Release notes

RUNTIME-48 - SFlowNodeNotFoundException: Quartz’s Trigger associated to a Boundary timer does not get deleted when the process instance terminates

RUNTIME-1802 - Search fields don’t work when search term contain special characters

RUNTIME-1811 - "jaasAuthenticationService" and "authenticationService" beans not created if custom authentication service is configured

RUNTIME-1833 - SanitizerFilter removes html tags from HTTP payload

RUNTIME-1848 - ArchivedTasks filter on type is generating java.lang.ClassCastException

RUNTIME-1860 - Access Control panel is displayed in all subscription editions even when the feature is not active

RUNTIME-1884 - 'password' attribute silently removed from org.bonitasoft.engine.identity.impl.UserImpl class

STUDIO-4515 - NPE generated during project migration

RUNTIME-1824 - Filter on "caller" does not work when searching for ArchivedProcessInstance

RUNTIME-1828 - ArchivedProcessInstance are not deleted when not root process instances

RUNTIME-1832 - Initialize Keycloak CryptoIntegration to fix java.lang.RuntimeException: java.lang.IllegalStateException: Illegal state. Please init first before obtaining provider

RUNTIME-1833 - SanitizerFilter should be disabled by default to avoid data loss when updating. Please visit the HTML sanitizer filter article to evaluate the risks.

RUNTIME-1835 - SInvalidExpressionException generated when a parameter is used from within a groovy script

RUNTIME-1844 - Update tomcat to 9.0.87

CVE-62 - Regular Expression Denial of Service (ReDoS) in AngularJS (CVE-2024-21490)

CVE-63 - Upgrade Apache Tomcat version (fixing CVE-2024-24549)

RUNTIME-407 - Open Cases Administrator call API/bpm/case performance slowness in 2021.1-0617

RUNTIME-1816 - New sanitize filter makes payloads with "null" attribute values fail

RUNTIME-1818 - [Kerberos SSO] - IOException: conf/login.conf (No such file or directory)

RUNTIME-1820 - [SAML SSO]: Decrypt of encrypted assertion fails with error: java.lang.NoSuchMethodError: 'org.codehaus.stax2.ri.SingletonIterator org.codehaus.stax2.ri.SingletonIterator.create(java.lang.Object)'

RUNTIME-1821 - Docker image fails to start with JMX_REMOTE_ACCESS=true

CVE-56 - X-Frame-Options and Content-Security-Policy header is missing on some URLs.

RUNTIME-1725 - graphical issue with admin living app

RUNTIME-1802 - Search fields don’t work when search term contain special characters

RUNTIME-1811 - "jaasAuthenticationService" and "authenticationService" beans not created if custom authentication service is configured

CVE-58 - Some UI screens in administration panel have been secured against stored XSS attacks. We also introduced a backend input validation to prevent storing XSS attacks in the database.
We would like to thank both Tomas Castro Rojas and Mohammad A’mir for reporting this high severity issue to us.

UID-727 - Invalid js minification

STUDIO-4478 - BPMN Export text as CDATA

STUDIO-4483 - BonitaMarketplace: NPE generated in the log file when the HTTP response’s entity-body is empty

STUDIO-4490 - Exception at runtime: the Call activity is wrong in the process-design.xml generated

UID-723 - Update to 7.15: Web browser’s disk and memory caches break the product and custom pages

CVE-50 - Removing from the packaged maven repository an old vulnerable log4j library which wasn’t executed

RUNTIME-1733 - Update several dependencies

RUNTIME-1753 - ClientAbortException: java.io.IOException: Broken pipe errors in runtime logs

RUNTIME-1775 - Bad java modules permissions for Hazelcast

RUNTIME-1784 - REST API authorisation: renaming of 'process_categories' permission breaks permissions after update to 7.15 or 8.0

RUNTIME-1785 - OIDC SSO: "Basic" authentication header is encoded in 8-bit and is not compatible with some IdPs

CVE-4 - Path-relative style sheet import

RUNTIME-1642 - [Admin App][Process details] Visual glitch in the categories label

