Release Information

Starting with version 24.4, i-net Clear Reports requires at least Java 17 to be run. A compatible version of Java is provided with every installation of the product. This version also marks the end of the Repository browser which is replaced by the all-new Drive application.

Additionally, there is an all-new PDF viewer that allows to view rendered report files. In the configuration you can now specify the default rendering format more broadly, also including the new PDF viewer.

Migration Information

Version 24.4

The Java Viewer Applet has been removed. In modern browsers, Java Applets have been unavailable for some time now. You can still use the Java Viewer in API mode.

The ReportServletJSP has been removed. It was used as an entry point for *.jsp files that allowed to instantiate report engines and control Java Viewer Applet HTML output.

The Drive will replace the previous Report Repository as the central storage solution.

Version 23.10

The deprecated datasource property driverLibrary has been removed. To use additional driver libraries, you must move them to the lib directory of the installation.

Version 21.4

WAR file for Oracle Weblogic

The initialization for WebSocketEndPoint to be registerable in Oracle Weblogic was changed in version 21.10. This fixed the error java.lang.IllegalStateException: Not in 'deploy' scope. .

If you use an web.xml file of another WAR file you need to add the listener ** com.inet.http.ExpandableServletContextListener **

Version 20.0

Changes in program structure

The internal structure has changed. That is why the new plugin reporting (file: plugins/reporting.zip ) is now mandatory to start i-net Clear Reports. Due to this change the previous startup scripts are no longer valid and have to be changed.

In addition, the i-net Designers plugin remotedesigner.zip has been renamed to designer.zip .

If manual changes were made to the startup scripts, they have to be updated accordingly:

Report Server : the startup script has to be changed from

From: ~~java -cp core/ClearReports.jar com.inet.report.ClearReportsServer~~

To: java -jar core/inetcore.jar

i-net Designer : the startup script has to be changed from

From: ~~java -jar core/designer.jar~~

To: java -jar core/inetcore.jar designer

Command Line Parameters : the startup has to be changed

From: ~~java -jar core/ClearReports.jar -forceImportConfig ...~~

To: java -cp core/inetcore.jar com.inet.config.recovery.RecoveryConfiguration -forceImportConfig ...

**Servlet Users of custom *.war or *.ear **: the servlet class has to be changed

From: com.inet.report.ReportServlet

To: com.inet.http.PluginDispatcherServlet . See the reference war file for details.

Note: Developers who utilise API classes such as com.inet.report.Engine from the reporting.jar have to extract this jar file from the reporting.zip plugin now.

Behavioural changes

The Web API plugin has been updated with a new remote interface application which requires an additional permission. Every other previous Web API extension now requires this permission as well. Users with specific Web API permissions must be checked and reconfigured in the Users and Groups Manager .

com.inet.report.ReportServlet has been removed. If there were extensions from the previously deprecated API, then they have to be moved to a plugin, registering an extension now.

The formula functions BytesFromFile and TextFromFile now limits access to files to prevent a path traversal for normal users. The specified file must be from a valid report location, and if it is located in the file system then it must be from the same directory or subdirectory as the report itself.

Custom implementations of com.inet.report.PropertiesChecker can not be added to the lib directory anymore. They have to be implemented using a plugin. See <SDK>\\Documentation and Samples\\Plugin - Samples\\PropertiesChecker for an example plugin.

Custom implementations of javax.servlet.Filter can not be added to the lib directory anymore. They have to be implemented using a plugin. See <SDK>\\Documentation and Samples\\Plugin - Samples\\ SessionDatasource for an example plugin.

The com.inet.report.Listener class has been removed. The web server has not been started by this class since version 15.x. The web server is started using the plugin webserver.zip .

Version 19.0

The MySQL Connector/J was updated to version 8.0.13. It is recommended for MySQL Server 5.5 or higher. For older MySQL Server version you could replace the MySQL Connector/J with the version of the previous i-net Clear Reports version

With the Server Printers plugin enabled users will not be able to use the server printer after upgrading to version 19. They will have to have group permissions assigned to regain access to server printers

The Data Source Manager Interface has been renewed from the ground up. Existing Data Sources in the former User/System/Temp/Session - Scopes will now be readonly from the interface but can still be added and modified using API. An new Application Scope has been added which now supports assigning user groups to restrict permissions

Data Sources are now handled differently for reports.

Data Sources with the same name may exist with different permissions in different scopes

The are looked up in the following order: User Session Scope → Temporary Scope → Application Scope with permission → User Scope → System Scope

Application Scope with permission means that there may be more than one Data Source with the same name but with different permissions. The first that is allowed for the users group will be used

Version 18.0

Data will be migrated by the setup into the new format of i-net Clear Reports version 18. Therefore we recommend to backup the program data.

The /remote context of the Remote GUI has been removed. Applications beneath this entry point have been moved up one level.

If you have a plugin which implements your own AuthenticationProvider then you must rewrite it. To support multiple login sources in parallel the API has changed. A sample for a such a plugin can be found in the SDK.

If you use the repository plugin then security settings will be migrated. After the migration it will no longer work with older versions of i-net Clear Reports. Permission patterns are not supported anymore. The administrator needs to check whether the users have the desired and expected permissions.

If the remote printing plugin is enabled then in the HTML viewer this is available via menu point.

There is a new default plugin that embeds the HTML Viewer into the remote application. That means that users of the HTML Viewer will see the configured logo, will be able to to signup/login and directly access their remote applications.

When having permissions or userdata for old, now unused, users, such users will appear as User Accounts in the new Users And Groups Manager. Take a look there and delete obsolete users.

The pattern (like " ", "vwl .rpt", ...) in the folder permissions of the Repository Browser are no longer supported. After migration the settings will be valid for all report files in the same folder. If other patterns than "*" (all reports) were used then it is necessary to check the folder permission settings in the Repository Browser. The permission "Server Administration" is necessary for that.

The C# implementation based on IKVM is deprecated. It was replaced with the ProcessBridge. You can find it in the SDK ( https://download.inetsoftware.de/clear-reports-sdk-latest.zip ). You find the required folder structure for Visual Studio and Powershell in the readme.html of the folder "i-net Clear Reports .NET Bridge". It is necessary to reimplement your program using i-net Clear Reports API because the API is not compatible with the implementation based on IKVM.

In version 18 the option "Mapping Fonts" is enabled by default. If this option is activated, all characters of a logical or not embedded font will be replaced with characters of an embedded font.

Version 17.0

Migration of Scheduler Jobs

Every Scheduler task since version 12 will be migrated to the Task Planner in the setup when updating a system that used the previous Scheduler.

Migrating tasks from the Scheduler to the Task Planner

Make sure that the plugin Task Planner - Render Reports is activated

Make sure all tasks of all users are deleted from the Task Planner. Migration only occurs if the Task Planner is empty.

Restart your server. In the initialization phase it will now migrate the tasks silently.

If it does not migrate the Scheduler tasks to the Task Planner please check the log files and send it to our support.

Migration issues

When tasks are migrated from Scheduler to Task Planner, some minor issues may arise, since many things have been streamlined and simplified. See the following hints.

Reports

The setting as file: was removed, which gave each generated report a different name. Now the name of the generated file(s) come from the title configured in the report template ( .rpt). However, the *File System Action has an option File Name Format which allows you to construct a unique name.

Action settings

For Save (on servers file system) the settings Attach date and Attach time was combined into the option File Name Format .

For Send via Email , the CC and BCC options were removed, and values from CC are added as normal receivers. The options Put reports in a zip file , Attach date and Attach time were removed.

For Print (at server-known printer) the option Count of Copies was removed, it always prints once. Other even older options like orientation and quality which were only available via Java API were also removed.

Time settings

There are some rare combinations of settings which were possible with the old Scheduler but are no longer possible with the Task Planner. It is possible some of the more exotic settings will get a slightly different behavior in the Task Planner.

Daily execution with a DayStepSize greater than 1, which means execute every N days. In the scheduler this adds N days from the start date for each next execution. After conversion to Task Planner this always starts at the 1st of month and then adds N days for each next execution. If the DayStepSize is 7 then it will convert to a weekly interval.

Weekly execution with a WeekStepSize greater than 1, which means every N weeks. If it is 2 then a Two Weeks interval will be used. Other values are not supported in the Task Planner and when converting this it will set the WeekStepSize to 1.

Monthly execution with a MonthStepSize greater than 1, which means every N months. In the scheduler this adds N months to the start date for each next execution. This can only be represented with a Cron Trigger. The Cron starts at a given month and then adds N months for the next execution. When converting such tasks it will determine the start-month automatically in order to match the correct interval. This only works if the MonthStepSize is 2, 3, 4, 6 or 12. For other values it will be every N months, but the execution month will likely be wrong.

Yearly execution with a YearStepSize greater than 1, which means every N years. This is not supported in the Task Planner and when converting this it will set the YearStepSize to 1.

Delete this task after Execution: This feature is not available in the Task Planner.

Multiple executions on same day: one Time or Cron-Trigger does not support this, but you can add multiple triggers to the same task. When those tasks are migrated it will create many triggers automatically.

End execution after N executions or after a given Date: this feature is not available in the Task Planner. When converting expired tasks they will be deactivated.

Custom Actions

Old custom actions will not work after migrating to the Task Planner. Those actions must be replaced with custom Jobs and/or Actions . See the programming samples for how to implement your own Job or Action.

Dynamic Properties

Old dynamic properties classes will not work after migration to Task Planner. If you loaded your dynamic values from a Database then you can probably replace your custom dynamic properties with a Database Series . For other cases it should be replaced with a custom Series implementation. See the programming samples for how to implement your own Series type.

Task owner

In Task Planner, each task always must have an owner, so a task belongs to a user. Migrated tasks will have Scheduler as owner. Because certain triggers, jobs and result handlers require certain permissions the artificial user Scheduler gets some permissions automatically if you have System Permissions enabled. If you remove the permissions it can happen that tasks can no longer be executed.

If you want to move the tasks to another user then you must duplicate a task and then delete the old one. The new task will belong to the currently logged in user.

The Repository: permissions and ownership

Due to the new user the reporting server is running with there may be permission problems when accessing the Repository browser. You should look up the path of your repository in the Configuration Manager and check the permissions of this path in a console program on the server.

It is important for the reporting server that its user has read+write permissions to every file and additional execute permissions for directories. The owner of each file and directory should be the user the reporting server is executed with.

You can find out the respective user using ps aux | grep java .

A server restart is required after these changes were made.

Version 16.0

Java 8 required

The i-net Designer and the i-net Clear Reports server now requires Java 8 as minimum version of the Java virtual machine. The i-net Clear Reports viewer requires Java 7.

64bit Java VM embedded

The report server use a 64bit Java VM. As the 32 bit and 64 bit preferences on Windows are stored on different locations it may be necessary to export the configuration using the older i-net Clear Reports version and import it using i-net Clear Reports version 16.

Version 15.0

WebServer plugin

The i-net Clear Reports web server was moved into a plug-in. Since plug-ins will be initialized automatically, the web server will start automatically, for example if the API was used. You need to remove the webserver plug-in if you embedd i-net Clear Reports instead of using it as report server.

64bit Java VM embedded on Windows

The setup and report server on Windows use a 64bit Java VM to install and use i-net Clear Reports. As the 32 bit and 64 bit preferences on Windows are stored on different locations it may be necessary to export the configuration using the older i-net Clear Reports version and import it using version 15.

Plugins

In the configuration manager dialog "Plugins" it is now possible to activate/deactivate plugins to extend or restrict the functionality of i-net Clear Reports. Some plugins are deactivated by default, e.g. Statistics and Scheduler.

Report Renderer Job

Version 23.4

Scheduler migration from version 16 and earlier : The automatic migration of Scheduler tasks from versions 16 and earlier is no longer supported. In order to keep all of your configured Scheduler tasks please install an intermediate version, such as v22.10, before updating to the desired version 23 or later.

Sample Reports Repository

Version 23.10

The Sample Reports Repository plugin replaces the sample reports, originally delivered with the installer.

Discord

Version 21.10

Any webhooks found in existing Task Planner Discord actions will be added to the central Discord Incoming Webhooks list in the configuration.

Field Settings

Version 24.4

Custom field of type "Selectable Values" with both options "Own Value" and "Multiple Values" activated are migrated to the option "Own Value". A combination of both options is not possible anymore.

HTML Engine

Version 24.4
The HTMLEngine is a core component of all our products. As such, it must be included in the plugins directory at all times; otherwise, the server will not start.

i-net CoWork

Version 22.4

Backups

Backups for MeetUp that were previously configured and used in maintenance are no longer compatible. CoWork must be activated again in the configured backup.

It is recommended to create fresh backups before and after each update.

System Core

Version 24.4

The minimum required Java version is Java 17.

Version 23.10

The version 23.10 is the last version that supports:

Java 11

Jakarta EE 8 application server

Servlet Specification 3.1

WebSocket 1.1

Version 23.4

The Docker Containers have been updated to run with a restricted user instead of the root users.

The new restricted users id and group id are 1000 .

Host mounted volumes have to be updated to reflect the new user and group id manually.

Host mounted volumes mount points of the users home directory have to be updated from /root to /home/<username> . The <username> is determined using the whois command in the container

Additional information is available from our FAQ: https://faq.inetsoftware.de/t/upgrading-to-user-restricted-docker-container/277

Web Server

Version 22.10

The Allowed Cross Origins option is renamed to Allowed Origins and performs additional checks on the server side when configured.

The external visible URL is also sent as allowed origin using the CORS header

Connections to the server (either HTTPs or WSs) are also checked against the list of allowed origins and the external visible URL

Plugin Changes

Version 24.4

The Crystal Reports 8.5 flag "Convert DateTime to Date" is no longer supported.

The Zxing barcode JavaBean supports the code GS1-Data-Matrix.

MariaDB Connector/J driver added.

Removed Support for ReportServletJP

The non-functioning export of JAR files, which also contained the Report Viewer, has been removed from the server.

