The purpose of this article is to provide the list of issues addressed in the most current cumulative hotfix build for JasperReports Server 8.0.x. The hotfix package itself can be downloaded from https://support.tibco.com/wolken-support/file_structure (requires login).
For more details please review the readme file in the hotfix package.
All the hotfixes are cumulative, meaning that the latest one contains all the fixes included in all the previous hotfix builds for the given product version.
Below is the list of issues addressed by each build/package.
hotfix_JRSPro8.0.4_cumulative_20241204_0508.zip
- JS-73737: RequireJS upgrade to 2.3.7 in JRL Pro JARs (CVE-2024-38998, CVE-2024-38999)
hotfix_JRSPro8.0.4_cumulative_20241202_0206.zip
- JSSEC-105 - Normalizing the URL to avoid a path traversal vulnerability
- JS-74002 - Suppressed CVE-2024-45772 because the CVE is a false positive for Lucene modules except lucene-replicator
hotfix_JRSPro8.0.4_cumulative_20241119_0616.zip
- JS-66473 - HighCharts CVE-2021-29489 (fixed since 8.0.3)
- JS-74002 - Suppressed CVE-2024-45772 because the CVE is a false positive for Lucene modules except lucene-replicator
hotfix_JRSPro8.0.4_cumulative_20241030_1735.zip
- JS-74009 - [Case #02299589] Upgraded apache-xmlgraphics-fop from 2.7 to 2.10 to fix CVE-2024-28168
- JS-74010 - [Case #02299589] Upgraded commons-io from 2.11.0 to 2.14.0 to fix CVE-2024-47554
hotfix_JRSPro8.0.4_cumulative_20241025_0108.zip
- JSSEC-89 - HTML Injection Vulnerability in Manage Roles Functionality
- JS-73742 - [Case #02300083] Updated Spring from 5.3.37 to 5.3.39 to avoid CVE-2024-38808
- JS-73858 - [Case #02299589] Updated Spring from 5.3.37 to 5.3.39 to avoid CVE-2024-38809
- JS-71565 Added configurable flag to avoid returning the detailed 404 error message in the response
- JS-73859 - CVE-2023-52070 on JFreeChart - Suppressed as the CVE is currently awaiting analysis; no reasonable evidence to determine the existence of a vulnerability
hotfix_JRSPro8.0.4_cumulative_20241017_1028.zip
- JS-73743 - [case #02299756] Resolved CVE-2024-38816 on spring-webmvc by removing unused FileSystemResource package in jrs
- JS-32017 [case #66045 + 3] 'Refresh report with latest data' button pulls data from Ad Hoc cache instead of data source
- JS-73411 - Backport the changes made for Back/Close button
hotfix_JRSPro8.0.4_cumulative_20241014_1134.zip
- JS-71394 - Removed iReport-utils jar as it's replaced by built-in features in JRL
- JS-71799 Updated jboss-modules from 1.3.0.Final to 1.3.11.Final to fix CVE-2014-0093
- JS-71801 - Removed quartz-commonj and quartz-backward-compat jar to fix CVE-2019-13990
- JS-71746 Removed ftpserver-core-1.0.3.jar to avoid CVE-2023-22551
- JS-71935 : updated js-crypto to 3.1.5 to fix CVE-2023-33201, CVE-2023-33202
- JS-71754 - Updated jjwt-api jar from 0.11.2 to 0.11.5 and json jar from 20231013 to 20240303 to avoid CVE-2023-5072
hotfix_JRSPro8.0.4_cumulative_20240902_0811.zip
- JS-68641 Enhanced Scheduler to handle Duplicate Jobs at the time of upgrade
hotfix_JRSPro8.0.4_cumulative_20240807_0953.zip
- JS-71031 - JDBC Connection leaks leading to Connection Pooling problems and high JVM memory usage
hotfix_JRSPro8.0.4_cumulative_20240722_0812.zip (AND EARLIER)
- JS-62936 [case 02035710] Buildomatic takes a very long time to export large number of users
- JS-64596 Jasperserver failed to start when installed using "js-install minimal"
- JS-64551 [case #02066165] - JSON validation error when refreshing a report
- JS-63364 Selecting cascading input controls values after scrolling resets position back to the top of list
- JS-64756 Upgrade Log4j to 2.17.1 version to fix CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105
- JS-65348 [Case #2087115] Cannot save view if same field is used in measure and field calculations
- JS-65258 [case #02065852] - Data Chooser performance issue when clicking on "View as Tree"
- JS-65501 [case 02093962] Query generator creates aggregate expression for sum calculated field in the adhoc crosstab in 8.0.1 JRS
- JSS-3212 [case #02077765] Faulty email hyperlinks in tagged PDFs
- JS-65580 Resolve CVE-2022-22965 in JasperReports Server across all supported versions
- JS-65239 [case 02083861] Encode report export file names
- JS-65495 [case #2091501] JRS 8.0 IC fails to load when parameter value is injected from URL
- JS-56746 [case 01826463] Add "IF EXISTS" or "IF NOT EXISTS" to the MySQL upgrade scripts to the sections where something is deleted
- JS-64614 [case 01908246] XSS. Set default configuration in /WEB-INF/applicationContext-rest-services.xml to prevent browser rendering of the rest-api responses in html & xml format by restricting content type headers
- JS-65535 [case 02085967] selectedValues Input Control request generate SQL query with NULL values
- JS-32446 [case 01949706] Errors saving tabular report with shared / global reference to subreport
- JS-65947 [case 02102938] Incorrect chart date/time values for timezones
- JS-66025 [case 02102613] IS_IGNORE_PAGINATION input control is not taking effect
- JS-64375 [case 02051860] Adhoc View Column is Changing When Exporting or Saving as Report.
