#Release Notes

The Webswing version 21.2 comes with improved window undocking, user consent for recording and mirror view, clustering features and stability updates, some security and bug fixes. In this page we list also other changes for minor releases.

#21.2.15 Extended Support

Release date: November 15th 2022

3rd party updates:

• Denial of Service (DoS) [Medium Severity] CVE-2022-42003
• Authorization Bypass [High Severity]CVE-2022-32532
• Authentication Bypass [High Severity]CVE-2022-40664
• Out-of-bounds Write (new) [High Severity]CVE-2022-42920

Admin Console:

• Regular Expression Denial of Service (ReDoS) [Medium Severity]CWE-400

Test Tool:

• Arbitrary Code Execution [High Severity]CVE-2022-42889
• Cross-site Scripting (XSS) [Medium Severity] CVE-2022-36033
• HTTP Request Smuggling (new) [Low Severity]CVE-2022-42252
• Denial of Service (DoS) [High Severity]CVE-2022-38749

#21.2.14 Extended Support

Release date: October 13th 2022

• #679 ping timer deadlock quick fix

3rd party updates:

• Improper Input Validation [High Severity]CVE-2022-3171
• Deserialization of Untrusted Data [High Severity]CVE-2022-42003
• commons-io update to 2.10.0

#21.2.13 Extended Support

Release date: August 5th 2022

• #576: Excessive log when there is no active tab
• #654: System property switch to turn off accessibility

#21.2.12 Extended Support

Release date: 15th July 2022

• Header Injection Vulnerability [Critical Severity] CVE-2022-34914

3rd party updates:

• Prototype Pollution [High Severity] CVE-2022-25878

Test Tool:

• Improper Handling of Case Sensitivity [Low Severity] CVE-2022-22968
• Denial of Service (DoS) [Medium Severity] CVE-2022-22970

SAML2:

• XML External Entity (XXE) Injection [Critical Severity] CWE-611
• Cryptographic Issues [Medium Severity] CWE-310
• Denial of Service (DoS) [Medium Severity] CVE-2022-22970

#21.2.11 Extended Support

Release date: 10th May 2022

• #584: Netbeans paste from history does not work

3rd party updates:

• Webswing Security OIDC - Improper Verification of Cryptographic Signature [High Severity] CVE-2021-22573

#21.2.10 Extended Support

Release date: April 21st 2022

• #576: Excessive log when there is no active tab
• #575: Disable/remove of app in Admin Console kills all instances

#21.2.9 Extended Support

Release date: April 11th 2022

• Fixed 3rd party vulnerabilities (CVE-2022-22965 - TT, SAML2, CVE-2020-36518 - ALL, CVE-2022-22950 - TT, CVE-2021-22060 - TT)
• DirectDraw cache inconsistency fix
• Change document.title according to active window
• DirectDraw js error when resizing
• Mirror not working for touch-enabled sessions
• Window is repainted on browser window move
• Update window decoration when resizable is set on visible window
• Window in undocked tab jumps from negative x position to right side
• Js error when dragging outside browser window in FF
• Option to use grizzly websocket client instead of jdk in Admin Console server
• "C:\Program" is not executable file appears when running with security manager enabled
• Adjustable OpenID Connect SCOPE
• DnD inconsistency of triggered mouse drag event
• Fixed xormode rendering in DirectDraw

#21.2.8

Release date: March 7th 2022

• Fixed 3rd party vulnerabilities (CVE-2022-23181, CVE-2022-0235, CVE-2020-28500, CVE-2021-23337)
• Fixed shutdown hook blocked by shutdown listener
• Provide original file name in DnD upload through drop component
• Hide Logs feature in Admin Console when permission is false
• Fixed optimized diff rendering
• Fixed first render js error when embedded in angular

#21.2.7

Release date: February 3rd 2022

• Clear transfer files from datastore after session ends
• Reconnect button starts websocket twice on iOS
• Java 8 NoSuchMethodException: com.sun.glass.ui.Screen
• Misleading message when stopping Webswing on Linux
• SP should not exit before first server URL is loaded
• NPE fix for QF-Test event replay through CDP
• Fixed allowStatisticsLogging label fix
• RequestFocusInWindow does not work same as in native application
• Fixed access to restricted resources
• Server crash - improved stdin writing
• Subdomain support
• Robot mouse events not targeted to window