RUNTIME-1679 - We can’t set a timezone to bonita containers

RUNTIME-1713 - Apply debounce to official pages using a search box

RUNTIME-1364 - Search users triggers API call for each keystroke

RUNTIME-1716 - [Bonita cluster]: Hazelcast Kubernetes discovery not working

STUDIO-4468 - Some of shortcuts in script editor not working in Debian 10/11

RUNTIME-30 - Deleting process definition does not remove associated process supervisor, process category mapping

RUNTIME-38 - hasContent column stays as TRUE after using deleteContentOfArchivedDocument method

RUNTIME-1049 - Error message not explicit in Portal when creating a user with password policy enforced

RUNTIME-1701 - Event USER_CREATED is never raised

RUNTIME-1704 - Process supervisor mapping cannot be deleted

RUNTIME-1708 - REST API/bpm/activityVariable generates InvalidDefinitionException: Java 8 date/time type java.time.LocalDate

STUDIO-4454 - Changing tabs in expression editor duplicates the expression

STUDIO-4455 - Deploying an organisation fails if a parent and child process instances are still running in the Studio’s engine Tomcat

STUDIO-4458 - Custom page name conflict not detected at deploy

STUDIO-4460 - Fix ArrayIndexOutOfBoundsException when resolving variables context in the Groovy script editor

STUDIO-4461 - Improve pre 2022.1 project dependencies migration with better detection of dependencies with classifier

STUDIO-4462 - Fix Validate action getting stuck when diagrams contains Subprocess event figures.

UID-437 - Improve hotzone of the fx button

RUNTIME-369 - Uploaded file names are not XSS proof

RUNTIME-747 - Improve ronustness for concurrent BDM install/update requests

RUNTIME-1016 - Connection Pool attribute named testWithIdle is wrong in bonita template and default files

RUNTIME-1591 - Fix java.security.NoSuchAlgorithmException: ECDSA KeyFactory not available when using SSO with OIDC

RUNTIME-1639 - Fix Bonita Admin app case list to keep the selected filter when going "back"

RUNTIME-1645 - OIDC client adds port 0 to redirect-uri-path configured in keycloak-oidc.json when using HTTPS

RUNTIME-1648 - Page permission warning is not implemented in resource page

RUNTIME-1650 - Missing authentication method client_credential_post for token request with OIDC

RUNTIME-1656 - Process list filter remain empty in user case list

RUNTIME-1657 - [Security] Update several dependencies for 2022.2-u3 (7.15.3)

RUNTIME-1662 - OIDC front channel logout is not working

RUNTIME-1663 - In a Bonita cluster, configuration updates are not effective unless all the nodes are stopped at once, then restarted one after another

RUNTIME-1666 - Process variables information missing in case details section for archived cases

RUNTIME-1668 - Error message displayed when mapping 6th role to process actors

RUNTIME-1672 - An HTTP call to portal back-end generates a wrong redirect instead of an error

RUNTIME-1680 - Dynamic permission DownloadDocumentPermissionRule - user doesn’t have access to downloaded document

RUNTIME-1688 - The X-Frame-Options header set in bonita pages no longer allows to specify authorized origins for parent frames

RUNTIME-1699 - CSRF Token Validation Filter and RestAPI Authorization Filter copy multiparts requests content in memory

RUNTIME-1700 - Some parameters from JAVA_OPTS environment variable (Docker image) are not taken into account

RUNTIME-1701 - Event USER_CREATED is never raised

STUDIO-4451 - Fix Dependency remote lookup failure when central is not reachable

STUDIO-4452 - Fix refresh validation so that Groovy script validation marker does not disappear

UID-716 - Fix missing keys in localization.json asset

RUNTIME-1555 - Fix selection in Users mapped to process manager profile: when selecting one user in search list, all users were selected

RUNTIME-1566 - Fix Logger configuration failure with Bonita docker image

RUNTIME-1567 - Fix layout deployment: the permissions corresponding to the 'resources' in page.properties are now added into the compound-permissions-mapping-internal.properties

RUNTIME-1580 - [Security] Version update of several dependencies for 2022.2-u2 (7.15.2)