Added dynamic update of available report renderer formats that can be selected as default rendering formats in the configuration.

New Java annotation '@DoNotOptimize' for user defined functions. This annotations prevents functions with constant parameters from beeing optimized and thus from beeing always called once. '@DoNotOptimize' should be used whenever a function manipulates data instead of just returning a value.

Fixed Bugs

In HTML (advanced) text there were problems with display:inline-block which could lead to unexpected breaks when rendering.

Version 23.10

Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.

Merging parameters of stored procedures with the same name in different catalog/schema is prevented.

The obsolete Datasource Property driverLibrary was removed.

In the HTML Viewer, using the search now allows to find more than 50 entries. Once the user went through all the entries to 50, another set of 50 entries will be searched in the the report.

The conversion "To SQL" in the database wizard now also supports "SQL expression fields" used in formula fields.

Several configuration settings for the XLS output format were used only after a server restart.

Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.

The HTML Viewer modified the line spacing incorrectly to calculate font auto scaling options.

The date and time data type detector accepts only years in the range 0 to 9999 as valid dates for JSON and XML data sources.

Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.

Wrong value for tag ConformanceLevel error occurred when the FacturX profile BASIC WL or EN 16931 was used.

XML data sources duplicated content if the XML file contained a & encoded as & .

Regression: It was not possible to open a report using file: key URL parameter, e.g. https://servername:port/file:/<path>/<reportfile>.rpt .

When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.

Performance of SQL generation with complex formulas for grouping and sorting improved.

NULL values of the Show Value formula will be ignored now and not be rendered as 'NULL' string.

Fixed various issues related to standard and custom number formatting in export format XLSX.

Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer

A stack overflow error was produced in the HTML Viewer when setting an incompatible default zoom and opening a subreport.

Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.

Version 22.10

The rendering output format Microsoft Word (*.docx) is now supported

Improved image quality in PDF output format if it is not saved in JPEG or PNG format in the report template.

The rendering output format JSON is now supported

Rendering text as HTML-Advanced output does not embed images anymore, but downloads and references them. The HMTL-Viewer supports these images even for URLs referenced in the inlined css, e.g. for background images.

Comments on MySQL table columns are no longer used as column alias.

Improved performance of date/time parsing functions date/time and datetime in formula

Continuous Stacked Bar Chart is now supported

ShowValue can now display a value from a formula on simple chart types.

Images in HTML-advanced fields are stored as separate files instead of inlined data when exporting to HTML

Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.

Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.

MariaDB has been added to the supported data sources. It is necessary to add the driver MariaDB Connector/J.

Section with enabled "Print at Bottom of Page" was not printed at the end of the page if HTML output format was used and the page before this section was empty.

Sorting of fields did not work in HTML viewer

Under certain circumstances, narrow blank table rows occurred in XLSX and ODS export when the report contained horizontal lines near other fields and they were not correctly rasterized.

Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer

A stack overflow error was produced in the HTML Viewer when setting an incompatible default zoom and opening a subreport.

Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.

Wrong value for tag ConformanceLevel error occurred when the FacturX profile BASIC WL or EN 16931 was used.

When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.

Version 22.4

Font replacement improved for 'HTML advanced' formatted text. The replacement works on character-level now, just like in other text types

TotalPageCount is evaluatable in a trigger function

Improvement of continuous charts

added support for markers

consider line style "None" to only show markers

added support for combining of continuous charts with XY charts

Fixed a NullPointerException printed to the console when logging is disabled

Version 21.10

Word break was improved for a more natural text flow

The alignment value of a field will now be applied in case of text interpretation 'HTML-advanced' as well

New output format added: Email. It is a simple HTML format. A single file format that can be used as email body. It can be triggered with the URL parameter: init=email

Formula function AddAttachment(String,Binary) added. It can be used to add embbedded files to PDF output format

Support for WebP images and other image formats added. The plugin "ImageIO Extension" is required. It can be installed using the plugin store

PDF export: Character replacing for embbeded fonts containing character which are in code blocks which are not in the code block list of the font

Reuse of images when exporting an embedded PDF to PDF, reduces the overall file size

Images in HTML content will no longer be down scaled for printing. This will result in a better resolution for images in exports (e.g. PDF) but may cause a larger file size

Formula expression result added as placeholder in result actions. It can be used to return a single value from the report to the task planner which can then be used using the [report.formula] placeholder

NoClassDefFoundError: Could not initialize class com.inet.cache.internal.MemoryObserver - occurred with OpenWebStart

Set a custom product title for external representation

Add WebAPI /api/reporting/report/render endpoint to render reports using Token Authentication

Continuous Numeric Category Axis can now also be set to logarithmic

Use the correct database row for inlined fields in crosstab labels such as the total labels

Support for exporting CSV files larger 2 GB added (format csv and data)

Add support for stored procedures for PostgreSQL

Comments on MySQL table columns are no longer used as column alias.

Support for the decimal separator of a user-defined number format in XLSX format

Transparent objects that are not visible are now ignored and no longer displayed visibly during PDF/A export.

Regression: when using the Oracle Thin driver, no database columns were found anymore in stored procedures.

Fixed the loss of datasources after a BackingStoreException in Preferences.sync()

Fixed the gray background that occurred when printing from HTML viewer

Fixed a NullPointerException printed to the console when logging is disabled

Fixed java.lang.IllegalArgumentException: Comparison method violates its general contract! that occurred when searching in the viewer

Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.

When a subreport was moved to the next page to handle a 'keep-together' flag, lines and boxes across multiple sections within the subreports began at the top position.

Version 21.4

PDF export: The rendering time is used as creation time of the PDF file. In earlier versions it was the creation time of the rpt template

The XLSX / ODS export creates fewer very small columns. This can cause problems if the report elements are not very well aligned and also very tightly designed

Embedded fonts preserved the original font family name now. This can result in a different printing output (print job size) via Java report viewer client if the same font is installed on the client system

Jpeg2000 encoded images supported

Font replacement improved for PDF reports if enabled

Perfomance of DatabaseMetaData.getTables() improved

HTML export:

New implementation of HTML-Advanced in HTML-Export added. The result will now be fixed by i-net Clear Reports, leaving less room for render differences in the client browser

XLSX / ODS export:

Cell-Distribution of output formats XLSX and ODS completely rewritten

For compounds reports with URL parameter "reports" the table sheets in ODS/XLSX use the title of the underlying rpt file. In older versions the title of the first rpt file was used

Web API : Upload and verification of a single or multiple file resources into the repository enabled

Apache Cassandra database supported as datasource. The CQL (Cassandra Query Language) can be used to fetch data

MongoDB database supported as datasource

Perfomance of DatabaseMetaData.getTables() improved

Weblog datasource added

It is possible to upload and verify a single or multiple file resources into the repository using Web API

A report (engine) can be printed to a local printer using .NET API

Private key authentication to Task Planner FTP tasks added

Some PDF files embedded in the report are incorrect displayed in the PDF export. Depending of the structure of the embedded PDF file some images can be replaces with other images of the same PDF document

ClassCastException in Maintenance with MongoDB persistence occurred

Rendering issues occurred in the "Options | i-net Clear Reports". The "i-net Clear Reports" icon was missing and the dialog "Manage configurations" was not displayed correctly

Prompt request dialog did not work in the report repository when using a guest account

Security Fixes

The default value of the "Allow unknown Data Sources" setting (key permission.allowunknowndatasource) has been changed from "true" to "false".

Security Update for CVE-2024-1597

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

Version 23.4

Added Markdown text interpretation in the CommonMark and i-net CoWork flavors.

PostgreSQL version updated because of CVE-2020-13692

Version 20.10

Performance improved when embedding large font files

Date formats with regional settings (e.g. en-UK) supported in prompt dialog

Improved compatibility for old save states with dataviews

New notifications are now directly shown in the web client when the OS notifications are disabled or not possible

SameSite=Lax Attribute set for login cookies

Changes of heap memory, language, country and VM arguments will work with a server restart from the web interface. Before a service restart was required

Web applications can now be installed as Progressive Web App (PWA)

Note added to configuration property "Restrict Permissions" in dialog "User & Groups" because when global permissions are not restricted then all users have administrative access!

Diagnostics now show cache memory usage

Maintenance: It is now possible to restore backups that were not made with the current version. The backup is checked for whether it is compatible with the current version, and if so, it is able to be restored

Changed AdHoc default render format in the WebGUI to PNG for a lossless result

Use the correct database row for inlined fields in crosstab labels such as the total labels

ToWords formula function for Hungarian language adds a space as thousands separator

Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines

Use getColumnLabel() instead getColumnName() for DB2 driver version 4 and later. This has an effect for a SQL command with "AS" keywords on columns

HTML Report Viewer

Prompt dialog is pre-filled with first default prompt values

Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines

Print preview was empty if the "HTML Viewer Module Toolbar" plugin was enabled

Values of defaultzoom parameter changed to PAGE_FIT, PAGE_WIDTH and PAGE_HEIGHT

The HTML report viewer group tree supports several new actions: the tree can be closed using a toggle button, it can be resized by dragging the divider. Entries in the group tree can be expanded and collapsed (default) using a triangle button in front of every entry. The width and visibility of the group tree is being saved in the browser for later sessions

Remote Printing plugin added as an print option to print the current report on the server

Reports that required a prompt does not open properly in the Internet Explorer 11 after the prompt request dialog was closed

The HTML Report Viewer will now export reports with more than 100 pages to PDF instead of printing them using the browser function

If a report page can not be found in the HTML Viewer after refreshing the report (out of range error), the last page of the report will be opened. The viewer will be blocked until the report finishes rendering

CSV export from the HTML Viewer with custom delimiters set to 'Other' or 'Fixed column width' did not work

Prompt parameter value was decoded. This was problematic for PropertyChecker implementations

"Uncaught URIError: URI malformed" or "URIError: malformed URI sequence" occurred if group tree node contains special character like '%' and drill down was used on this node

Image size increases because original image data was not used

Export format "HTML.ZIP" was not available if not all export formats allowed for this report

Additionaly to the percent value the following values are now possible: "Fit Screen",​ "Page Height"​ or "Page Width"

Prompt parameters were double-encoded.

Export format "HTML.ZIP" was not available if not all export formats allowed for this report

Additionaly to the percent value the following values are now possible: "Fit Screen",​ "Page Height"​ or "Page Width"

Prompt parameters were double-encoded

HTML report viewer does not use embed fonts to get font metrics

"Uncaught URIError: URI malformed" or "URIError: malformed URI sequence" occurred if group tree node contains special character like '%' and drill down was used on this node

Fix for Microsoft IE/Edge browser: Disable endless mode while rendering the report; Show Mouse-Not-Allowed for disabled menu entries.

The jump position for search results and the group tree has been calculated wrongly when the report viewer page was scaled/zoomed in.

The HTML report viewer can be customized via plugins. See the HTML viewer programming guide for details.

Lines beginning on page 2 and going through multiple sections where missing in HTML viewer if the report contains an "N of M" element.

Version 15.1

ZxingBarCodes JavaBean now supports "Format" property to create for example Barcode EAN-128 (GS1-128).

DateDiff formula function now supports TIME value.

Editable RTF export: Background color for text elements supported. Lines and boxes are not supported in this format.

For compatibility level <= 8, the default of summary fields is now zero instead of null. This was the original default in these versions.

Saves the zoom level so that it can be set again after a reload.

In the HTML prompt dialog, manually entering a 2-digit year (e.g. 14) interpreted the year as 0014.

Subreport position was incorrect if the page contains a watermark and therefore "Underlay following section" was enabled for the page header.

HTML prompt dialog was not displayed in Microsoft Edge browser on Windows 10.

Lines crossing multiple sections where missing on page 2 and the following pages if the report contains an "Page N of M" element.

CSV export if requested - was DATA though CSV has been set.

Multiple page formats in the HTML report viewer and other export formats supported when using multiple reports.

XLSX export added to export dialog.

Introduce permanent link to the export menu of the HTML VIewer. It allows copying the current export configuration. The button can be displayed via report URL parameter.

The HTML report viewer supports Form Authentication within the viewer itself instead of before the viewer is being displayed.

IPv6 supported.

Timezone support added to HTML report viewer. This is only supported by the Chrome browser currently.

Subreport position in section with enabled "Underlay Following Section" was incorrect.

Depending on the used browser, one of the following errors has occurred: "TypeError: k.elementStyle is not a function" or "Object doesn't support property or method 'elementStyle'".

Fixed Bugs

Exception "java.lang.IllegalStateException" with message "Not valid for write: id=..." occurred

Error occurred with expired session: IllegalStateException: Invalid for read: id=xxx created=xxx accessed=xxx lastaccessed=xxx maxInactiveMs=xxx expiry=xxx

PDF export: Character replacement for embbeded fonts improved containing characters which are in code blocks which are not in the code block list of the font

Regression in Diagnostics occurred because of that only the first 8 entries in list was show because the pagination was broken

ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used

OutOfMemory or ReportCache errors occurred because of problems with false positive low memory detection. The log output contains the warning: "There was a low memory situation and possibly some jobs were canceled." and maybe other subsequent errors

It was not possible to login if a localhost URL was used in Chrome browser to open the web interface

Access to the repository with Login using WebDav has not worked on Windows

Wrong PDF signature configuration leads to a failed designer start

WebDav access to the report repository has not worked on Windows. No login was requested

Temporary errors (Extenal visible URL '...' was not validated) occurred during validation of Private Cloud License

PDF export: IndexOutOfBoundsException and NullPointerException occurred with embedded OpenType font

Chinese content was not aligned well on right side if Justified was used

PDF export:

Chinese characters were missing because of a bug with word wrapping that was wider than the field, surrogate characters and font replacement.