#21.2.6

Release date: January 11th 2022

• Fixed 3rd party vulnerabilities (CVE-2021-22569, CWE-400,CVE-2021-44832, CVE-2021-22060)
• Do not send accessToken in websocket URL parameter
• Fixed server crash if session stops processing stdin
• Admin Console optimizations for 300+ apps configured
  • use partial messages between AC and WS
  • better synchronization of AC registration in WS
  • selector layout with scrollbar on overflow
  • single REST handler for all applications in AC
• Fixed DirectDraw font issue after page refresh
• Support secret key from file instead of system properties
  • automatic padding of short key
• Fixed javaFileListFlavor issue in DnD
• SwingClassLoader fails to load package.info
• Execute scripts defined in loginPartial.html
• Fixed script websocket URL reloader
• Robot mouse press and release events deprecated masks support
• Support Admin Console with Security NONE
• Fixed transfer folder not cleared if contains variables
• Add Cache-control: no-store header to REST responses

#21.2.5

Release date: December 22nd 2021

• Fixed log4j vulnerabilities - CVE-2021-45046 and CVE-2021-45105
• Extended security module API by access to app configuration and active sessions count
• Fix of Keycloak security module
• Fix login form to accept % in password field

#21.2.4

Release date: December 13th 2021

• Fixed critical log4j vulnerability - CVE-2021-44228.

#21.2.3

Release date: December 6th 2021

• Fixed 3rd party vulnerabilities
  • CWE-20
• Webswing Demo application deadlock on startup
• Per-pixel translucency support
• DnD upload - filter drop components that are not showing
• Update log level for resiient process message
• setVisible on hidden JMenuItem doesn't cause repaint
• Admin malfunctions when naming application starting with the word "http"
• DirectDraw CPU optimization
• Deadlock when initializing treelock
• Empty page at the end of the print preview
• Undock improvements
  • Improved hidden windows search
  • Fixed sizing of re-opened undocked windows
  • Switch beforeunload event to unload event to support user-defined cancellable beforeunload
• Wrong vmArgs config causes broken server

#21.2.2

Release date: November 10th 2021

• Rendering optimizations
• Fixed session logs in Admin Console

#21.2.1

Release date: November 6th 2021

• Fixed 3rd party vulnerabilities
  • CVE-2021-22118 in Test Tool
  • CVE-2021-33037 in Test Tool
  • CWE-502 in Test Tool
• Undock improvements
  • Reopen windows from closed primary tab if there are any undocked windows open
  • Fixed focus on size change
  • Resize canvas to fit undocked window when user resizes the window before javascript initializes
  • Send location update only when necessary
  • Force activate window when changing bounds from javascript, to close open combobox popup
  • Reopening undocked window should not change page title
• Admin console improvements
  • Show number of all browser connections (including undocked) in admin console overview
  • Overview server cards tooltips
  • Improved style of modals, icons and tables
  • Added scroll to top/bottom to tables
• Test tool improvements
  • fixed key input handlers
  • fixed destroying instance
  • auto-scroll to assertion when creating and testing
  • improved component search method
• Extended Audit logs with more events
• Fixed SAML2 security module for Java 8
• Masking passwords in session startup log
• Fixed download of empty file triggered on folder directory URL
• Run configuration provider methods with extension context classloader
• Fixed missing modifiers on scroll events
• Fixed support of defining multiple transfer directories
• Fixed evaluation banner
• Fixed maximizing NetBeans platform app at startup
• Fixed javascript FilesManager progress counter issues
• Session pool resilience - ConcurrentModificationException when disconnecting multiple undocked connections
• Fixed Admin Console websocket URL reloader race condition
• Webswing demo improvements and fixes

#21.2

Release date: October 9th 2021

Changes:

• Server Extendability API
• PNG Rendering with High DPI (Java 11)
• Server security API optimization
• Webswing&Admin on a single web server
• Rendering optimization and improved performance for low bandwidth network
• Session Pool Resilience
• Load Balancer - new algorithm and additional configuration
• Drag&Drop to Swing file support
• Clipboard synchronization
• New demo app
• New Admin Console
• Setting transferDir programmatically

#Versioning

Since 2020 Webswing uses a new versioning scheme. Every year there are 2 major releases. This year we have released 21.1 & 21.2. We will release 22.1 in Q1 and 22.2 in 2022 Q3.