- JS-65763 [case #2099441,+1] Non Standard US Date format is not working with date field in JRS 7.9 cascading IC
- JS-61493 [case 01929557] chart.events.load not called on report exports
- JS-66422 [case 02112895] In 8.0 the initial full page Loading message is no longer shown
- JS-66373 - Visualize.JS keeps authenticating with same credentials even if they have been changed
- JS-66441 Visualize.js - running Dashboard with configured non-US (non-default) date filter shows "Specify a valid value for type Date."
- JS-64844 [case 02076333] Filter value is missing in Adhoc report due to case sensitivity
- JS-66503 [Case #02083480] Dashboard does not show the updated data, you have to refresh the dashboard to get the updated data
- JS-66732 [Case #02120647] Slow Adhoc export with markup="html" in the Adhoc report template
- JS-65876 [case #2100210] Dashboard Hang When No Data Is In The Report
- JS-64045 [case 02116978] Creating report from adhoc view (attached) gives 500 error with duplicate declaration of parameter
- JS-66815 [case #2126619] Domain calculate field working in 7.5.2 but failed in JRS 8.0.2 with aggregate function error
- JS-66770 [case #2124123] Getting "Missing property" error when saving ad hoc view with filter in JRS 7.5.2 and 8.0.2
- JS-66820 Visualize: wrong data on mouse over for Gauge chart types adhoc view
- JS-66831 Client side code of Ad Hoc Designer and Viewer should check "Content-Type: application/repository.adhocDataView" header in case-insensitive mode
- JS-65887 Update JARs to avoid CVEs in JRS 8.0.1
- JS-67000 Upgrade pgjdbc for CVE-2022-3119
- JS-66757 commons-configuration2 JAR flagged for critical CVE-2022-33980
- JS-67139 restricting JNDI service name to not allow ldap://host
- JS-66745 - removing Xalan dependency (using saxon for xslt)
- JS-65388 - upgrading Apache FOP to version 2.7
- JS-67275 missing validation for Dashlets url
- JS-67268 upgrading commons-text to version 1.10.0 to address CVE-2022-42889
- JS-67049 users can read errors from /jasperserver-pro/rest_v2/contexts
- JS-67337: [Case #02140888] Theme not applied when sessionDecorator=no is added in the url
- JS-67556 Oracle DB - report takes about 17 minutes to acquire connection
- JS-67181 [case 02135517] - Input controls validation failure on JRS 7.9
- JS-67502 Users can read errors from /jasperserver-pro/rest_v2/connections
- JS-60038 Fixes issues in Ad Hoc View Crosstab with Time Balance
- JS-67566 [case #2147839] DDL for JIAccessEvent.resource_uri not being big enough to contain all the URI information. Increased size of JIAuditEvent.resource_uri, JIAuditEventArchive.resource_uri and JIReportMonitoringFact.report_uri to 451. SQLServer upgrade bugs
- JS-67482 getting java.lang.NoClassDefFoundError com/simba/athena/shaded/apache/logging/log4j/core/util/SystemClock during JRS startup
- JS-57052 [case 01843572 +1] exception occurs using ad hoc filter on datetime from AWS Redshift
- JS-65375 Report book: cannot select tabs beyond the displayed ones
- JS-66985 Performance issue in Chrome browser when executing report with big html output
- JS-64895 Ad Hoc Report Excel / XLSX export no longer displays AM/PM in date timestamp format
- JS-67541 stripTags and unescapeHTML components in Prototype 1.7.3 in JasperReports Server
- JS-67825 [case 02137904] CSRF at jasperserver-pro/log_settings.html
- JS-67466 EURO Symbol used in adhoc column formatting is not visible in dashboard
- JS-67846 [case #02153841] Reports not working without disabling SQL validation in 8.0.3
- JS-67716 [Case #02147733] Some column names for adhoc view are seen in German when used in dashboard for English users
- JS-67732 [case #2151198] Chart images as attachments in reportExecutions REST service
- JS-66331 fixed permission issue for ROLE_USER by passing existing context while fetching resource