IllegalStateException occurred with message Unknown operation: com.inet.report.renderer.doc.controller.bk@0 if:

subreport contains TotalPageCount and the last instance of the subreport has no rows

harddisk cache was used

XLSX / ODS export: Exception "java.lang.IllegalArgumentException with message x2 must not less than x1" occurred if the report contains a crosstab

XLSX / ODS export: Percentage number was incorrectly displayed (multipled by 100)

Rare rounding error occurred when reducing the scale of a number by more than 9 digits in a formula function

Patches the SQL command to query the metadata (column names) was wrong if the SQL statement contains strings which contains brackets, e.g. REPLACE(A.FIELD,'；)',')') . In this case WHERE 1=0 was added after the ORDER BY clause

Oracle table source identifier with a package name will be always used as name of a stored procedure and never as name of a table. This makes it possible to use the same name for a package stored procedure and a table

Drawing operations in subreports (e.g. bullets in HTML) did not restore the context in the output format for the JavaViewer, such as colors. Which leads to incorrect colors in the report.

i-net Designer

The following errors occurred sometimes in Remote Designer when opening a report from the repository: "No repository configuration found for file: "...rpt"" and "Not authorized. Please check your permissions and restart the Designer if applicable.".

It was not possible to edit a 3D Chart because the properties dialog does not open

Wrong PDF signature configuration leads to a failed designer start

The error " HTTP ERROR 400 Duplicate valid session cookies " occurred with remote designer

Error "cannot access class sun.print.SunAlternateMedia" occurred in the Remote Designer used with Java 9

Support for the Windows setting "Large Fonts" in the i-net Designer added if it is used with Java 9

Now the user formula can be named the same as Property Formulas

Remote i-net Designer requires the adhoc plugin

The Remote Designer now supports the JNLP protocol for a direct start of the JNLP file. The HTTP URL stays available as fallback link

Exception com.inet.cache.internal.CacheLoadException occurred on Unix if there are 2 instances running

Incorrect error markers occurred in problem finder. This error only occurred for formulas that were using a 'user defined function' when loading a report from the repository

Fixed the error "cannot access class sun.print.SunAlternateMedia" in the Remote Designer with Java 9

NullPointerException occurred if a condition in if then operator was not true

In case of a long list of system fonts the i-net Designer needed a long time to start

NullPointerException with custom Look & Feel occurred

Hairline box without background was not printed in the Java output (report preview)

Problem Finder does not warn if all Page Header sections together are longer than a page but "Underlay Following Section" is activated for one of the Page Header sections

NoSuchMethodError: com.inet.viewer.ViewerUtils.c() occurred if the remote Designer was started from i-net Clear Reports running in a servlet engine like Tomcat. In this case it was not possible to open a report or to create a new report

Version 16.4

Formula Editor: NullPointerException occurred if no values were set for parameter fields used in the formula

NoSuchMethodError: com.inet.viewer.ViewerUtils.c() occurred if the remote Designer was started from i-net Clear Reports running in a servlet engine like Tomcat. In this case it was not possible to open a report or to create a new report

Report Error [217] Unknown image format occurred while adding encoded HTML document.

It was not possible to add a MySQL stored procedure to the report in the i-net Designer.

NullPointerException occurred while opening old rpt file with enable "Customize Groupname" and "Use Formula Value" but no specified formula.

Because of bug in multicast DNS (mDNS) not all available report repository URLs were displayed in the drop down list in repository options if client or server has multiple network adapters.

Memory leak with property formulas occurred.

Copy & Paste of a formula element between two reports now also paste the formula if it does not exists in the target report.

Version 16.0

Support for placeholders in the SQL statement of the dynamic default values of parameter fields added.

RTF export: Background color for text elements in editable rtf supported.

PDF export: It is now possible to replace characters of not embedded fonts, used in report, with embedded fonts.

The static logging binder for Slf4j was extracted in a separate JAR file inetslf4j.jar.

The deprecated command "seac" for accented character is implemented in embedded CID fonts.

The report cache will be cleared after the (report) permissions have been changed.

Java Beans show the result of before reading property forumlas.

It is supported to set a row buffer greater than 999.

Parameter field with Dynamic (SQL) default values can use Cascading Parent also.

Stored Procedure is not executed before the parameter request dialog appear. This improves the performance of adding large stored procedures to the report.

Problem Finder rule that checks for an empty detail section modified. Multi-section-elements are now considered.

Structure of the i-net Clear Reports properties adapted to the structure of the remote configuration manager.

Parameter fields where requested in a loop in the Database Wizard, if the count of parameters in an SQL command was increased to 2 or more.

Row Buffer does not allow values greater than 999.

Refresh of stored procedures in the Database Wizard has not worked if the stored procedures does not accept Null parameters.

Problem Finder: Added rule to warn on multi-section elements which cannot be rendered because it starts in an "underlay following" section.

Alpha-numeric sorting is now available for interactive sorting and groups.

New rule added to the problem finder - giving a warning for identical overlapping elements (which can happen due to Copy & Paste).

Properties "Disable filtering" and "Disable sorting" removed from report property dialog. They will be displayed only if the properties are already set in the current report.

Parameter Properties: Double-click to add a default value for a range prompt - this opens the add range dialog.

Summary Field Properties: An enabled Evaluate "On Change Of" for a group field was modified to "For Each Record" if Reset "On Change Of" was enabled for any other field with the exception of groups after the report was reopened.

Although login type "Database Login" was set, the Database Wizard has not used this set connection.

If Nimbus Look & Feel was used and the i-net Designer was running with Java 8, then selected tree nodes disappeared on selection, and a popup was not displayed with the text color.

A disabled "Running Total" was not saved if "Evaluate - For Each Record" was enabled and "Reset - On change of" a field was enabled.

It was possible to delete crosstab sub elements without deleting the crosstab.

Database wizard:

It did not use the connection from a set LoginDatabase.

When prompts were used in SQL commands, they were not requested.

SQL Editor: OK button was not enabled because of invalid SQL statement.

GUI-lock occurred in the Report Wizard of the Remote Designer.

Summary dialog: Removing the running total flag from a summary field was not saved if there was a reset field.

Step-by-Step Tutorials were not displayed in Free Designer if it was used with Java 8.

The key of the translated text defined with formula function "TranslateFixed" was not listed in the Language Editor.

Version 14.1

Alpha-numeric sorting is now available for interactive sorting as well.

Login type "Database Authentication" added - use a database's authentication as an authentication method.

New warnings in case of null-check by =null and in case of confusion of = and := in Crystal-Syntax added.

Corporate Design guide added to the documentation.

Grouped Summary fields are now an error in the record selection formula since their value is undefined while filtering. Use them in the group selection instead.

Performance and stability improvements for reports with massive formula dependencies.

When PostgreSQL database is used and the quotesToLowerCase (Quote Database Identifier) property is set in datasource configuration, database identifiers are always quoted.

'Default Author' button added to category Summary in the Document Properties dialog.

Sort option to sort string fields by their alpha numeric value added to the Sort Records dialog.

Chart Properties: Property "Bar Spacing" added to the category "Plot Specific" of a bar chart.

Group Properties: Alpha-Numeric sorting of STRING fields can now be used for groups as well.

API method EmbeddedUtils.getSelectedEngine() added. It returns the current selected engine of the report. It may differ from getCurrentEngine, if a subreport is selected.

License exception with Report Data datasource occurred.

"Report file not found" exception occurred in Database Wizard when Report Data datasource was used.

Remote Designer: Deadlock with local saved reports could occur.

Authentication exception occurred, if the current user does not have the right to access a report from repository. A login box will now be displayed.

Empty binary prompts caused the report browser to hang.

The formatting functions CURRENTFIELDVALUE and DEFAULTATTRIBUTE were not displayed in the tree on the right side of the Formula Editor. They will be displayed if the current formula is a property formula.

Visual Database Wizard never used the set connection from LoginDatabase.

If the i-net Designer was running on Mac OSX and the Formula Editor was opened with the "New" button in the fields browser then it was sometimes not possible to edit formulas in the Formula Editor.

SQLException: "Method not supported from this layout driver" occurred if LayoutDatasource was used to create ad hoc reporting template in i-net Designer.

If Nimbus look&feel was used and the i-net Designer was running with Java 8 then selected tree nodes disappeared on selection.

The key of the translated text defined with formula function "TranslateFixed" was not listed in the Language Editor.

Fixed Bugs

NullPointerException occurred in case of nested user function calls in formulas

XLS export: "Suppress if Duplicated" does not suppress duplicate fields in some cases

Unhandled Exception "java.lang.InternalError" with message "couldn't create component peer" occurred with Java 8u152

Fix the error "Report Error [1401] Illegal argument for DATE sproc ..." with SP parameter of type DATE

RTF export:

Font names in font table should be written using an East-Asian character set encoding instead of unicode

Content on some text boxes not displayed completely if the text box contains a lot of text

Crosstab property "Suppress Row Labes" in "Group Options" does not work for more than one field in crosstab rows, if it is enabled for more than one field in crosstab rows

Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM

Only the end of a "Can Grow" field was displayed at the 2nd appearance of the field if the field has been continued on a second page

Patching the SQL command to query the metadata (column names) was wrong if the command contains function "listagg(...) within group ...". In this case "WHERE 1=0" was added to the listagg function

Italic text with right-aligned or justified was truncated on the right border of a text element.

XLSX export: If the property "New sheet per top-level group" was enabled then it could occur that an image was not displayed on a new sheet if it was not already displayed on the first sheet.

CSV and DATA export: UTF-8 BOM added.

Unknown operation error occurred if the report contains "Page N of M" or TotalPageCount not on the first page but on other pages and hard disk cache is used.

Java script injection was possible in the error handler.

"IllegalArgumentException: Invalid character found in the request target." occurred. To solve it username for StyleSheet URLs normalized.

PDF export: NullPointerException occurred during export in PDF/A format.

ORA-28040: No matching authentication protocol - occurred with Oracle 12c

It was not possible to open an .rpt file with a double click in the i-net Designer. The i-net Designer installer now register the .rpt extension correctly.

It was not possible to add ZxingBarCode JavaBean to a report because of missing files in "lib/beans" directory of i-net Designer installation.

Formula Editor: NullPointerException occurred if no values were set for parameter fields used in the formula.

It was not allowed to resize the render window in repository browser if Internet Explorer was used.

Version 16.2

Add class DocumentOutputStream to create rendered documents with fewer memory usage or write asynchrone.

Stored Procedure is not executed before the parameter request dialog appear. This improves the performance of adding large stored procedures to the report.

Add also pieces of WHERE from the Record Selection Formula if in addition to the joined tables there is an SQL Command.

NegativeArraySizeException occurred while parsing an BMP image. BMP images with top down line order now supported.

PDF export:

The choosen embedded font for supplementary code points was incorrect. Symbolic fonts like SansSerif were not replaced correctly.

Replacement of logical Fonts has not worked correctly if PDFA export was used.

Texts with supplementary characters can be now be exported in PDF format.

The following exception occurred if a certificate with IBM JavaVM was used: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available.

XLSX export:

Skip zero characters in XLSX output because this produce corrupt XLSX files.

The border of text elements was drawn with double line thickness.

The error "Data not found : page=1.html" has occurred sometimes.

A not blank section could be detected as blank section if:

the section properties "Suppress Blank Section" and "Keep Together" are enabled

the section contains only a subreport which Top position is not at the top of the section

the free space of the section above the subreport does not fit on the the previous page

Security Fixes

Critical Security Update for Help Plugin (CVE-2020-11431)

Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)

Fixed multiple XSS vulnerabilities (login was not required).

Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 16.3

Certificate from Let’s Encrypt certificate authority can be requested in the "Web Server" dialog.

API modifications

Added Classes:

AuthenticationProvider

RemoteWebUserInfo

WebUserInfo

Added Methods:

BarPlot.getBarMarginPercent()

BarPlot.setBarMarginPercent( double )

CrossTabBody.moveSummaryField(int,int)

The method signature of DesignerDataModel.openPropertyFormulaDialog changed. Now a property name and a flag to indicate a tristate is necessary.

HTML Viewer Print via PDF Plugin: Error occurred: Class Not Found: com.inet.htmlviewer.printpdf.HTMLViewerPrintViaPDFPlugin

Samples for PropertiesChecker and EngineFactory plugins added

API method CertificateInfo.getInstance, parameter keyStorePathOrUrl supports path or URL. Keystore file for signing PDF files can be set as URL

The C# implementation based on IKVM is deprecated. It was replaced with the ProcessBridge

Folder samplereports added. It contains the sample rpt files.

Security Fixes

Security Fix: Open Redirect Vulnerability occurred (CVE-2020-28150)

Security Fix: Jetty CVE-2020-27216

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability

Possible JavaScript injections prevented

Security Fix for CVE-2020-13692

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE

Version 20.4

User defined functions can now be used in the record selection to be executed on the database. This requires all parameters of the function call to be constants or prompt fields

Improved cell distribution for crosstabs in ODS and XLSX format

Login of Members of Windows group Guest is possible

Fixed Bugs

Zero value displayed with sign (-0) if the result was from a negation in a formula

Error "Report Error [1401] Illegal argument for DATE sproc ..." occurred with SP parameter of type DATE

Arabic text in text export truncated

Security Bug: Improved security to prevent 'efail' attacks. Image URLs need to be valid in text interpretation "Advanced HTML"

Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM

Overlapping fields in Ad-Hoc reports with sums in group footers occurred

Truncated Arabic text occurred in text export

Orignal SQLException was hidden by TransferException

Task Planner

Use the client time zone (if available) to display the next execution times

Placeholder from some triggers was added

A task can be executed parallel multiple times now

XML export added to the task planner

Prompt values added as placeholder that can be used for example for report name or in email action.

