 22.10

  • The default language for notifications created in the Configuration application is English. When opening and saving existing notifications, an automatic update of the default language is made in this dialog.
  • Notifications sent to the operating system require interaction from now on if the notification is critical. This feature is available only if it is supported by the browser and the operating system.

Version 22.4

  • Added support for Web-Push notifications. A hint is displayed when the browser requests permission to show the notifications.

Version 21.10

Fixed Bugs

  • Permanent notifications must be kept in the notification center, even though they are displayed by the operating system

OAuth / OpenID Authentication

Version 23.10

  • For Google and Microsoft Azure login the settings from the plugin oauth.connection can be used.

Version 23.4

  • Also imports the avatar for new users when they log in to Azure.
  • Also adds a system login for Azure and ADFS users so that users can be merged with a possible LDAP import.

Fixed Bugs

  • When logging in a new OAuth user, the metadata, such as email, last name, first name, and avatar were not applied. The user was displayed only with the ID, instead of a display name.

Version 22.10

  • When logging in a new OAuth user, the metadata, such as email, last name, first name, and avatar were not applied. The user was displayed only with the ID, instead of a display name.

Version 22.4

  • Added optional tenant for Microsoft Azure authentication.

OAuth Connections

Version 22.4

  • Added support for OAuth 2.0 authentication for emails for Office 365 (modern authentication) and Gmail.

Push Notifications

Version 22.4

Fixed Bugs

  • Fixed encoding problems in notifications containing non-ASCII characters.

Remote GUI

Version 23.10

Security Fixes

  • Security Update for CVE-2023-45818
    • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  • Security Update for CVE-2023-48219
    • TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. This vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Version 23.4

  • Added magnifying glass icon in the search bar to increase the visibility of the search function.
  • In the company info dialog of the configuration, it is possible to set to whom the installation hint for the application as a PWA is displayed. Guests and other special user accounts never get the hint displayed.

Version 22.10

  • The search bar has been updated to use CodeMirror for better overall keyboard support
  • Upgraded library momentjs to version 2.29.4 due to CVE-2022-24785 and CVE-2022-31129
  • Upgraded library tinymce to version 5.10.2 to include latest bugfixes

Version 22.4

  • Optimization of the connection recovery from the browser to the server

Version 21.10

  • Moved file service check to temp folder instead of working directory

Fixed Bugs

  • Fixed data buffer length for ajax and websocket requests
  • Corrected timeout handling for websocket connections with broken VPN connections

Repository

Version 22.4

  • Report files with special characters in their names now open in the repository.
  • Report properties are now displayed correctly in the Extended Properties dialog.

Version 21.10

  • Sorting of files and folders is now in lexical order, regardless of the repository type used

Script Authentication

Version 21.10

Fixed Bugs

  • Fixes badly formatted cookies sent to the login script.

Setup Wizard

Version 23.4

  • When installing on a drive other than C:\ (Windows), the program data directory can be changed during the setup.

Version 22.4

  • Setup now works properly when updating a single or multiple plugins via the plugin store. Duplicate executions and confusing messages will be avoided.
  • When updating the product-core plugin, Setup now updates all updateable plugins from the store.

Statistics

Version 23.4

  • The event log backup job can optionally include previously archived event entries when using a file persistence.

Version 21.10

  • Date and time values now respect the client's time zone when displayed
  • Memory for user and reports now stores a maximum of 20,000 entries to limit memory consumption

Store

Version 23.10

  • The store now shows a link to the full changelog and migration information history in the plugin details.
  • In the plugin changelog history you can select a specific version to jump to that section.
  • In the help, when opening the release information page, there is now a dropdown to select a version from which, up until the current one, the release changes are displayed.

Security Fixes

  • Plugin sideload is disabled if permissions are not restricted in the system.

Version 22.4

  • Allow navigating through screenshots with the cursor keys. Escape key will close the preview.

Version 21.10

  • The plugin store is new and replaces the configuration of the plugins in the configuration
  • New versions and features are requested from the public plugin store and can be installed
  • On future updates, the setup will automatically update all activated plugins from the store

System Core

Version 23.10

General

  • This version marks an LTS release, the last in which Java 11 is supported.
  • The bundled Eclipse Temurin was updated to version 17.0.9.
  • The bundled Eclipse Temurin was updated to version 17.0.8
  • The services of RPM and DEB use the SystemD format instead of the outdated init.d format.
  • The Docker Containers have been updated to run with a restricted user instead of the root user.

Changes

  • When searching "Date field:<date", the day of the date is no longer included in the search result.
  • Added DynamoDB persistence property TablePrefix.
  • All web server responses with a status code of 400 or higher are stored in an additional event log. They can be checked with the statistics and diagnostics plugins.
  • The order of authentication providers without settings can be changed in the Configuration Manager.
  • Added security.txt configuration option. The content of this option will be sent to clients requesting the /.well-known/security.txt file.
  • The guest account no longer has administrative permissions for security reasons, even if there are no restrictions on permissions (systempermission.enabled=false). Administrative permissions of the guest account must be explicitly activated if required (guest.full.permissions=true).
  • Eventlog entries are also written in Recovery Manager.
  • Configuration action in Login category added to reset authentication group members.

Security Fixes

  • Security Update for CVE-2023-35116
    • An issue was discovered in jackson-databind through 2.15.2 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.
  • Security Update for CVE-2018-1002208
    • SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
  • Security Update for CVE-2021-32840
    • SharpZipLib is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
  • Security Update for CVE-2023-5072
    • Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
  • Security Update for CVE-2023-44487
    • The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  • Security Update for CVE-2023-22102
    • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
  • Security Update for CVE-2023-34062
    • In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
    • Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.
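
The containment check that prevents the 'Zip-Slip' writes described under CVE-2018-1002208 and CVE-2021-32840, shown as an added example in Java with java.util.zip; it is not SharpZipLib's or i-net's code. The class and method names and the sample archive are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    /**
     * Resolves an archive entry name against the destination directory and
     * rejects it if the normalized result is not inside that directory.
     * Covers "../" sequences as well as absolute entry names.
     */
    static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        // Path.startsWith compares whole path elements, so /tmp/dest-evil
        // is not treated as being inside /tmp/dest.
        if (!target.startsWith(root)) {
            throw new IOException("Entry escapes destination directory: " + entryName);
        }
        return target;
    }

    /** Extracts every entry after the containment check; returns the number of files written. */
    static int extract(InputStream zipData, Path destDir) throws IOException {
        int written = 0;
        try (ZipInputStream zin = new ZipInputStream(zipData)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = resolveInside(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    // No REPLACE_EXISTING: an existing file is never overwritten.
                    Files.copy(zin, target);
                    written++;
                }
            }
        }
        return written;
    }

    /** Constructed sample archive: one harmless entry, one traversal entry. */
    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            for (String name : new String[] {"report/ok.txt", "../evil.txt"}) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write("sample".getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // createTempDirectory gives a private directory for the demo.
        Path dest = Files.createTempDirectory("unzip-demo");
        try {
            extract(new ByteArrayInputStream(buildSampleZip()), dest);
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println("ok.txt extracted: " + Files.exists(dest.resolve("report/ok.txt")));
    }
}
```

The check is lexical only; it does not follow symbolic links that already exist inside the destination directory.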

Version 23.4

  • Security Update for CVE-2022-36033
    • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs, and ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
  • Security Update for CVE-2020-13946
    • In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
  • Security Update for CVE-2022-42003
    • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
  • Security Update for CVE-2022-31684
    • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
  • Security Update for CVE-2022-41946
    • pgjdbc is an open source PostgreSQL JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
  • Security Update for CVE-2021-37533
    • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
  • Security Update for CVE-2022-23494
    • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert was presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the images_upload_handler returns a valid value as per the images_upload_handler documentation.
  • Security Update for CVE-2022-41915
    • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeaders.set with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call into a remove() call, and calling add() in a loop over the iterator of values.
  • Security Update for CVE-2023-22551
    • The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.
  • Security Update for CVE-2023-24998
    • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
  • Security Update for CVE-2022-45688
    • A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
  • Security Update for CVE-2022-45688
    • Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
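
The cookie-parsing difference described in the Jetty entry above, as an added example (not Jetty's code): a lenient parser that reads a quoted value up to the closing quote, next to a strict parser that ends every pair at a semicolon and accepts only the RFC 6265 cookie-value grammar. The class and method names are hypothetical, and the strict parser is an assumption about what a policy-enforcing intermediary would implement; a header on which the two disagree is worth rejecting or logging.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class CookieSmugglingCheck {

    // RFC 6265 cookie-value: cookie-octets, optionally wrapped in one pair of double quotes.
    private static final String OCTETS = "[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*";
    private static final Pattern STRICT_VALUE = Pattern.compile("\"" + OCTETS + "\"|" + OCTETS);

    /** Lenient parse: a value starting with a double quote runs to the closing quote, semicolons included. */
    static Map<String, String> parseLenient(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        final int n = header.length();
        int i = 0;
        while (i < n) {
            int eq = header.indexOf('=', i);
            int semi = header.indexOf(';', i);
            if (eq < 0) {
                break;                          // no further name=value pair
            }
            if (semi >= 0 && semi < eq) {
                i = semi + 1;                   // token without '=', skip it
                continue;
            }
            String name = header.substring(i, eq).trim();
            int start = eq + 1;
            String value;
            if (start < n && header.charAt(start) == '"') {
                int close = header.indexOf('"', start + 1);
                if (close < 0) {
                    close = n;                  // unterminated quote: consume the rest
                }
                value = header.substring(start + 1, close);
                int next = header.indexOf(';', close);
                i = next < 0 ? n : next + 1;
            } else {
                int end = semi < 0 ? n : semi;
                value = header.substring(start, end).trim();
                i = end < n ? end + 1 : n;
            }
            if (!name.isEmpty()) {
                cookies.put(name, value);
            }
        }
        return cookies;
    }

    /** Strict parse: a semicolon always ends a pair; values outside the RFC 6265 grammar are dropped. */
    static Map<String, String> parseStrict(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) {
                continue;
            }
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            if (name.isEmpty() || !STRICT_VALUE.matcher(value).matches()) {
                continue;
            }
            if (value.startsWith("\"")) {
                value = value.substring(1, value.length() - 1);   // strip the wrapping quotes
            }
            cookies.put(name, value);
        }
        return cookies;
    }

    /** True when the two parsers see different cookies, i.e. the header is ambiguous. */
    static boolean parsersDisagree(String header) {
        return !parseLenient(header).equals(parseStrict(header));
    }

    public static void main(String[] args) {
        // Constructed samples; the first is the header quoted in the advisory text above.
        String[] samples = {
            "DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"",
            "a=1; b=\"two\"; c=3"
        };
        for (String header : samples) {
            System.out.println("Cookie: " + header);
            System.out.println("  lenient : " + parseLenient(header));
            System.out.println("  strict  : " + parseStrict(header));
            System.out.println("  disagree: " + parsersDisagree(header));
        }
    }
}
```

For the first sample the lenient parser returns a single DISPLAY_LANGUAGE cookie whose value contains the JSESSIONID text, while the strict parser returns only JSESSIONID; the second sample parses identically in both.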

Version 22.10

  • Installer for macOS using Apple Silicon is available
  • The bundled Eclipse Temurin is version 17.0.6
  • Added support for DynamoDB persistence
  • Added support for the HTTP header Forward (RFC 7329) for use with reverse proxies.
  • Database Persistence accepts any configuration scope (USER or SYSTEM) and can also run as a non-root account.
  • Added option to disable the "Stay logged in" feature for all users.
  • Security Update for CVE-2020-36518
    • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
  • Security Update for CVE-2022-24823
    • Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
  • Security Update for CVE-2021-23792
    • The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
  • Security Update for CVE-2022-21363
    • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
  • Security Update for CVE-2020-11023
    • In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
  • Security Update for CVE-2022-2191
    • In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
  • Security Update for CVE-2022-2047
    • In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
  • Security Update for CVE-2022-31160
    • jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes the parent label's contents be treated as the input label. Calling .checkboxradio( "refresh" ) on such a widget when the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.
  • Security Update for CVE-2022-31197
    • PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the java.sql.ResultSet.refreshRow() method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. ";", could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the ResultSet.refreshRow() method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name whose column names would contain the malicious SQL and subsequently invoke the refreshRow() method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as 42.2.26 and 42.4.1. Users are advised to upgrade. There are no known workarounds for this issue.
  • Security Update for CVE-2022-31129
    • moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
  • Security Update for CVE-2022-36033
    • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs, and ensure an appropriate Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
  • Security Update for CVE-2022-42003
    • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
  • Security Update for CVE-2022-31684
    • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
  • Security Update for CVE-2021-37533
    • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
  • Security Update for CVE-2022-23494
    • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert was presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the images_upload_handler returns a valid value as per the images_upload_handler documentation.
  • Security Update for CVE-2022-41915
    • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeaders.set with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator) call into a remove() call, and calling add() in a loop over the iterator of values.
  • Security Update for CVE-2023-24998
    • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Version 22.4

  • The bundled AdoptOpenJDK 17 was updated to Eclipse Temurin 17.0.4.1.
  • Two factor authentication supported.
  • Prevent side load of plugins for wrong application version.
  • Web-Push notifications are now supported.
  • MeetUp has grown up, is called i-net CoWork and is now also available as a separate product.
  • Fixed a thread bug that allowed a user to run single requests in another user's security context.
  • Security Update for CVE-2021-37136
    • The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
  • Security Update for CVE-2021-37137
    • The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk was received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
  • Security Update for CVE-2020-21913
    • International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.
  • Security Update for CVE-2021-4126
    • No information available.
  • Security Update for CVE-2021-43797
    • Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
  • Security Update for CVE-2021-41182
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.
  • Security Update for CVE-2021-41183
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.
  • Security Update for CVE-2021-41184
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.
  • Security Update for CVE-2020-36518
    • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
  • Security Update for CVE-2022-24785 and CVE-2022-31129
    • Upgraded library momentjs to version 2.29.4.

Version 21.10

  • The bundled AdoptOpenJDK 11 was updated to version 11.0.15
  • Java 17 supported
  • Update of old versions is now limited. If you are using an unsupported old version, an update to an intermediate version is required
  • It is allowed to create a Let's Encrypt certificate with a callback to the HTTPS port. Problems with redirect to HTTPS and if the server runs only on HTTPS are solved
  • Added QR code to the error page, linking to a help page which may have further details
  • Different ports, configured in the configuration Web Server dialog, use different HTTP sessions
  • An error message occurred during setup if redirect to HTTPS is enabled
  • The plugins dialog in the configuration of the server was replaced by the Plugin Store
  • Fixed a thread bug that allowed a user to run single requests in another user's security context.
  • Security Update for CVE-2021-29425
    • In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value
  • Security Update for CVE-2021-28165
    • In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame
  • Security Update for CVE-2021-28169
    • For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application
  • Security Update for CVE-2021-34428
    • For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
  • Security Update for CVE-2021-21409
    • Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final
  • Security Update for CVE-2021-31812
    • In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions
  • Security Update for CVE-2021-36090
    • When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package
  • Security Update for CVE-2021-35517
    • When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package
  • Security Update for CVE-2021-37714
    • jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes

Version 21.4

  • Memory management for systems with a large heap (>= 4 GB) was improved
  • The version number of plugins now consists of 3 parts
  • The plugin "Web Server Defender" was added to protect against DoS and account hacking using brute force
  • The cookie attribute "SameSite" can now be set. The default value is Lax
  • Search bar and ticket views now also support an OR search with the keywords "or", "||" and "|"
  • Embedded web pages now also support the linking (redirect) of web pages. Additional rights management based on "users and groups" memberships
  • Generic OpenID Connect (OIDC) authentication provider added
  • Azure OpenID Connect (OIDC) authentication provider added
  • Sample plugin for Custom OAuth provider added
  • Jetty version updated because of:
    • CVE-2020-27216
      • In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability
    • CVE-2020-13956
      • Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution
    • CVE-2020-27218
      • In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request
    • CVE-2020-27223
      • In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values
  • Guava version updated to 30.1 because of CVE-2020-8908
    • A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured
  • Cron-utils updated to version 9.1.3 because of https://nvd.nist.gov/vuln/detail/CVE-2020-26238
  • Security Update for CVE-2020-1967
    • Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f)
  • Security Update for CVE-2021-20328
    • Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server's certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don't use Field Level Encryption

Fixed Bugs

  • Fixed a bug breaking the User Manager web interface if the country of the server is not valid.
  • Fixed a bug when searching digits and number data types, which produced the error: IllegalArgumentException: Empty left and right operand in search condition
  • Fixed a deadlock with OpenJ9 Java VM when starting the server via API.
  • Fixed embedded fonts for .NET viewer (error message: Could not create font with ID 1).
  • OAuth authentication (Azure) with Safari browser was not possible
  • Permission check for the WebAPI did not work in connection with the default Windows Authentication
  • URL was wrong after signup with any OAuth authentication provider, such as Azure, when a reverse proxy (like default.aspx for IIS) was used

Task Planner

Version 23.4

  • Adds the {initiator} placeholder to the server stop trigger, which contains the display name of the user who restarted the server.
  • Tasks executed using the /api/taskplanner/execute endpoint are temporarily stored for the user, allowing them to access them later. If the tasks are not accessed again via the WebAPI within 60 seconds, they will be automatically removed.

Fixed Bugs

  • In the task planner maintenance section, it was not possible to move tasks away from deactivated users.

Version 22.10

  • Parallel execution of the same task is now generally allowed
  • Manually starting a task while it is running is now possible
  • PUBLIC-API: To distinguish between multiple executions, the TaskEvent and HistoryEntry now contain executionID, a unique ID for the execution.
  • PUBLIC-API: TaskPlanner's execute-method now returns a CompletableFuture to allow more control over actions after the execution.
  • PUBLIC-API: New method cancelTaskExecution(GUID,GUID,boolean) to cancel a single running execution of a task instead of all running executions.
  • Added Low Memory Trigger to notify administrators of this critical situation.
  • PUBLIC-API: TimeTriggerFactory's generic type is now Trigger as it can return different types of trigger: TimeTrigger and TimeTriggerForCustomSettings
  • Fixed loading of large lists of tasks in the UI
  • Fixed bug endlessly showing task as running with 0% or 100% progress although there was no execution.
  • The license check of the Reporting Plus license for the Task Planning application was incorrect.
  • The option custom in time triggers works correctly.

Version 22.4

  • Placeholders are grouped if they start with the same prefix
  • Added the option custom in time triggers.
  • A maintenance module is provided for batch moving Task Planner tasks from one user to another.
  • Fixed visibility of Task Planner triggers, jobs, and actions (based on a user's permissions) to be in sync with the visibility of help sections for these triggers, jobs, and actions.

Version 21.10

  • Long running tasks were sometimes displayed as 'INCOMPLETE'
  • Correction of identical file names in the file actions for multiple identical jobs with parameter placeholders in one task.

Version 21.4

  • New Task Planner Job added to determine the free disk space in the working directory, cache and persistence directories. A threshold for minimum available disk space can be defined to trigger actions when there is not enough disk space left
  • Triggering of time-trigger interval 'Two Weeks' was in wrong week at the beginning of a new year.

Themes

Version 23.4

Fixed Bugs

  • Fixed spelling mistake in "Dark Forest" theme

Version 22.10

  • Removed experimental Material Blue theme

Token Authentication

Version 23.10

Fixed Bugs

  • When accessing the server using HMAC token authentication, the system failed to log the user token's last access time.

Version 21.10

  • Added Plugin "Token Authentication".
  • Enables Web API access using access tokens. It allows users to create access tokens as another means of authentication into their account, but with restricted access scopes.
  • Support added for HMAC token authentication as used by MS Teams

Two-Factor Authentication

Version 23.10

  • 2FA emails are now sent to all stored email addresses of the user and not only to the first address.

Version 22.10

  • A second factor can be made mandatory in the login settings of the server configuration. If there is no second factor set for a user, it is required to be set up after a fresh login.

Version 22.4

  • Plugin added to support two factor authentication.

Users and Groups

Version 23.10

  • Added additional permission to read information from the Users and Groups Manager using the WebAPI. This allows read-only restricted access to search for users and return minimal information about them.

Version 23.4

  • Added Web API Extension for Users and Groups, which allows searching for users or groups and displaying detailed information about them.

Version 22.4

  • Added an apply button to the edit dialog of a user or group. This allows saving the changes without closing the edit dialog.
  • The avatar of users can be changed in the users and groups application with a click on the avatar image of the selected user

Version 21.10

  • Search phrases can now be passed to Users and Groups in the web interface via the URL parameter s
  • A new warning message appears when removing the last group member in a sub-group which will inherit memberships
  • In the preview it is possible to switch the view to show inherited entries for permissions, allowed actions and resources
  • Added a new label to allowed actions and permissions that tells whether it is granted and whether it is inherited

Web API

Version 22.10

  • Opened up the WebAPI UI to be available for public requests, such as the Task Planner's HTTP trigger, so that the trigger can be run from the browser.
  • Added input field for the current URL, restricting editing to variable parts that require IDs
  • Added JSON area to send custom JSON to a request URL
  • Added selection for HTTP method and send key to re-submit the request
  • Added ability to remember ID-tokens in the current web API session and automatically fill them in until the page is refreshed

Version 21.10

  • Update of the permission handling to determine if a user has access to API endpoints

Web Server

Version 23.10

  • Added an option to the security section of the web server configuration to control embedding of the application using X-Frame-Options.

Version 23.4

Security Fixes

  • Security Update for CVE-2023-44487
    • The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Version 22.10

  • Added placeholders for start and expiration date of the HTTPS certificate that is currently being used. The placeholders can then be used in Task Planner actions.
  • Changed Jetty server from version 9.4.x to 10.0.x.
  • Added support for HTTP/2 protocol.
  • Allowed Cross Origins is now called Allowed Origins
  • If Allowed Origins is set, it will send CORS headers that also include the external visible URL.
    • The server now checks that it is addressed using any of the given values from either the external visible URL or the Allowed Origins
    • The server checks HTTP/s as well as WS/s connections

Version 22.4

  • An optional web context of the web server can be set if the server should not run in the root context.
 