WARNING: Version 5.4 of Kibana has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
5.4.1 Release Notes
Also see Breaking changes in 5.0.
Security fix
The time series visual builder that was released in 5.4.0 is vulnerable to
a cross-site scripting attack (XSS), where a malicious user could embed
HTML into markdown documents that could result in JavaScript being
executed in other users' browsers. This could be abused to steal sensitive
information or to perform destructive actions on behalf of other users.
5.4.1 fixes this vulnerability by no longer allowing HTML in markdown documents.
X-Pack security [ESA-2017-07] (#11770)
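The mitigation described above (no longer allowing HTML in markdown documents), as an added example that is not Kibana's own code: a deliberately small markdown renderer whose `html` option shows the weak setting beside the corrected default. The names `renderMarkdown`, `escapeHtml` and `safeHref` and the sample document are assumptions made for illustration, and the link-scheme allowlist goes one step beyond the release note so that the hardened path does not reopen script execution through link targets.

```javascript
// Added illustration, not Kibana source. Supports only bold, links and paragraphs.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn markup characters into entities so raw HTML renders as visible text.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allowlist of link targets; anything else (e.g. javascript:) becomes "#".
function safeHref(url) {
  return /^(https?:|mailto:|\/|#)/i.test(url) ? url : '#';
}

// Inline markdown is applied after escaping, so the only tags in the output
// are the ones this function emits itself.
function renderInline(text) {
  return text
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g,
      (_, label, url) => `<a href="${safeHref(url)}">${label}</a>`);
}

// html: true  -> raw HTML in the document is passed through as markup (weak setting)
// html: false -> raw HTML is escaped before markdown is processed (default here)
function renderMarkdown(source, { html = false } = {}) {
  return source
    .split(/\n{2,}/)
    .map((block) => block.trim())
    .filter(Boolean)
    .map((block) => `<p>${renderInline(html ? block : escapeHtml(block))}</p>`)
    .join('\n');
}

// Constructed sample document: one markdown paragraph and one raw HTML paragraph.
const SAMPLE = 'Status: **degraded**\n\n<img src=x onerror=alert(1)>';

console.log('html allowed:\n' + renderMarkdown(SAMPLE, { html: true }));
console.log('html disabled:\n' + renderMarkdown(SAMPLE));
```

With HTML disabled, the second paragraph is shown to other users as literal text instead of being parsed as an element with an event handler.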
Beginning in Kibana 5.3.0, the discovery app in Kibana is vulnerable to a
cross-site scripting attack (XSS) that would allow an attacker to inject
JavaScript into other users' browsers via Elasticsearch documents. This was
made possible by the field formatters plugin API and how it handled
compiling of template values in the discover doc table.
Versions 5.3.3 and 5.4.1 include a fix for this vulnerability
by changing the binding and compilation behavior for field formatters.
Thanks to Thomas Gøytil for reporting this issue.
X-Pack security [ESA-2017-08] (#11911)
Bug fixes
- Core
  - Formatted output is now non-bindable #11911
- Dev Tools
- Dashboard
  - Fix a bug that prevented the dashboard from loading if any visualizations on the dashboard could not be found #11324
    - A bug was introduced in 5.2 where if a visualization on a dashboard could not be found, it would throw an error and prevent the entire dashboard from loading. We’ve fixed this so the rest of your dashboard will continue to load and function properly.
- Discover
- Management
  - Report shard failures in the field_capabilities response #11450
    - The Kibana field_capabilities API will now include any shard failures in its response so that the user is notified when an error has occurred while creating an index pattern or refreshing a pattern’s fields.
  - Prevent refresh fields error from breaking index patterns management page #11885
- Visualize
  - Fix spelling in time series visual builder #11212
  - Fix missing icons in Visualize listing. #11243
    - When we implemented the new Visualization Wizard UI, we switched from using font icons to SVG images to represent each visualization type. However, we forgot to update the Visualize landing page table to use these SVG images.
  - Fix missing border of PaginatedTable rows in Firefox #11452
    - When we added the ability to select filters from within a table, we applied relative positioning to the table rows. This isn’t supported in Firefox, and had some odd visual results.
  - Return Boom errors directly to the browser for Time Series Visual Builder #11656
  - Fixing heatmap black squares #11489
  - Fix duplicate chart title #11594
  - Should not throw error when fitting on empty data. #11620
  - Fix zoom settings #11707
  - geo_centroid should not be available as a metric #11630
  - Disable scroll zooming on the map. #11825
  - Remove HTML support from Markdown for Time Series Visual Builder #11770