It is now supported to set "Delete previous results after X days" for a file action. With this property it is possible for example to delete old backups

Error message improved if the Engine Cache Timeout occurs. In earlier versions an ArrayIndexOutOfBoundsException occurred

Permissions for the task planner can be set via groups now. The task owner must login once after the update to activate this

All default values of a prompt parameter will be set if the prompt field supports multiple values on new report jobs

Task Planner rights can be set via group rights in "Users and Groups" app

It is possible to export/import a task using Web API

Sorting and grouping of tasks by owner was wrong

If a prompt field of a report supports "Multiple Values" then all default values of the prompt will be added to the array of values

Export Properties was missing in "Jobs" dialog "Report" for Excel and Open Document Spreadsheet

CSV export was missing

Problems in the task planner with the reporting cache occurred if a previous task execution has produced an error

It could occur that the TaskPlanner clean up the 'normal' user comparisons

Default values of Prompt fields were not read from the rpt file

NumberFormatException: For input string: "<long number>" occurred

Filename of CSV export with enabled "Data only" property and postscript export was wrong.

Fixed Bugs

Formatting was broken if alpha numeric sorting was used for a group

Use getColumnLabel() instead getColumnName() for DB2 JDBC driver version 4 and later. This has an effect for a SQL commands which use column alias ("AS" keywords on columns)

Hairline box without background was not printed in the Java output (report preview)

"Check Connection" in datasource properties was very slow with Oracle database version 12c release 2

Security Fixes

Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)

Fixed multiple XSS vulnerabilities (login was not required).

Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

The formula functions BytesFromFile and TextFromFile now limits access to files to prevent a path traversal for normal users. The file must be from a valid report location, and if it comes it from the file system then it must be from the same directory or subdirectory as the report itself

Version 19.2

The "External visible URL" being used for the EHLO command when connecting to an SMTP server

Any subdomain (like *.example.com) on "Allowed Cross Origins" supported

PDF export: Dejvu-Sans is used as default font for font embedding if no other font is available in the font path

Fix the recognition of value data types for JSON data sources if the source files contain white spaces

Null values in JSON data source supported

New data Sources will be saved in the new application scope now

The property "driverLibrary" has been removed from the list of properties for Data Sources. Additional drivers for databases have to be provided using the "lib" directory of the installation

Thai support for the formula function ToWords

Add Engine.SetData to the .NET process bridge

Persistence Repository implementation added

Benchmark for CPU and IO rating added in Maintenance application

Engine.SetData added to the .NET process bridge

Data Source Manager

The Data Source Manager has been reworked from the ground up and comes with an all-new Remote GUI interface. It now supports assigning datasource permissions to specific user groups

Completely new Data Source Manager Interface

New Data Sources will always be created in the Application Scope

Existing Data Sources in the former User/System/Temp/Session - Scopes will be readonly in the Remote GUI

Assigning user group permissions to datasources can be performed by users with the User Manager permission.

Data Sources can be exported individually using the cards menu and multiple Data Sources can be exported using Click and CTRL+Click / CMD+Click to select and then using the top menu " Export " Button

The Import (top menu → Add → Import) of Data Sources will always create the new Data Sources in the editable Application Scope

The former Scopes are available via API only. The Remote Interface only displays the indirectly using the "visibility" entry in the Data Source card

Default value of the property "Supports SQL92" in a new Oracle datasource is true now

For a new Oracle datasource the default value of the property "Supports SQL92" was false. Since Oracle version 9 it supports the SQL ANSI 92 syntax. Therefore the default value is true now

The datasource manager allows to enter a custom database/catalog name while still suggesting existing names

Cannot read property 'driver.group.basic' of undefined occurred if a datasource was saved without modifications

Fixed Bugs

Possible deadlock on startup occurred if a custom configuration was set via "clearreports.config" or "clearreports.configfile"

Permission check with Authentication Groups for logged in users was wrong

Multiple values in the property "Other VM Arguments" in configuration dialog "Web Server" were not supported

Rare rounding error occurred when the scale of a number was reduced by more than 9 digits in a formula function

Access to the repository with Login using WebDav has not worked on Windows

OutOfMemory or ReportCache errors occurred because of problems with false positive low memory detection. The log output contains the warning: "There was a low memory situation and possibly some jobs were canceled." and maybe other subsequent errors

Security issue "Cross-Site Scripting" occurred

Unknown operation: com.inet.report.renderer.doc.controller.bk@0 occurred with TotalPageCount (NofM) in subreports

Property RELOAD_ON_NEW_REQUEST does not work if there was no output format specified in the report URL

"java.io.NotSerializableException: com.inet.font.truetype.i" occurred if a font path was set and "Page NofM" or PageCount was used in very large reports. Because of that the server could hang

Regression occurred: Special field "current user" and the formula WebUserName returns the display name. Now it returns again the id of the user and not the display name

Embedded fonts used in PDF documents embedded in a sub report where missing in the created report

Layout of text in right to left fonts (Arabic, Hebrew) was wrong, if the text parts have different styles (bold, italic, etc.). It occurs in the output formats: PDF, PostScript, image and Java report viewer

Sorting in charts with 2 groups was incorrect if the first category value does not contains all series values of the chart. In this case the sorting of the series was incorrect

PDF export: Embedded fonts with glyphs in the range of 0xF000-0xF0FF were not dispalyed in PDF file

CSV export: Empty CSV export with encoding UTF8 opened with MS Excel. MS Excel shows the content "" in the first cell instead of a complete empty table

ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used

NullPointerException in debug mode if a plugin has no version information

Patching the SQL command to query the metadata (column names) was wrong if the command contains function listagg(...) within group ... . In this case WHERE 1=0 was added to the listagg function

XLSX / ODS export: Percentage number was incorrectly displayed (multipled by 100)

Patches the SQL command to query the metadata (column names) was wrong if the SQL statement contains strings which contains brackets, e.g. REPLACE(A.FIELD,'；)',')') . In this case WHERE 1=0 was added after the ORDER By clause

Break algorithm improved for Text Interpretation "HTML(advanced)" to prevent breaks in text lines

Oracle table source identifier with a package name will be always used as name of a stored procedure and never as name of a table. This makes it possible to use the same name for a package stored procedure and a table

IllegalStateException: REGISTER error occurred because a classloader loop occurred if the i-net Clear Reports libaries has been added to /lib directory

Layout of text in right to left fonts (Arabic, Hebrew) was wrong in the design view, if the text parts have different styles (bold, italic, etc.)

NullPointerException occurred when opening an rpt file with corrupt subreport, created by an older i-net Designer version

XLSX export: Line offset was wrong on third sheet if "New sheet per top level" was enabled

The automatic font scaling did not work as expected in Internet Explorer

Buttons to sort and filter task list not displayed if Task Planner list is very long

Report server was started with command line parameter "-importdatasource" or "-forceimportdatasource"

Configuration data lost if MongoDB was used for persistence with multiple report server instances

Synchronization of cached user data, groups, task planner, maintenance data between multiple nodes was incorrect if using database persistence (MongoDb, Redis)

Fix the recognition of value data types for JSON data sources if the source files contain white spaces

In Chrome browser it was not possible to save the PDF result of a report if it was already displayed in PDF viewer of the Chrome browser. The save prompt indicates ‘Save as type: All Files ( . )’ instead of PDF

Text export: Charset was set incorrectly

Property RELOAD_ON_NEW_REQUEST does not work if there was no output format specified in the report URL

NoSuchMethodError: 'void java.lang.SecurityManager.checkSystemClipboardAccess()' occurred if Java report viewer was use with Java 11

Hairline box without background was not printed in the Java output (report preview)

Version 19.0

Notification for low disk space added

Locale of the client is used for formatting in the prompt dialog, e.g. for date formatting

The webserver can be configured to send addtional header fields with HTTP responses to, e.g. enforce HSTS or provide custom server information to the web client

Users are no longer required to have Java installed separately anymore: the Designer now supports a protocol handler to open a locally installed i-net Designer instead of the JNLP variant

It is now supported to give users or user groups the permission (serverprint) to remotely print on specific printers connected to the server. Now each group can be set to only print on its own server / network printer

Multiple LDAP server on authentication supported as fallback

Account id of the user added to the "stored data" view

A master account will be created after a valid login using the master password even if the setting "Create new User" is deactivated

New feature "stay logged in". After login, each user will remain logged in until they log out. After 28 days, they will be automatically logged out. It is also possible to delete user sessions in the "User and Groups" module, if you have the permission to access this module

Login Sessions displayed in the User details

It is now supported to select a preconfigured datasource for a database series in the Task Planner. The user defined JDBC settings are still possible

Percent formatting in the XLSX export format was incorrect

Warning for required .NET Framework 3.5 removed

Configuration data lost if MongoDB was used for persistence with multiple report server instances

Infinite loop occurred when using report viewer in an iFrame

Version 18.1

Text export: Encoding of lines and boxes in text format improved

Repository events added to Event Log

XML Export added to the task planner

Endless loop with a multiple page (PDF) document in a dynamic image location occurred

Percent format in XLSX format shows 0%

FactoryConfigurationError: "Provider com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl not found" occurred

Postscript export: Images with 8 bit gray color are displayed incorrectly or postscript printer does not print it

IllegalStateException occurred with message "Unknown operation: com.inet.report.renderer.doc.controller.bk@0"

Security issue "Cross-Site Scripting" occurred

Rare rounding error occurred when the scale of a number was reduced by more than 9 digits in a formula function

ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used

Stacktrace of ReportError was displayed to the user

Reports that required a prompt does not open properly in the Internet Explorer 11 after the prompt request dialog was closed

Default zoom was too small if the report was exported in only one HTML page

Authentication on Repository failed if Remote Designer was started in Repository Browser

Hairline box without background was not printed in the Java output (report preview)

"NamingException: LDAP response read timed out" occurred if Windows Active Directory was used for authentication with a large number of groups

The following error has occurred in Internet Explorer while restoring a backup: "Object doesn't support property or method 'includes'"

Sorting and grouping of tasks by owner was wrong

Version 18.0

The JDBC-ODBC-Bridge now supports VARCHAR values larger 255 characters

Support for SSL certificate in PEM format added

The report URL parameter "reports" now supports XLSX and ODS. A new sheet will be created for each report

Userinfo (user:password) supported in the report URL parameter. It will be send as Basic authentication header

Support for XLSX and ODS format for multiple report file reports added

"Bean Data Source" removed because of security reasons

Option "Font Mapping" to replace fonts that are not embeddable for PDF files is enabled by default. The change will have direct impact on Font Path settings

Security Fixes

Critical Security Update for Help Plugin (CVE-2020-11431)

Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)

Fixed multiple XSS vulnerabilities (login was not required).

Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 19.1

A restart in the server interface triggers a restart of all nodes if database persistence (MongoDb, Redis) is used

Event log contains a "node" column if it runs with database persistence (MongoDb, Redis)

Let's Encrypt certificate requests now work with multiple server and database persistence

Default "Font Path" for PDF export and Java viewer added. The default font path contains DejaVu fonts for Monospaced, Sans Serif and Serif fonts. Font embedding of DejaVu fonts is enabled by default

Prompt dialog added to Task Planner

Report Repository

Reimplementation of the repository search using our own search engine

Java report viewer removed from the list of output formats because Java applets are not supported by most current browser versions

Configuration Manager

Function to activate a configuration temporarily removed

Property "Keystore File" for signing PDF files supports URL

Message "Configuration not available. Please reinstall the application" was displayed sometimes while the Configuration Manager web GUI was loading the configuration

Error "$rootScope.model.activeCategory is undefined" occurred after server restart

The max heap memory (-Xmx) for the Java VM running the report server can be set in the configuration manager dialog "Webserver". The default value is 1/4 of the RAM (for 32-bit it is 256 MB).

Keyboard usage for tables and lists in the configuration manager has been improved.

Increasing the security, stronger one-way encyption for the Master Password added.

To increase and simplify the configuration of i-net Clear Reports, the configuration manager has been redesigned and reimplemented. The assignment of properties to groups was improved. Also a "simple" and "advanced" view was introduced.

Simple / Advanced view added. Properties were divided in different views to simplify the configuration.

For a better understanding properties were partially move into other groups.

All available users and groups are displayed in the drop down box of category permissions.

The categories System Permissions and Report Permissions were combined into the category: Permissions. In the category Permissions it is now possible to specify which user and/or groups can execute all reports. The permissions for repository reports are specified in the Repository Browser.

Java Report Viewer

NullPointerException occurred if there was no default printer

ClassCastException with custom L&F occurred

The report viewer set a printer resolution only if Java 9 is used and no printer resolution was set. The bug was fixed in Java 10: https://bugs.openjdk.java.net/browse/JDK-8186987

In rare cases, reports could cause error messages in the report viewer if there were empty pieces of text.

Report Server

LDAP authentication: It was not possible to login with a user contained in an LDAP group with a group name (full Distiguished Name) longer than 100 characters

Version 17.1

The JAR file inetslf4j.jar was renamed into inetloggeradapter.jar. It also contains an adapter for Commons Logging

PDF export: JPEG images in EXIF format now supported

Memory improvements for images with image key

Date parsing order optimized to conform the modified date patterns in Java 9

Login Type "Internal Webserver" is also available if i-net Clear Reports is not running in an application server but if an login filter is used

Performance optimization for user expander formulas

Servlet

Servlet Spec was changed to version 3.1 and the class of the login servlet was changed to com.inet.authentication.LoginServlet

Fixed Bugs

Multiple issues with the Java 9 release candidate occurred

PDF export: Some bugs in PDF/A-1b export has been fixed

XLS / XLSX export:

Number property formulas were used although the Decimal number format was used instead of the user defined number format and the property formulas should be disabled. This could result for example in a wrong sign

Client timezone was ignored for date time values in the XLSX format

"Suppress if Duplicated" does not suppress duplicate fields in some cases

Percent format in XLSX format shows 0%

No cipher suite error with HTTPS connections occurred

Line height style was only used in first line of wrapped text, if Text Interpretation "HTML(advanced)" was used

Fix a bug with recursive table joins over multiple data sources (DS-A → DS-B → DS-A). The resulting error message was: "Report Error [1403] Error occurred while fetching data or while using data cache."