- JS-60865 [Case - 01917827] Presence of only subtitle for a highchart in a report does not render chart in dashboard
- JS-67903 [case #02155667] Domain based Input control search not working in 8.x
- JS-63544, JS-68680 [case #02045165] Update role-based authorisation for /reportresource** servlet
- JS-68699 Upgraded moment and moment-timezone libraries
- JS-68564: Performance - Big Repository - client side rendering is blocked by parsing tree items
- JS-68260 Ad hoc view containing long text or email ID with long text is overlapping into next column when added to dashboard
- JRL-1820: Chrome Version 111 breaks export of HTML5 charts and dashboards
- JS-68291: Report Input Control "Save" option is not visible even having read+write+delete permission
- JS-68951 Upgraded commons-fileupload-1.4 to commons-fileupload-1.5 and commons-io-2.8.0 to commons-io-2.11.0 to avoid CVE-2023-24998
- JS-69058 Upgraded json-smart-2.4.7 to json-smart-2.4.10 to avoid CVE-2023-1370
- JS-68679 Upgraded commons-net-3.3 to commons-net-3.9.0 for CVE-2021-37533
- JS-67510 Upgraded batik-1.14 to batik-1.16 to avoid CVE-2022-42890
- JS-69067: Dashboard with an Ad Hoc Chart doesn't refresh the chart on No Data if the calc function is Count Distinct
- JS-69125: Running the report is showing the error for Safari 16.x browser
- JS-69037: Jasperadmin can see specifics of the error message in report using no permission attribute
- JS-67181 [Case #02135517] Input controls validation failure on JRS 7.9
- JS-24285: Relative date range values are not displayed correctly in reports
- JS-61440 Cascading input control date format validation issue
- JS-69099: [case 02177521] Input control validation failure for IC based on an Oracle Date column
- JS-69023 [case #02170494] Changing data type of field in domain schema getting changed automatically to earlier data type on importing.
- JS-68208: [case 02128995] Stack trace not being returned from error on the UI
- JS-67600: [case 02148501] Ad Hoc views cannot be opened if they have a calculated field with an IF that returns two different data types
- JS-69351: Issue with column header of table component when expanding a dashlet and then scrolling
- JS-69548 [Case# 02180063] Dashboard is not bringing the expected results
- JS-69454: Issue with report rendering and jasperserver ui with Mobile Mode on iPad device
- JS-69438: add Java 17 Runtime Support
- JS-69716: [case 02193513] Drill down repository hyperlinks in reports don't work in dashboards for different org users
- JS-67587 [case #02146373] Calculated measure from domain showing wrong calculation
- JS-69053 [case 02135517] - Facing an "The character '' is an invalid XML character" error once we run an export command that includes audit reports
- JS-69575 JRS API for rest_v2/contexts does not work properly with empty sets in Domain
- JS-69507: [Case #02185601] - IC Queries sent multiple times to data source
- JS-69982: Input control values are not updated in report even after updating list of values/query
- JS-70493 [Case #2207116] Ad Hoc input control has incorrect Selected items
- JS-70544: Update hotfix 8.x help url
- JS-70861: [Case# 02218745][Case# 02218763] - Upgrading activemq to fix CVE-2023-46604
- JS-70896: Upgrading snappy-java to fix CVE-2023-34455 and CVE-2023-34454
- JS-68714 [Case #02153498] Getting resource.of.type.not.found error intermittently while running multiple Report versions using Visualize.js
- JS-65398 [case #02089334] Allow HTML in Maps/Charts Pro tooltips
- JS-70648 [case #2214530] Use UUID for autogenerated report names in temp
- JS-71129 Added validation to restrict file extension for Repository file upload
- JS-71130 Added Adhoc Function validator
- JS-70906 [Case #02159689] Duplicate Reports Showing in UI
- JS-71128 enhance escaping
- JS-71333 Add custom 400 error page (bad request)