RUNTIME-1582 - Fix New ProcessPermissionRule granting access to ANY user provided the process has pending tasks

RUNTIME-1590 - Fix Users having access to overview of process when they are not involved in it

RUNTIME-1625 - Fix REST API extension matching when url start with a / in page.properties

RUNTIME-1630 - Fix bonita/portal/custom-page : HTTP status 500 Internal error + NPE

RUNTIME-1633 - Fix translation in admin user app

STUDIO-4425 - Fix Welcome page incorrectly displayed

STUDIO-4426 - Fix Type lost on condition after variable removal

STUDIO-4437 - Fix SNAPSHOT external lib not displayed in "add dependency" in process configuration

UID-346 - Fix Not translated messages in Upload widget

UID-711 - Fix Currency widget: issue with negative values

RUNTIME-145 - Fix User creation on the fly when role doesn’t exist

RUNTIME-278 - Fix LDAP Synchronizer failures when the username LDAP attribute value’s changes case (uper/lower)

RUNTIME-578 - Fix [admin-case-list] undefined for William Jobs in Started by column when using technical user

RUNTIME-626 - Fix Waiting events of Start events not created when process is deployed using BCD and has a .bconf file

RUNTIME-752 - Fix Error 404 resulting in blank task list

RUNTIME-1269 - Fix LDAP Synch: group synchronisation failure when use_paged_search=true and one LDAP group search returns more than one page of results

RUNTIME-1431 - Fix Instantiation REST service Exposing the groovy script after an exception

RUNTIME-1434 - Fix custom user information truncated in admin app

RUNTIME-1476 - Fix Default dynamic permissions: process deployers, process initiators and process managers should access GET bpm/process

RUNTIME-1477 - [admin-case-details] improve display of Started by information

RUNTIME-1478 - [admin-task-details] improve display of Executed by information

RUNTIME-1485 - Fix [SSO] Allow the usage of any claim of the ID token for the OIDC adapter to fetch the username value from

RUNTIME-1486 - Fix [Rest API Extension][Java] Archetype generating bad InputStream management code

RUNTIME-1489 - [Security] Version update of several dependencies for 2022.2-u1 (7.15.1)

RUNTIME-1527 - Fix Platform API resources access should not need an API session along with the platform session

RUNTIME-1545 - Fix [SSO] OIDC auto detect bearer only option breaking json requests

RUNTIME-1552 - Fix [SSO] OIDC bearer requests blocked by CSRF protection

RUNTIME-1559 - Fix LDAP Synch: when number of members in an Active Directory group > MaxValRange, last page of members not synchronised

RUNTIME-1562 - Fix Session invalidated when accessing the license page in admin application

STUDIO-4399 - Fix synchronize project open/close action

STUDIO-4400 - Fix [Organization] Password resolution

STUDIO-4419 - Fix failed to Load EMF ressource when trying to open an imported .bpmn file

RUNTIME-211 - Fix access to a non existing token in an app raise a 403 instead of a 404

RUNTIME-334 - Fix REST API ../API/identity/user/-1?d=professionalData as it returns the list of users

RUNTIME-335 - Fix REST API ../API/identity/user/-1 as it returns a APIMissingIdException

RUNTIME-864 - [Security] Several dependencies updates for 2022.2 (7.15.0)

RUNTIME-869 - Fix [Admin App]: BPM process: The 2 Popups to Disable and Enable installed process do not close

RUNTIME-978 - Fix organisation import does not update 'lastUpdate' field in user entries

RUNTIME-1011 - Fix processId in URL not taken into account in admin case list

RUNTIME-1147 - Fix office to PDF connector is not working on a 2022.1-u0 docker enterprise image

RUNTIME-1248 - Fix [Admin App]: Case list should not display the "view diagram" icon if the feature is not available

RUNTIME-1273 - Fix [Admin App]: BPM pages should be editable in subscription editions

RUNTIME-1275 - Fix bonita-sp- maven-repository 7.13.x contains extra files

RUNTIME-1408 - Fix slow REST API extension requests due to a java sycnhronized block