Unhandled Exception "java.lang.InternalError" with message "couldn't create component peer" occurred with Java 8u152

Clip/alignment of italic right align text with a large italic angle was wrong

Word breaking of Thai language in advanced HTML content was wrong. The correct behaviour requires the report locale set to be 'Thai'

Error "Report Error [1401] Illegal argument for DATE sproc ..." with SP parameter of type DATE occurred

Error "Could not create font with ID X" occurred if an OTF font was used and the property "Compress Viewer Fonts" in the Configuration Manager dialog "Font" was enabled

RTF export:

Font names in font table should be written using an East-Asian character set encoding instead of unicode

Content on some text boxes not displayed completely if the text box contains a lot of text

PDF export: Barcode font was too big

ArrayIndexOutOfBoundsException occurred if facename und familyname arrays have a different lenght

"The design of the crosstab is too large" occurred with a crosstab in a subreport

Currency symbol was displayed although the field was suppressed

If "Underlay Following Section" was enabled for a section in a subreport then it could occur that the subreport was moved to the report report page

If the URL used in BytesFromFile function returns an 404 error then "unknown image format" was displayed in executed report. In this case image will be shown as blank

Exception: "org.bouncycastle.asn1.pkcs.PrivateKeyInfo cannot be cast to org.bouncycastle.openssl.PEMKeyPair" occurred

Crosstab property "Suppress Row Labes" in "Group Options" does not work for more than one field in crosstab rows, if it is enabled for more than one field in crosstab rows

Fix problems when NofM and PageCount are used alone in a subreport and not in the main report and hard disk cache is enabled. This can lead to missing pages of the main report and the subreport will miss the output of NofM

Only the end of a "Can Grow" field was displayed at the 2nd appearance of the field if the field has been continued on a second page

If an embedded font have different font metrics as the system font with the same name and text interpretation "HTML(Advanced)" was used then the text layout could be broken

SVGDecoder does not work with Java 9 (or higher): ClassNotFoundException: org.w3c.dom.css.DOMImplementationCSS

PDF document was not displayed correctly in report

Decimal number format in XLSX and ODS output format was 0 instead of the correct number

Fonts of an PDF document embedded in sub report were missing

Security issue "Cross-Site Scripting" occurred

ORA-01000: maximum open cursors exceeded - occurred if Oracle JDBC driver was used

Repository

MIME type mismatch via SSL connection with strict MIME type checking for Echo2 Modules like Repository Browser

Permissions in repository browser changed: Files and folders are now visible if the user have the execution right for this folder. Permissions are inherited to sub folders and can be overwritten in a sub folder.

Web Interface

java.lang.NullPointerException occurred while opening file chooser

Security Fixes

Critical Security Update for Help Plugin (CVE-2020-11431)

Fixed XXE vulnerability for authenticated users with privileges to ad-hoc reporting or remote designer (CVE-2020-12684)

Fixed multiple XSS vulnerabilities (login was not required).

Fixed a path traversal vulnerability which allowed access to files within the installation folder and its sub-folders

Version 17.0

Fixed Bugs

ORA-28040: No matching authentication protocol - occurred with Oracle 12c

The current execution of the formula "x" was aborted due to a null value

Directory Plugins and lib not found if UNC path was used with Java 8

Scheduler

NeedPromptException occurred even though no prompt was needed.

Version 16.1

The cache for rendered reports was completely rewritten to prevent a large amount of sporadic errors and to improve the performance.

Includes performance improvements for large XLSX files.

Formula functions Ceiling, Floor, MRound and RoundUp added.

crossdomain.xml and robots.txt can be set in the configuration manager.

Includes memory improvements for reports containing "Page N of M" that take effect when a cache type other than memory cache is used.

Support for Surrogates/Supplementary characters (32 bit characters) added.

BOM (Byte Order Mark) added to text export if the encoding is UTF-8 so that text editors will correct display UTF-8 characters.

Link "Configure Scheduler now" has been removed from the scheduler GUI.

Text and attachments in emails sent by scheduler were in wrong order.

Version 15.0
The Java VM version 8 is embedded with i-net Designer and Report Server on Windows and Mac. It will be installed and used if no Java VM version 8 was found on the machine. During setup of the report server using the Custom installation type it is possible to install the i-net Clear Reports .NET API. This allows to embed i-net Clear Reports into an .NET application.

Report URL parameter "reports" added - the value should be multiple reports you want to render as one output, e.g. PDF-file. Separate each report by semi-colon.

XLSX export for newer Microsoft Excel versions added.

Webserver plugin added.

CHAR and NCHAR values are also truncated for dynamic prompt values.

Limited the number of threads used by the Jetty webserver on a high cpu count machine to prevent IllegalStateException: Insufficient max threads in ThreadPool .

The report URL will be resolved after checkProperties . This makes it easier to work with your own address space.

Jetty version updated to version 9.2.10.

It is now supported to embed OTF fonts in PDF export and Java report viewer.

The record selection formula is now divided into a part that is executable on the database and a part that is not executable on the database. The part that is executable on the database will be added to the Where clause of the SQL statement. The other part will be executed in the memory. In previous versions the complete record selection formula was executed in memory if a part of it was not executable on the database.

If both clearreports.config and clearreports.configfile are set in the web.xml file of the i-net Clear Reports servlet then clearreports.configfile is used as fallback only if the configuration in clearreports.config was not found.

The PHP Proxy has been removed. The Apache setup now requires the additional modules "rewrite", "proxy_http" and "headers" and uses the internal mechanism to forward requests via Apache to i-net Clear Reports.

Fixed Bugs

Image export: IllegalStateException occurred if printing was disabled for the exported report.

Date ranges were not always correctly localized.

Unicode characters like Polish characters were not encoded in ZxingBarCodes JavaBean. It encoded only iso_1 characters.

ClassNotFoundException occurred if the configuration contains a custom PropertyChecker.

XLSX and ODS export: NullPointerException occurred if the classpath contains the Woodstox Stax XML API.

Error "javax.xml.parsers.FactoryConfigurationError: Provider redirected. DocumentBuilderFactory not found" occurred if WildFly was used.

The "round" formula function has not always used ROUND_HALF_UP like documented.

In very rare cases the multiplication of large numbers or numbers with a large scale returns a wrong result.

Regressions:

The cursor of Oracle functions was not registered.

Duplicate Oracle procedures in the root and in a package of a schema were not found.

Data export: Suppressed fields were not refreshed.

ArrayStoreException occurred if a FormulaExpanderClass with a Binary parameters for functions was used.

In very rare cases the line chart has overwritten the border of the chart.

The following Ora4SQLException occurred if a stored procedure with Date type input parameter was added to a report: [OraDriver?] #14 Unknown or unsupported SQL type. <0>.

SocketException: Invalid argument occurred if only ipv4 is available (-Djava.net.preferIPv4Stack=true).

Special Field and formula function "ReportFile" has returned absolute report file URL. In case of http URL it returns the relative URL again.

IllegalStateException: PRE_INIT occurred if a JSP page is the first request after a restart of the report server.

Login box was displayed multiple times for the first user in application server if the login of the application server was used and the user has login in another program part first.

NullPointerException occurred if JsonData used as datasource.

CheckProperties methods in Sample.jsp are not called correctly.

JSON datasource: Quotes ignored. Therefore strings where interpreted as number.

Because of some bugs in the JSON-RPC implementation, it was not possible to use the library JSON-RPC 2.0.

OrderBy part of the SQL statement contains the result of a formula if the report was grouped by a formula.

"Can grow" text elements with field parts could end up incorrectly duplicating their data in a row if the data had caused a page break on the previous row of data.

Sometimes NullPointerException could occur after the 10 minutes timeout of the web API has occurred.

Add also pieces of WHERE from the Record Selection Formula if in addition to the joined tables there is an SQL Command.

NullPointerException occurred if only JSP or Cache API was used and the report name was not set with complete path.

NegativeArraySizeException occurred while parsing an BMP image. BMP images with top down line order now supported.

Prevent a double login box for the first user in the application server if you use the login of the application server and the user has already logged in in another program part.

The following exception occurred if a certificate with IBM JavaVM was used: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available.

XLSX export: Skip zero characters in XLSX output because this produce corrupt XLSX files.

NullPointerException occurred in case of nested user function calls in formulas.

Postscript export: Memory leak occurred with embedded font Arial Narrow.

XLS export: "Suppress if Duplicated" does not suppress duplicate fields in some cases.

Regression: Exception "Total Page Count not supported in this context" occurred while TotalPageCount was only used in a formula that was added to the report design.

Unhandled Exception "java.lang.InternalError" with message "couldn't create component peer" occurred with Java 8u152.

Changed Behavior

To prevent an OutOfMemoryError , the maximum number of errors in EngineState was limited to 10.

Formula ADD operation is now more strict: Strings can only be added to strings. Hidden internal type conversions are no longer possible.

Formula fields with evaluation time BeforeReading that are included in the record selection filter can be executed on the database even if they contain local variables.

For Oracle database, the column name will be used as column alias instead of comment.

Support for database functions of MySQL v5 and greater added.

When quotesToLowerCase (Quote Database Identifier) property is set in datasource configuration, database identifiers are always quoted.

It is now supported to use cascading parameters from different database tables.

The method Datasource.getConnection() has a call counter now. You need to call close() as many times as you call getConnection() . Otherwise you will have a connection leak. We recommend using the try-with-resources feature introduced in Java 7:

try( Connection conn = ds.getConnection() ) {
// some stuff
       
API Changes
        
Classes, methods and constants that had been set to deprecated in version 12 and older have been removed.
        
Added Classes or Interfaces: 
          
com.inet.report.EngineBundle
          
com.inet.report.database.fetch.DataCollector
          
com.inet.report.database.fetch.FetchTables
          
com.inet.report.formula.UserDefinedFunction
        
Added Methods: 
          
SwingViewerContext.SwingViewerContext(Component)
       
Deprecations
        
Report URL parameter sproc: You can use any of the prompt parameters in the report URL to set the parameter field value for a stored procedure instead.
        
Report URL parameter queryfile: If you have report files with query files then you need to migrate them so that they use a datasource.
       
WAR File
        
File initial_configuration.properties added. It can be modified and used to create the configuration of i-net Clear Reports servlet.
       
Setup
        
Report server setup will create a report repository for sample reports if no configuration exists from another installation. The samplereports directory will be created in the ProgramData directory.
       
Fixed Bugs
        
"Suppress Blank Section" has not worked correctly, if "Keep Together" was enabled for the same section. Problem occurred only if the dynamic content was on the bottom of the section.
        
Searching inside advanced HTML elements has not worked in i-net Designer preview and report viewer.
        
NullPointerException occurred if only JSP or Cache API was used and the report name was not set with complete path.
       
.NET Edition
        
The .NET libraries are part of the SDK that you can download from our website.
        
The .NET edition is not available anymore. During setup of the report server using the "Custom" installation type, it is possible to install the i-net Clear Reports .NET API with which it is possible to embed i-net Clear Reports into a .NET application.
       
Fixed Bugs
        
A summary field with enabled Running Total and with Evaluate "On Change Of" a group and Reset "On Change Of" any non-group field was not working correctly.
        
The required hard disk space on a restart was reduced through reusing of files.
        
The method engine.getDefaultSqlOfAllStatements(boolean leavePrompts) ignored the leavePrompts parameter.
        
In some export format, the height of a section was not increased even when it contained an image with enabled "Can Grow" property.
        
PDF form fields did not work correctly in subreports.
        
HTML export: 
          
Representation of developer edition labels was incorrect.
          
Text was not displayed after multi-column layout in subreport.
        
XLS export: ArrayIndexOutOfBoundsException occurred if an image in a section did not fit to a sheet. The section now starts on a new sheet.
        
ODS export: Depending on the used cell distribution and the report design, rows with height of 0 were added.
        
Cascading parameters were required to have the same value type as their parents which is not actually necessary.
        
There were multiple issues with setting the parent references of cascading parameters.
        
The report was not executed (The data source "xxx" is not defined.) if database connection was set programmatically using setConnection but the datasource on the report was designed does not exists on the server running the report engine.
        
NullPointerException occurred with XLSX and ODS export if the Woodstox Stax XML API was in the classpath.
        
The exception "SocketException: bad argument for IP_MULTICAST_IF2" occurred on Mac OSX if ethernet adapter "en0" was not available.
       
Installer
        
On Suse SLES and OpenSuse the following errors occurred during installation of the rpm package: 
          
daemonize is needed by clear-reports-server-16.0.225-1.noarch
          
initscripts is needed by clear-reports-server-16.0.225-1.noarch
       
Fixed Bugs
        
ODS export: Multiple white spaces has been ignored.
        
If the report server was started with "-Djava.net.preferIPv4Stack=true" then "java.net.SocketException?: Protocol family unavailable" occurred.
        
XLSX export: Performance improvements for large reports.
       
Plugins
        
Changed Remote Printing API plugin to support a global printing job list. Reworked UI for a better user experience.
       
Java report viewer
        
The design margins when printing via PrinterJobProgress API has been changed if the designed margins are smaller than the printable margins of the printer. Earlier this was done only in the print dialog.
        
Regression: If a report was rendered longer than 10 minutes then the error message "wrong mimetype text/html" has occurred.
        
Regression since version 15.0: The group tree contained a node more than once if there was not enough space for the group on the previous report page.
        
Characters in the chart legends or heading were missing if the chart was included in a subreport and an embedded font was used.
        
Subreport on Demand and Interactive Sorting does not work correctly with Java report viewer.
        
Java report viewer does not show a report if it is running with Java version 7.
        
NullPointerException occurred when adding a report view using API to the report viewer.
        
XLSX export added to export dialog.
        
It is now possible to switch between the prompts in the prompt request dialog using Ctrl+Alt+P (for Previous) and Ctrl+Alt+N (for Next).
        
Support Open Type Fonts.
        
Embedded multipage formats, like PDF, correctly displayed.
        
Font data for fonts with different styles are embedded only if the data differs.
        
If the Java report viewer was running at least with Java 7u65, then the printer properties dialog was not displayed after a click on the properties button in the print dialog.
        