- JS-71131 Enhanced role-based checks for accessing scheduled job messages
- JS-71332 Improve Data Source URL validation
- JS-71300 [case #8415] - Added and changed the mapping and validation for contentResource
- JS-70477 [Case #02204119] JRS 8.0.4 Reports failed with Input controls validation error in Adhoc Report when the filters applied
- JS-71174 Add option to prevent usage of localhost or 127.0.0.1 for data source URLs
- JS-71620 [CASE-8436] removing ion-java and upgrading aws-java-sdk-ec2 to 1.12.653 to fix CVE-2024-21634
- JS-71262 [CASE-8436] CVE-2023-31826 on nevado-jms-1.3.2-JS.jar
- JS-71087 Prevent updating the creation date for a report job
- JS-71687 - [02234034] upgrading snowflake-jdbc to 3.14.4 to fix CVE-2021-22573
- JS-70795 CVE-2023-5072 on json-20090211.jar
- JS-71295 Added new implementation for TilesConfigurer & SpringLocaleResolver class in jrs to avoid CVE-2023-49735
- JS-71591 - [02234034] downgrading elasticsearch driver x-pack-sql-jdbc to 7.17.18 to fix CVE-2020-28491
- JS-71689 CASE-8436 - CVE-2021-22569 on infinispan-core-10.1.8.Final.jar in SQE
- JS-71852 - Upgraded postgresql-42.5.4.jar to postgresql-42.5.5.jar to fix CVE-2024-1597
- JS-71914 - JSON 20231013 upgrade caused String <-> Object conversion issue
- JS-71742 Update Spring And Spring Security jars to avoid CVEs
- JS-71847 - Upgrade ehcache to 2.10.10.18.17 to resolve CVE-2020-36518 and CVE-2023-36478
- JS-71181 Improve Organization propagation on user edit
- JS-71980 - fix for the legacy html component in the report viewer
- JS-71949 - [02226484] Upgraded commons-compress 1.21 to 1.26.0 to fix CVE-2024-25710
- JS-72073 - [02226484 02234034] fixing CVE-2024-22259, upgrading Spring to 5.3.33
- JS-72074 - [02226484 02234034] fixing CVE-2024-22257, upgrading Spring Security to 5.7.12
- JS-71744 Upgraded batik from 1.16 to 1.17 to avoid CVE-2022-44729 and CVE-2022-44730
- JS-71747 Updated grizzly from 2.3.25 to 2.4.4 to avoid CVE-2017-1000028
- JS-71749 Upgraded guava from 30.1.1-jre to 33.0.0-jre to avoid CVE-2020-8908 and CVE-2023-2976
- JS-71753 Upgrading jackson jar from 2.15.0 to 2.16.1 to avoid multiple CVEs
- JS-71743 Update accessors-smart-2.4.9 to accessors-smart-2.5.0 to avoid a CVE
- JS-71755 - Removed jmx-logger-log4j-0.3.1.jar to fix CVE-2019-17571; Log4j 2 has built-in support for JMX
- JS-72442 - Upgrading Spring from 5.3.33 to 5.3.37 to avoid CVE-2024-22262
- JS-71579 can't pass MongoDB connection options after schema was autogenerated
- JS-71233 - Upgrading mongo-java-driver-3.10.2.jar to 3.12.14 to fix CVE-2021-20328
- JS-72091 - Fixed the issue of bypassing the password change dialog by updating the sequence of UserPreferencesFilter in the filter chain, introduced a new property called passwordExpirationInDays for UserPreferencesFilter, that takes value from passwordExpirationProcessingFilter, to redirect requests to the password change screen in case of password expiration. Also, added a 401 response in the case of basic authentication
- JS-72164 - [02226484] CVE-2024-29133 & CVE-2024-29131 upgrading commons-configuration2 to 2.10.1, js-crypto to 3.1.2.1 and org.owasp.esapi to 2.5.3.1
- JS-72608 - Fixing JS-72180 and JS-71042. Making key more unique by adding tenant, user and datasource url. Changes to controlLogicCacheManager bean to control cachePerTenant (true) and cachePerUser (false); Reduced defaults on engineCache to 5 min
- JS-72181 - [02249038] fix WS-2021-0646, Update Lucene JARs to 8.11.3
- JS-71565: A validation was added to determine whether a resource-not-found exception will be returned; if so, the returned message is escaped
- JS-72030 - [CASE-8376] - Jar Uploads should be controlled by OS user only
- JRL-1923: Unpaginated CSV export uses a wrong time zone
- JS-73027: Fixed RepoLogEvent clean-up query issue caused by the Hibernate upgrade