Printer Properties dialog was not displayed since Java VM version 7u65. The printer property dialog will be displayed now immediately with Java version 7u65 or newer.
        
Characters were missing in charts legend.
        
It is now possible to switch between the prompts in the parameter request dialog using Ctrl+Alt+P and Ctrl+Alt+N.
        
If the Java report viewer was running at least with Java 7u65, then the printer properties dialog was not displayed after a click on the properties button in the print dialog.
       
Ad Hoc Reporting
        
IllegalArgumentException occurred if ad hoc reporting was used on a database repository.
        
Ad hoc dataview: "Formula Field not found" error occurred if the formula field was used only in the record selection formula of the ad hoc dataview.
        
"Cannot read property 'addEventListener'" occurred in ad hoc reporting.
        
Permission for 'Remote Designer' now includes (former) permissions for 'Remote Datasources' as well.
        
In ad hoc reporting the user is now allowed to use all ad hoc templates and ad hoc dataviews unless a repository is used as storage and report permissions are set in the report repository.
        
Excluding filter criteria in Ad Hoc reporting are now concatenated by AND instead of OR.
        
If a dataview name contains space(s) and it was saved in a database repository, then it was not available in Ad Hoc reporting.
        
Loading issue on remote Ad Hoc filter page occurred. If the same Ad Hoc report was loaded with different filter values, only the first filter value was used.
        
Ad Hoc reporting applet could not use ad hoc dataview if an database repository was used.
        
The following exception has occurred, if cascading prompts were used in Ad Hoc reporting: NoClassDefFoundError: com/google/gwt/user/server/rpc/RemoteServiceServlet.
       
Fixed Bugs
        
PDF export: 
          
A blank subreport with enabled "Suppress if Blank" property could hide the following data.
          
A blank subreport with enabled "Suppress if Blank" property could create an empty page.
        
Excel export: Cell distribution property was not used in subreports.
        
HTML export: If the property "Multiple HTML files" is disabled then only the first page of a multi-page report was displayed in the browser.
        
Charts: 
          
Bug with StackedBarCharts occured. It caused the total sum to appear only if the last or before-last series has a value in that column.
        
ReportServletJSP restored.
        
The i-net Clear Reports plugins were not loaded correctly if deployed in Tomcat 8.0.11.
        
Unicode problems occurred if the codepage of the Java VM was different to the codepage of the platform.
        
Restoring of Unicode data from the harddisk cache and database cache was wrong.
        
HTML prompt dialog: 
          
It did not open up for exporting a report in cases when a report contained a date range prompt with range default values.
          
Time prompts were not correctly handled.
          
Time prompts were not correctly checked for their limits if they had limits for allowed values.
          
If more than one sub-report had a prompt with the same prompt name, the HTML prompt dialog only set the value of the prompt from the first sub-report, causing the prompt dialog to re-appear when hitting Submit.
          
URL parameters setting prompt values were not always used correctly for setting up chosen values.
          
Date range values which included a limit for allowed values were not always correctly checked for the limit.
          
If a date prompt was set to "default values only", it still displayed a calendar button for choosing a date.
          
If a value was missing, then cascading sub-prompts were not correctly selected in the prompt tree in the HTML prompt dialog.
        
Database field and dynamic prompt field values with type CHAR or NCHAR were not truncated.
        
PDF form fields did not work correctly in subreports.
        
HTML export: 
          
Representation of developer edition labels was incorrect.
          
Page content was moved to the right side of the page, after an subreport.
        
NullPointerException in MemoryStream.writeUTF8(SourceFile:196) occurred.
        
Exception: "Protocol is not file: jndi:...rpt" occurred in a formula.
        
CurrentDate formula function has returned the current time as hidden value. If it was used for the calculation, then it could lead to false results.
        
Regression: If a report renders longer than 10 minutes an error message "Wrong Mime Type text/html" has occurred, if the Java report viewer was used.
        
The "round" formula function has not always used ROUND_HALF_UP like documented.
        
In very rare cases the multiplication of large numbers or numbers with a large scale returns a wrong result.
        
Data export: 
          
Suppressed fields were not refreshed.
        
Special Field and formula function "ReportFile" has returned absolute report file URL. In case of http URL it returns the relative URL again.
        
Formula function "truncate" has returned incorrect value because of internal rounding error.
        
NegativeArraySizeException occurred while parsing an BMP image. BMP images with top down line order now supported.
        
The following exception occurred if a certificate with IBM JavaVM was used: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available.
        
XLS export: 
          
Some different strings could not be distinguished, therefore instead of two different strings the same string was added two times to the XLS file.
        
Unhandled Exception "java.lang.InternalError" with message "couldn't create component peer" occurred with Java 8u152.
        
Sometimes NullPointerException could occur after the 10 minutes timeout of the web API has occurred.
       
Statistics
        
If the 'download' of a cached report causes a new cache-entry (because a different user already requested the same report or similar) then the download shows as 'Run report again' to make clear that the report will be rendered again.
        
Benchmark widget added. It can be used to test the server utilization and speed between client and server or server and database.
        
Category "System Dumps" added. It allows you to download a memory dump or thread dump of the report server.
       
HTML report viewer
        
A color picker for the background color of image export formats (only certain browsers) added.
        
The image export now supports RGB hex values as background colors (you have to properly encode the parameter).
        
Button to enable/disable promptonrefresh while displaying the report with prompt parameters added to the toolbar. It can be removed by using the report URL parameter "haspromptonrefresh=false".
        
Help tooltips added to the export dialog properties.
        
The report URL property "defaultzoom" is supported.
        
Depending on the used browser, one of the following errors has occurred: "TypeError: k.elementStyle is not a function" or "Object doesn't support property or method 'elementStyle'".
       
Remote Interface
        
The upload file dialog in the Repository Browser was optimized.
        
Statistics data are now stored in a Zip file to reduce disk space.
        
Remote statistics now have an option to set the maximum amount of data sets to load in order to keep the application responsive and smooth, especially useful for mobile clients.
        
Page 'Connection Pool' showing current database connections added to the statistics module.
        
The available groups and user will be displayed in the user/role drop down list in configuration manager categories system and report permissions if authentication type LDAP is used.
       
.Net Edition
        
IKVM updated to version 7.4.
      
i-net Designer
       
Version 24.4




    

       
Fixed Bugs
        
The designer could only open 2 files via drag & drop.
       
Version 23.4
        
The query timeout set via the Designer user interface was ignored.
        
Reports with special characters could not be opened via the repository browser in the Designer because of encoding problems.
        
Reports with special characters could not be opened via File->Reopen... because of encoding problems.
        
The following errors occurred sometimes in Remote Designer when opening a report from the repository: "No repository configuration found for file: "...rpt"" and "Not authorized. Please check your permissions and restart the Designer if applicable.".
        
The query timeout set via the Designer user interface was ignored.
        
NoClassDefFoundError: Could not initialize class com.inet.cache.internal.MemoryObserver - occurred with OpenWebStart
        
The query timeout set via the Designer user interface was ignored.
       
Security Fixes
        
The JNLP client could theoretically be sent another client's cookie at startup.
       
Version 22.10
        
The JNLP client could theoretically be sent another client's cookie at startup.
       
Version 21.10
        
The JNLP client could theoretically be sent another client's cookie at startup.
      
Report Renderer Job
       
Version 22.10
        
Fixed setting the password for exporting reports as encrypted PDF files.
      
Sample Reports Repository
       
Version 24.4
        
The samples will also be added to the Drive in addition to the deprecated repository.
       
Version 23.10
        
Initial release of the Sample Reports Plugin
        
This plugin contains several sample reports that will be put into a newly created repository.
        
If no repository was active, the newly created one will be activated. Otherwise the repository will only be created.
        
Note that the sample reports and repository will not be removed when deactivating or uninstalling the plugin.
      
Server Printing
       
Version 24.4
        
Added Remote Printing menu to the PDF Viewer.
       
Version 23.4
        
Directly printing a report now requires the URL parameter printNow=1.
        
Printer tray selection is supported. For Java 17, the command line parameter --add-exports=java.desktop/sun.print=ALL-UNNAMED is required. Command line parameter can be set in the configuration application in the advanced view.
       
Version 23.10
        
New Clear Reports formula function "gpt" which takes any string query as a parameter and returns the GPT response.
        
Added obfuscation to storage of OpenAI API Key in configuration.
        
HelpDesk spam filter capability (off by default) which can check incoming emails for whether GPT would categorize them as spam.
        
Anonymization of any telephone numbers and email addresses to avoid sending personally identifiable data to OpenAI.
      
Calendar
       
Version 24.4
       
Fixed Bugs
        
Setting up a calendar Task Planner trigger on repeating events that began in the past did not correctly compute the next execution time.
        
Calendar triggers with trigger times set to trigger after calendar events would not trigger for repeating events.
       
Version 23.4
        
Triggers can be set to start after events as opposed to only before them.
        
The calendar trigger automatically refreshes its events from the given calendar every 30 seconds.
        
Next task execution times filter out past potential execution times.
       
Version 22.10
        
There is a new calendar trigger that allows running Task Planner task with a time offset when an event occurs in the given ics or iCal file.
      
Collaboration
       
Version 22.10
       
Fixed Bugs
        
Improved the Server Status Command in regards to its CPU load calculation when the server is running on Windows.
       
Version 22.4
        
Added a new command serverstatus which displays server information such as version, CPU load, memory usage, and more.
      
Configuration
       
Version 21.4
       
Fixed Bugs
        
Unnecessary restart message occurred in the web server dialog of the configuration manager if the HTTP port was changed to not default and the HTTPS port is default
      
CoWork Calls
       
Version 24.4
        
The area of an active call can be opened in a new window if this function is supported by the browser. This window can be freely positioned and resized.
        
During a call, the own participant and those with a video (camera or screen sharing) have a context menu (to be called up with the right mouse button) to control actions. This applies, for example, to switching the camera or microphone on and off. For participants with a video stream, this can be pulled out as an overlay in supported browsers. This overlay can be freely positioned and resized.
       
Version 23.10
        
In the user settings, it can be enabled that the own status displays a phone icon on the user's avatar when the user is involved in a call in any channel.
       
Version 23.4
        
In the configuration you can set whether the audio and video connections are allowed to go through the public client connections or only through configured TURN servers.
       
Fixed Bugs
        
The CoWork Calls WebAPI ignored the preview mode option that prevents accidental execution of destructive operations.
       
Version 22.10
        
Improved the automatic reconnection of calls
        
Added option to set TURN servers which are responsible for negotiating audio and video call connections
        
The overlay of a call from another channel can now be moved to another corner of the window
        
Audio output improved when switching channels: no more interruptions
        
Sounds are played when another participant joins or leaves a call or raises the hand (configurable)
        
Optionally, the entering or leaving of a participant in a call can be announced by voice ( configurable)
        
Audio and video calls are automatically reconnected when the connection to the server is restored, or the page is reloaded by mistake
        
In the channel list, the participants of a call are now listed below the channel
        
The caller view and the call overlay have been further optimized
        
The available reactions within a call can now be defined in the configuration. If all emojis are removed, this feature will also be disabled
        
Layout improvements for calls in the Safari browser
        
Speech recognition when switching with a call to another channel
       
Version 22.4
        
Added support for voice and video calls
        
Allow screen share of multiple screens without participating in a voice call
        
Added support for muting and leaving calls using the WebAPI
      
CoWork Meeting Rooms
       
Version 23.4
        
The details like name, description and icon of meeting rooms can be changed by authorized users.
        
Users with the "Create Meeting Rooms" permission can add additional members to a room via the member list.
       
Version 22.10
        
With CoWork meeting rooms, temporary channels can be set up and external users can be invited. Many use cases such as external support, product demonstrations and the creation of temporary workgroups are possible.
      
DeepL
       
Version 23.10
        
Added obfuscation to storage of DeepL API Key in configuration.
      
Diagnostics
       
Version 23.10
        
The new Web Server Errors panel displays a graph of request errors logged by the server. All web server responses with a status code of 400 or higher are logged and displayed aggregated per day.
        
In the logging panel, the list of selectable threads has been reverse sorted. The log file can thus be filtered to the last up to 100 threads.
       
Fixed Bugs
        
Condition for free disk space returned the wrong boolean value.
       
Version 23.4




    

        
Condition for free disk space returned the wrong boolean value.
       
Version 22.10
        
Added support for a memory dump when running with an OpenJ9 Java VM.
        
Condition for free disk space returned the wrong boolean value.
       
Version 21.10
        
Condition for free disk space returned the wrong boolean value.
      
Discord
       
Version 22.4
       
Fixed Bugs
        
Fixed possible error message "accountID must not be null" in Discord configuration.
       
Version 21.10
        
Discord plugin in category "Task Planner" will be replaced by general Discord plugin. You can find it in Plugin Store category "Communication". If the old plugin was activated, the new one will be installed automatically by the setup
      
Drive
       
Version 24.4
       
Fixed Bugs
        
Sub-elements of paths were not updated when the parent element was renamed to reflect the new path.
      
Embedded Websites
       
Version 23.4
        
Added separate backup and restore option for Embedded Websites.
      
External CoWork Message Sending
       
Version 23.4
        
File results of a Task Planner task are optionally sent as an attachment with the CoWork message.
       
Fixed Bugs
        
Added a helpful link instead of an error message in the task planner dialog in case an external server hadn't been set yet.
      
Field Settings
       
Version 24.4
        
Dropped option "Own Value" + "Multiple Values" for custom fields of type "Selectable Values", only one of both is allowed.
       
Version 22.10
        
Added new Data Type "Date with Time" and "Time"
        
Added option "Ignore timezone" for "Date" and "Date with Time" in order to work with local dates
        
Label and description of predefined and user-defined fields can be translated into multiple languages via the Field Settings dialog
        
Added task in maintenance which will backup all user field settings with translations and custom fields.
      
FTP Transfer
       
Version 22.10
       
Fixed Bugs
        
When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.
       
Version 22.4
        
When using a relative target directory with multiple file results, the target directory was not reset. This resulted in the same directory structure being created for each additional file result within the previous one.
       
Version 24.4
        
In the diagnostic application, in the System Dumps section, there is a new option to export the SBOM in JSON format.
       
Version 23.4
        
Support for generating a Software-Bill-of-Materials JSON file using the server's ./well-known/sbom URL with an administrative user account.
       
Fixed Bugs
        
Release Notes were not displayed in the HelpCenter.
       
Version 22.10
        
Links that require another plugin to be enabled open the Plugins Store where the required plugin can be activated or loaded.
       
Version 21.10
        
PDF export was not possible from a help page accessed through an untrusted HTTP URL in the browser.
      
HTML Engine
       
Version 24.4
        
Initial Release of the JWebEngine as a plugin.
       
Version 23.10
        
Added placeholders to the HTTP trigger, that are filled by sending multiple optional "parameter" queries. that means, that you can extend the HTTP trigger URL with ?parameter=abc&parameter=def... to fill the placeholders.
       
Version 23.4
        
Added text area field for POST and PUT methods to allow directly sending JSON data with the request
       
Version 22.10
       
Fixed Bugs
        
Fixed access to trigger when set to be available for everyone
       
Version 22.4
        
Added option to add header entries to HTTP action
      
i-net CoWork
       
Version 24.4
        
If i-net CoWork runs within an i-net HelpDesk installation, a new ticket with the content of the message can be created with a menu entry at a message.
        
In the Google Chrome browser, the system's idle detection can be activated in the settings. The "Your device use" permission must then be granted in order to use the detection.
       
Version 23.10
        
Users can react to messages with emojis. The last five emojis are quickly accessible via the context menu.
        
The action "CoWork Online Status" of the Task Planner allows to change the status of the user by e.g. time triggers or CoWork commands.
        
Text files attached to messages get a preview with the first 10 lines. This can be expanded further to show up to 50KB of the file.
        
When pasting text into a new message, it will be added as an attachment if it is more than 4000 characters or 40 lines long.
        
Using the context menu, individual attachments of a message can be removed.
        
Horizontal lines and Markdown tables can be used in message texts.
        
The WebAPI returns reactions on messages and allows to toggle reactions for a logged in user.
        
The WebAPI returns an "Access Forbidden 403" status instead of "Access Denied 401" when a logged-in user does not have access to a team or channel.
        
The WebAPI allows to search for messages using the same syntax as the CoWork application.
       
Version 23.4
        
Scrolling of the messages improved
        
The user's online status is displayed at the messages and at the suggestions for mentions. Displaying the status on the individual messages can be deactivated in the settings.
        
In the menu of a message the user and the time of the message are shown.
        
It is possible to reply to messages. The user of the quoted message is automatically mentioned and gets a notification about the reply.
        
Messages, channels and users for direct messages can be found via the global search bar
        
Management of members of teams and channels has been changed: 
          
Formerly public channels (with no members specified) now have the "All Users" group as a member by default.
          
Teams and channels without members are no longer accessible to all users, now they can be accessed by no one
          
Channels can now be explicitly set to inherit members from the team. Alternatively, a custom selection can be made.
          
Groups no longer need to have CoWork permission explicitly set to be set for memberships. All groups are selectable.
        
Channels support uploading of custom icons
        
Videos will be played inline in the channel.
        
The color markers used to highlight new messages in channels can be set as follows: mentions only, all messages or completely disabled.
        
Using the "Copy Text" action in the context menu, the selected text or the entire text of a message can be copied.
        
In the "Emoji" dialog of the configuration interface, custom emoji can be added via SVG.
        
An extra page with details of logged-in users and created messages has been added for the diagnostic application. Other CoWork plugins can add additional information.
        
Automatic playback of gif animations and videos can be customized in the settings.
        
Links to web pages in messages additionally generate a preview with title, description and image if the web page contains appropriate Open Graph or Twitter metatags.
       
Version 22.10
        
Added support for the creation of temporary meeting rooms.
        
Added support for emoji
        
Integrated idle detection with a configurable delay. Will switch from online to away when absent
        
A marker is now displayed to indicate new messages
        
CoWork reconnects to the server without reloading the whole page
        
The Task Planner trigger "CoWork Command" is able to split the parameters into single values to be referenced via placeholder in jobs and actions
        
Drafts are saved per channel and also synchronize across multiple devices
        
Links in messages can be copied via a click in the context menu
        
Smaller thumbnails are generated for images. Attachments are cached in the client for up to 30 days.
        
Improved focus handling for touch devices
       
Version 22.4
        
Added link to the bottom of the message list to jump to the latest message with one click
        
Changed markdown editor to better support major browsers
        
Added Task Planner trigger to add CoWork commands that will execute a Task Planner task
        
Added Task Planner action to send a message in a specific channel
        
Redesign of members list in channel
        
Images can now be opened with a click as larger preview
        
Added badge to the task bar entry when there are unread messages
      
ImageIO Extension
       
Version 22.4
       
Security Fixes
        
Library update to fix CVE-2021-23792.
      
Mail Support
       
Version 24.4
        
PGP support added including the ability to use private keys with passphrases. Incoming encrypted emails can be decrypted using the private key, and outgoing emails to addresses whose public keys we have are encrypted. Public keys included in incoming emails are automatically imported.
       
Version 23.10
        
Added an advanced configuration property to determine which server name is being used for the EHLO mail command. When using a private network server alongside a public mail server, it may be necessary to provide a publicly determinable server name in order to avoid higher spam score values or potential rejection of emails by the mail server.
       
Version 23.4
        
Support for S/MIME signature and encryption of email messages
      
Maintenance
       
Version 23.10
        
Backups can be selected from the server, e.g. when they can not be uploaded in the web interface due to their size (>2GB).
       
Version 22.10
        
When changing data of multiple users at once, custom user fields which accept multiple values can now be set to multiple values instead of only one as before.
        
The User Accounts section of the Maintenance application allows to deactivate multiple users at the same time.
       
Fixed Bugs
        
Fixed a rare error that could occur when changing data of users on custom user fields whose keys were purely numbers.
       
Version 22.4
        
The User Accounts section of Maintenance allows to set user data for multiple users at the same time. This can be helpful for when entire departments or groups of users have changed addresses or other information.
       
Version 21.10
        
Problems with backup of large files from a database persistence (MongoDB, AzureCosmosDB) occurred
      
Microsoft Teams
       
Version 23.4
       
Fixed Bugs
        
Simple line breaks were incorrectly displayed in the browser version of MS Teams.
       
Version 22.10
        
Improved the configuration page to link to the store if the token authentication plugin needs to be installed.
        
The task planner template "Microsoft Teams" would incorrectly insert the server's URL if it did not end on a slash.
      
Notifications
       
Version 22.10
        
The default language for notifications created in the Configuration application is English. When opening and saving existing notifications, an automatic update of the default language is made in this dialog.
        
Notifications sent to the operating system require interaction from now on if the notification is critical. This feature is available only if it is supported by the browser and the operating system.
       
Version 22.4
        
Added support for Web-Push notifications. A hint is displayed when the browser requests permission to show the notifications.
       
Version 21.10
       
Fixed Bugs
        
Permanent notifications must be kept in the notification center, even though they are displayed by the operating system
      
OAuth / OpenID Authentication
       
Version 24.4
        
Added Sing in with Apple as authentication provider. Note: you have to be enrolled in the Apple Developer Program to set up the authentication connection.
       
Version 23.10
        
For Google and Microsoft Azure login the settings from the plugin oauth.connection can be used.
       
Version 23.4
        
Also imports the avatar for new users when they log in to Azure.
        
Also adds a system login for Azure and ADFS users so that users can be merged with a possible LDAP import.
       
Fixed Bugs
        
When logging in a new OAuth user, the metadata, such as email, last name, first name, and avatar were not applied. The user was displayed only with the ID, instead of a display name.
       
Version 22.10
        
When logging in a new OAuth user, the metadata, such as email, last name, first name, and avatar were not applied. The user was displayed only with the ID, instead of a display name.
       
Version 22.4
        
Added optional tenant for Microsoft Azure authentication.
      
OAuth Connections
       
Version 22.4
        
Added support for OAuth 2.0 authentication for emails for Office 365 (modern authentication) and Gmail.
      
PDF Viewer
       
Version 24.4
        
Initial Release of the PDF Viewer. The viewer can be used as a rendering format, much alike the HTML Viewer.
        
The viewer is called using init=pdfviewer when requesting a report. It will only be useful in an online browser when rendering reports.
        
The viewer takes care of loading the requested report, as well as handling prompt request.
        
It should be noted, that the viewer will display reports only when they have finished rendering. The state of loading the PDF is provided from the viewer.
        
PDFs displayed in the viewer can be saved and printed, if natively supported by your modern browser.
        
Using a prompt on refresh option you can modify the prompt input when reloading a report using the menu.
        
Report files with group information will render an outline on the left side. You can select an outline entry to jump to the page and section - which is highlighted. Clicking the entry again removes the highlight from the document.
        
A separate text search is not provided by the viewer, since the browser has a much more powerful search. However, you can select and copy highlighted text from the document.
       
Security Fixes
        
Security Update for CVE-2024-4367
          
If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.
      
Remote GUI
       
Version 24.4
        
If the product login is activated and users log in with the user name and password stored there, they can have a reset link sent to them in case they have forgotten their password. To do this, the user must have entered an e-mail address and e-mail dispatch must be configured on the server.
       
Fixed Bugs
        
Some HTML editor actions in dialogs could not be used in Firefox browser.
       
Version 23.10




    

        
Fixed data buffer length for ajax and websocket requests
        
Corrected timeout handling for websocket connections with broken VPN connections
       
Security Fixes
        
Security Update for CVE-2023-45818
          
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
        
Security Update for CVE-2023-48219
          
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. his vulnerability has been patched in TinyMCE versions 6.7.3 and 5.10.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
       
Version 23.4
        
Added magnifying glass icon in the search bar to increase the visibility of the search function.
        
In the company info dialog of the configuration, it is possible to set to whom the installation hint for the application as a PWA is displayed. Guests and other special user accounts never get the hint displayed.
       
Version 22.10
        
The search bar has been updated to use CodeMirror for better overall keyboard support
        
Upgraded library momentjs to version 2.29.4 due to CVE-2022-24785 and CVE-2022-31129
        
Upgraded library tinymce to version 5.10.2 to include latest bugfixes
       
Version 22.4
        
Optimization of the connection recovery from the browser to the server
       
Version 21.10
        
Moved file service check to temp folder instead of working directory
      
Script Authentication
       
Version 21.10
       
Fixed Bugs
        
Fixes badly formatted cookies sent to the login script.
      
Setup Wizard
       
Version 24.4
        
When execution of setup is required, it displays a banner for that in all applications.
       
Version 23.4
        
When installing on a drive other than C:\ (Windows) then the program data directory can be changed during the setup.
       
Version 22.4
        
Setup now works properly when updating a single or multiple plugins via the plugin store. Duplicate executions and confusing messages will be avoided.
        
When updating the product-core plugin, Setup now updates all updateable plugins from the store.
      
Statistics
       
Version 23.4
        
The event log backup job can optionally include previously archived event entries when using a file persistence.
       
Version 21.10
        
Date and time values now respect the client's time zone when displayed
        
Memory for user and reports now store 20,000 entries as maximum to limit memory consumption
      
Store
       
Version 24.4
        
Up to 5 teasers are displayed at the top of the store, which are automatically rotated through.
        
The description of plugins, as well as the changelog and migration information is added to the documentation in the help.
        
Setup will no longer update plugins automatically when only a minor update of the core product (i.e. 22.4.120 to 22.4.198) was performed.
       
Version 23.10
        
The store now shows a link to the full changelog and migration information history in the plugin details.
        
In the plugin changelog history you can select a specific version to jump to that section.
        
In the help, when opening the release information page, there is now a dropdown to select a version from which, up until the current one, the release changes are displayed.
       
Security Fixes
        
Plugin sideload is disabled if permissions are not restricted in the system.
       
Version 22.4
        
Allow navigating through screenshots with the cursor keys. Escape key will close the preview.
       
Version 21.10
        
The plugin store is new and replaces the configuration of the plugins in the configuration
        
New versions and features are requested from the public plugin store and can be installed
        
On future updates, the setup will automatically update all activated plugins from the store
      
SVG image embedding
       
Version 24.4
        
Added JSVG library to render SVG files, e.g. for report files.
        
Added compatibility level option for previous version 23.10 that allows to switch back to the Batik SVG renderer.
       
Version 23.10
        
Updated the internal Batik libraries to version 1.16.
       
Version 22.10
        
Updated the internal Batik libraries to version 1.14.
      
System Core
       
Version 24.4
        
The bundled Eclipse Temurin Java VM was updated to version 21.0.3.
        
Added support for Java version 22
       
Fixed Bugs
        
User search result entries will avoid displaying the same value in the top and bottom lines.
        
Fixes broken Digist authentication with Chrome browser.
        
Fixed a bug breaking the User Manager web interface if the country of the server is not valid.
        
Fixed a bug with searching digits and number data types which has produce the error: IllegalArgumentException: Empty left and right operand in search condition
        
Fixed a deadlock with OpenJ9 Java VM when starting the server via API.
        
Fixed embedded fonts for .NET viewer (error message: Could not create font with ID 1).
        
OAuth authentication (Azure) with Safari browser was not possible
        
Permission check for the WebAPI has not worked in connection with the default Windows Authentication
        
URL was wrong after signup with any OAuth authentication provider like Azure and if a reverse proxy (like default.aspx for IIS) was used
       
Security Fixes
        
Security Update for CVE-2024-30172
          
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
       
Version 23.10
        
When searching "Date field:<date", the day of the date is no longer included in the search result.
        
Added DynamoDB persistence property TablePrefix.
        
All web server responses with a status code of 400 or higher are stored in an additional event log. They can be checked with the statistics and diagnostics plugins.
        
The order of authentication providers without settings can be changed in the Configuration Manager.
        
Added security.txt configuration option. The content of this option will be sent to clients requesting the /.well-known/security.txt file.
        
The guest account no longer has administrative permissions for security reasons, even if there are no restrictions on permissions (systempermission.enabled=false). Administrative permissions of the guest account must be explicitly activated if required (guest.full.permissions=true).
        
Does not override the system property "javax.net.ssl.trustStoreType" if already set.
        
Security Update for CVE-2023-35116
          
An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
        
Security Update for CVE-2018-1002208
          
SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
        
Security Update for CVE-2021-32840
          
SharpZipLib is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
        
Security Update for CVE-2023-5072
          
Denial of Service in JSON-Java versions up to and including 20230618.  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. 
        
Security Update for CVE-2023-44487
          
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
        
Security Update for CVE-2023-22102
          
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
        
Security Update for CVE-2023-34062
          
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
          
Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.
        
Security Update for CVE-2024-25710
          
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
        
Security Update for CVE-2024-22201
          
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
        
Security Update for CVE-2023-51775
          
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
        
Security Update for CVE-2024-30172
          
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
       
Version 23.4
        
Eventlog entries are also written in Recovery Manager.
        
Configuration action in Login category added to reset authentication group members.
        
Security Update for CVE-2022-36033
          
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
        
Security Update for CVE-2020-13946
          
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
        
Security Update for CVE-2022-42003
          
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
        
Security Update for CVE-2022-31684
          
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
        
Security Update for CVE-2022-41946
          
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
        
Security Update for CVE-2021-37533
          
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
        
Security Update for CVE-2022-23494
          
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
        
Security Update for CVE-2022-41915
          
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.
        
Security Update for CVE-2023-22551
          
The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.
        
Security Update for CVE-2023-24998
          
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
        
Security Update for CVE-2022-45688
          
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
        
Security Update for CVE-2022-45688
          
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
        
Security Update for CVE-2024-30172
          
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
       
Version 22.10




    

        
Installer for macOS using Apple Silicon is available
        
The bundled Eclipse Temurin Java VM is version 17.0.6
        
Added support for DynamoDB persistence
        
Added support for the HTTP header Forward (RFC 7329) for use with reverse proxies.
        
Database Persistence accepts any configuration scope (USER or SYSTEM) and can also run as a non-root account.
        
Added option to disable the "Stay logged in" feature for all users.
        
Security Update for CVE-2020-36518
          
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
        
Security Update for CVE-2022-24823
          
Netty is an open-source, asynchronous event-driven network application framework. The package ''io.netty:netty-codec-http'' prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own ''java.io.tmpdir'' when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
        
Security Update for CVE-2021-23792
          
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
        
Security Update for CVE-2022-21363
          
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
        
Security Update for CVE-2020-11023
          
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
        
Security Update for CVE-2022-2191
          
In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
        
Security Update for CVE-2022-2047
          
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
        
Security Update for CVE-2022-31160
          
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling ''.checkboxradio( "refresh" )'' on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the ''label'' in a ''span''.
        
Security Update for CVE-2022-31197
          
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the ''java.sql.ResultRow.refreshRow()'' method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. '';'', could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the ''ResultSet.refreshRow()'' method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the ''refreshRow()'' method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as ''42.2.26'' and ''42.4.1''. Users are advised to upgrade. There are no known workarounds for this issue.
        
Security Update for CVE-2022-31129
          
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
        
Security Update for CVE-2022-36033
          
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including ''javascript:'' URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default ''SafeList.preserveRelativeLinks'' option is enabled, HTML including ''javascript:'' URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable ''SafeList.preserveRelativeLinks'', which will rewrite input URLs as absolute URLs - ensure an appropriate [[https:*developer.mozilla.org/en-US/docs/Web/HTTP/CSP|Content Security Policy]] is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
        
Security Update for CVE-2022-42003
          
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
        
Security Update for CVE-2022-31684
          
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
        
Security Update for CVE-2021-37533
          
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
        
Security Update for CVE-2022-23494
          
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
        
Security Update for CVE-2022-41915
          
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator) call, into a remove() call, and call add() in a loop over the iterator of values.
        
Security Update for CVE-2023-24998
          
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
       
Version 22.4
        
The bundled AdoptOpenJDK 17 was updated to Eclipse Temurin Java VM 17.0.4.1.
        
Two factor authentication supported.
        
Prevent side load of plugins for wrong application version.
        
It is now supported to use Web-Push notifications.
        
MeetUp has grown up, is called i-net CoWork and is now also available as a separate product.
        
Fixed a thread bug that allowed a user to run single requests in another users security context.
        
Security Update for CVE-2021-37136
          
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
        
Security Update for CVE-2021-37137
          
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
        
Security Update for CVE-2020-21913
          
International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.
        
Security Update for CVE-2021-4126
          
No information available.
        
Security Update for CVE-2021-43797
          
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
        
Security Update for CVE-2021-41182
          
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.
        
Security Update for CVE-2021-41183
          
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.
        
Security Update for CVE-2021-41184
          
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.
        
Security Update for CVE-2020-36518
          
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
        
Security Update for CVE-2022-24785 and CVE-2022-31129
          
Upgraded library momentjs to version 2.29.4.
       
Version 21.10




    

        
The bundled AdoptOpenJDK 11 was updated to version 11.0.15
        
Java 17 supported
        
Update of old versions is now limited. If you are using an unsupported old version, an update to an intermediate version is required
        
It is allowed to create a Let's Encrypt certificate with a callback to the HTTPS port. Problems with redirect to HTTPS and if the server runs only on HTTPS are solved
        
Added QR code to the error page, linking to a help page which may have further details
        
Different ports, configured in the configuration Web Server dialog, use different HTTP sessions
        
An error message occurred during setup if redirect to HTTPS is enabled
        
The plugins dialog in the configuration of the server was replaced by the Plugin Store
        
Fixed a thread bug that allowed a user to run single requests in another users security context.
        
Security Update for CVE-2021-29425
          
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like ''%%"//../foo", or "\..\foo"%%'', the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value
        
Security Update for CVE-2021-28165
          
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame
        
Security Update for CVE-2021-28169
          
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application
        
Security Update for CVE-2021-34428
          
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
        
Security Update for CVE-2021-21409
          
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final
        
Security Update for CVE-2021-31812
          
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions
        
Security Update for CVE-2021-36090
          
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package
        
Security Update for CVE-2021-35517
          
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package
        
Security Update for CVE-2021-37714
          
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes
       
Version 21.4
        
Memory management for systems with a large heap (>= 4 GB) was improved
        
The version number of plugins now consists of 3 parts
        
The plugin "Web Server Defender" added to protects against DoS and account hacking using brute force
        
The cookie attribute "SameSite" can now be set. The default value is Lax
        
Search bar and ticket views now also support an OR search with the keywords "or", "||" and "|"
        
Embedded web pages now also supports the linking (redirect) of web pages. Additional rights management based on "users and groups" memberships
        
Generic OpenID Connect (OIDC) authentication provider added
        
Azure OpenID Connect (OIDC) authentication provider added
        
Sample plugin for Custom OAuth provider added
        
Jetty version updated because of:
          
CVE-2020-27216
            
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability
          
CVE-2020-13956
            
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution
          
CVE-2020-27218
            
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request
          
CVE-2020-27223
            
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of &#8220;quality&#8221; (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values
        
*Guava version updated to 30.1 because of CVE-2020-8908** 
          
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured
        
Cron-utils updated to version 9.1.3 because of ​https://nvd.nist.gov/vuln/detail/CVE-2020-26238
        
Security Update for CVE-2020-1967
          
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f)
        
Security Update for CVE-2021-20328
          
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server&#8217;s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don&#8217;t use Field Level Encryption
      
Task Planner
       
Version 24.4
        
The file system action has been converted into a completely new "Save file" action, which now supports the integration of other sources, such as the Drive plugin.
        
The Move Ownership page in Maintenance now supports resetting the chosen settings on the page.
       
Fixed Bugs
        
In rare cases, the server could hang during setup when there were many different complex tasks.
       
Version 23.4
        
Adds the {initiator} placeholder to the server stop trigger, which contains the display name of the user who restarted the server.
        
Tasks executed using the /api/taskplanner/execute endpoint are temporarily stored for the user, allowing them to access them later. If the tasks are not accessed again via the WebAPI within 60 seconds, they will be automatically removed.
        
In the task planner maintenance section, it was not possible to move tasks away from deactivated users.
       
Version 22.10
        
The parallel execution of one and the same task is now in general allowed
        
Manually starting a task while it is running is now possible
        
PUBLIC-API: To distinguish between multiple executions the TaskEvent and HistoryEntry now contains executionID, a unique ID for the execution.
        
PUBLIC-API: TaskPlanner's execute-method now return a CompletableFuture to allow more control over actions after the execution.
        
PUBLIC-API: New method cancelTaskExecution(GUID,GUID,boolean) to cancel a single running execution of a task instead of all running executions.
        
Added Low Memory Trigger to notify administrators of this critical situation.
        
PUBLIC-API: TimeTriggerFactory's generic type is now Trigger as it can return different types of trigger: TimeTrigger and TimeTriggerForCustomSettings
        
Fixed loading of large lists of tasks in the UI
        
Fixed bug endlessly showing task as running with 0% or 100% progress although there was no execution.
        
The license check of the Reporting Plus license for the Task Planning application was incorrect.
        
The option custom in time triggers works correctly.
       
Version 22.4
        
Placeholders are grouped if they start with the same prefix
        
Added the option custom in time triggers.
        
A maintenance module is provided for batch moving Task Planner tasks from one user to another.
        
Fixed visibility of Task Planner triggers, jobs, and actions (based on a user's permissions) to be in sync with the visibility of help sections for these triggers, jobs, and actions.
       
Version 21.10
        
Long running tasks were sometimes displayed as 'INCOMPLETE'
        
Correction of identical file names in the file actions for multiple identical jobs with parameter placeholders in one task.
       
Version 21.4
        
New Task Planner Job added to determine the free disk space in the working directory, cache and persistence directories. A threshold for minimum available disk space can be defined to trigger actions when there is not enough disk space left
        
Triggering of time-trigger interval 'Two Weeks' was in wrong week at the beginning of a new year.
      
Themes
       
Version 24.4
        
Adding 7 new themes
       
Version 23.4
       
Fixed Bugs
        
Fixed spelling mistake in "Dark Forest" theme
       
Version 22.10
        
Removed experimental Material Blue theme
      
Token Authentication
       
Version 23.10
       
Fixed Bugs
        
When accessing the server using HMAC token authentication, the system failed to log the user token's last access time.
       
Version 21.10
        
Added Plugin "Token Authentication".
        
Enables Web API access using access tokens. It allows users to create access token as another means of authentication into their account - but with restricted access scopes.
        
Support added for HMAC token authentication like used from MS Teams
      
Two-Factor Authentication
       
Version 24.4
        
Two-factor authentication can be deactivated for certain server IP addresses.
       
Version 23.10
        
2FA emails are now sent to all stored email addresses of the user and not only to the first address.
       
Version 22.10
        
A second factor can be made mandatory in the login settings of the server configuration. If there is no second factor set for a user, it is required to be set up after a fresh login.
       
Version 22.4
        
Plugin added to support two factor authentication.
      
Users and Groups
       
Version 24.4
        
Before irrevocably deleting a user, an dynamic overview is shown of which types of data are connected to this user and will be gone if the deletion is performed.
       
Version 23.10
        
Added additional permission to read information from the Users and Groups Manager using the WebAPI. This allows read-only restricted access to search for users and return minimal information about them.
       
Version 23.4
        
Added Web API Extension for Users and Groups, that allows to search for either user or groups and display detail information about them.
       
Version 22.4
        
Added apply button to the edit dialog of a user or group. This allows to save the changes without closing the edit dialog.
        
The avatar of users can be changed in the users and groups application with a click on the avatar image of the selected user
       
Version 21.10
        
Per URL parameter s search phrases can now be passed to Users and Groups in the web interface
        
A new warning message appears when removing the last group member in a sub-group which will inherit memberships
        
In the preview it is possible to switch the view to show inherit entries for permissions, allowed actions and resources
        
Added a new label to allowed actions and permissions that tells if it is granted and if it is inherit
      
Web API
       
Version 22.10
        
Opened up the WebAPI UI to be available for public requests, such as the Task Planners HTTP trigger, allowing to run the trigger from the browser.
        
Added input field for the current URL, restricting editing to variable parts that require IDs
        
Added JSON area to send custom JSON to a request URL
        
Added selection for HTTP method and send key to re-submit the request
        
Added ability to remember ID-token in the current web API session and automatically fill them until page is refreshed
       
Version 21.10
        
Update of the permission handling to determine if a user has access to API endpoints
      
Web Server
       
Version 23.10
        
Added option the security section of the webserver configuration to control embedding the application using X-Frame-Options.
       
Version 23.4
       
Security Fixes
        
Security Update for CVE-2023-44487
          
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
       
Version 22.10
        
Added placeholders for start and expiration date of the HTTPS certificate that is currently being used. The placeholders can then be used in Task Planner actions.
        
Changed Jetty server from version 9.4.x to 10.0.x.
        
Added support for HTTP/2 protocol.
        
Allowed Cross Origins is now called Allowed Origins
        
If Allowed Origins is set, it will send CORS headers that also include the external visible URL. 
          
The server now checks that it is addressed using any of the given values from either the external visible URL or the Alowed Origins
          
The server checks HTTP/s as well as WS/s connections
       
Version 22.4
        
An optional web context of the web server can be set if the server should not run in the root context.
      
Windows Authentication
       
Version 24.4
        
Support for the Negotiate authentication protocol has been added. This means that Kerberos login is supported.