Changelog
WAPT-2.6 Series
WAPT-2.6.0.16613 (2024-12-10)
hash: 4de25b0a
This is a bugfix release following client feedback.
[SEC] waptcore: update 7zip and python39 to latest version due to security release
[FIX] waptcore: waptcrypto IX509Certificate.IsValid: don’t include a 0.5d threshold. Should fix waptconsole needing to be restarted on session expiration. Globally set CERT_DEPRECATION_THRESHOLD to 0 days
[IMP] waptconsole: index audit data by <section>_<key> to allow easy access in host overview html template
[IMP] waptconsole: edit package valid from, until forced: Add a checkbox to make it easier to clear date. Add hint for N key
[FIX] waptconsole: some temporary files are not deleted when closing application.
[FIX] waptconsole: fix filtering packages in private repos with signer certs issued from a CA and CA is trusted
[FIX] wads: fix regression, missing result assignment in GetRandomPassword for djoin
[NEW] wads: improve managing disk partitioning and formatting scripts for wads
[FIX] wads: create wads config: regression in {{ mustache }} being replaced too early. {{random_password}} placeholder is now LOCAL_ADMIN_PASSWORD_PLACE_HOLDER to avoid confusion with mustache
[IMP] waptagent: wapt-get add server-request action to trigger a custom action on server (mostly for debug for now)
[IMP] waptagent: waptself: add “Show all variants” option
[FIX] waptagent: waptself: when searching latest package by package name, don’t take maturity and locale into account.
[UPD] waptagent: wapt-get and wapttray: handle html output for installed packages status
[UPD] waptagent: peercache: restart peercache process on network settings change
[IMP] waptagent: wapt-get -S displays enqueued tasks only if loglevel debug
[NEW] waptagent: wapt-get: add local-request debug and automation action. Add --templatestring to provide an output specific mustache template. Ex. wapt-get -c "c:\program files (x86)\wapt\wapt-get.ini" local-request ping --json --templatestring="{{result}}"
[FIX] waptagent: wapt-get list-registry lists software with empty names too
[UPD] waptagent: on windows, don’t ignore software with empty names for software inventory and for need_install
[FIX] waptwua: fix regression in install_delay parameter
[FIX] waptwua: be safe if no wsus packages records in local db (waptwua regression on fresh install: null variant to string)
[FIX] waptwua: ensure we create privatecache directory before downloading cab.
[IMP] waptcore: improve pyldap module performance for large domains
[IMP] waptcore: create temp files and directories in %TEMP%/wapt
[NEW] waptcore: allow to localize html templates for wapt-get and waptconsole
[FIX] waptcore: fix html viewer onclick handler
[NEW] waptcore: add b64encode, b64decode, sha256, sha1 and md5 mustache helpers.
[IMP] waptcore: waptguihelper: improve searching in waptgrid
[IMP] waptcore: improve testing of LDAP connectivity
[UPD] waptcore: use REALM instead of NetBIOS name in user name mapping
[FIX] waptserver: fix get_linux_and_macos_agent.py and remove symlink agent linux (broken in wapttasks)
[FIX] waptserver: error when uploading large ISO in uwsgi mode due to uwsgi_request_buffering
[IMP] waptserver: added uwsgi_send_timeout and uwsgi_read_timeout set to 120s instead of 60s to reduce risk of timeouts
WAPT-2.6.0.16552 (2024-11-19)
hash: 49ddf2d3
This is the first release of the WAPT 2.6 series.
This release focuses on security and performance improvements.
Main new features:
Add peercache support for agent-to-agent package distribution: on a subnet, the first computer to download a package can share the download with other computers on the same subnet
Add support for session_cleanup function to integrate cleanup in user session during package uninstall
Improved support for timezone in WADS
Add support for dark mode in WaptConsole on Windows (dark mode on Linux and macOS was already supported).
Add support for remote assistance through rustdesk, teamviewer, anydesk (need to first install audit packages)
Add support for json output to wapt-get for easier automation
In WaptConsole add manual audit values, such as warranty expiration date, etc.
WaptConsole: automatically match installed software with corresponding package in software inventory tab
WaptConsole: enhanced html templating with possible actions ( HttpGet, HttpPost, Join, Get, Count, Pad, PadLeft Values, Keys )
Customise output of wapt-get command through templates
New technical and security features:
Switch to LDAP SASL GSSAPI Kerberos authentication for Active Directory
Hardening of local wapt service : local waptservice is now listening on https TLS socket, split of local db in public and private db
Support for waptconsole authentication for “Protected Users” group members
WAPT Windows Update now uses COM early binding rather than late binding to avoid being broken by yearly incorrect COM TLB updates from Microsoft
Update of all components
Python 3.9.20 and all Python libraries
OpenSSL 3.1.7
Lazarus 3.2 / FPC 2.3 / mORMot 2.3
Caveat and removal:
waptpython is now a symlink pointing to wapt-get binary. Wapt-get binary does PYTHONPATH and PATH cleanup before startup for security reasons and might behave differently compared to original waptpython if you use it for purposes other than WAPT.
WAPT now uses the Python certifi certificate bundle by default
removal of dmi / wmi inventory upload. It is now provided through audit data with audit_wmi and audit_dmi packages
if you use non-ActiveDirectory LDAP / Kerberos Authentication, SASL/GSSAPI Kerberos bind may fail
support for Samba Active Directory needs Samba minimum version of 4.16.
if you upgrade from WAPT 2.4, please be sure to read the upgrade procedure, it is required to have verify_cert enabled! If you upgrade from Wapt 2.5 you are ok.
there is a bug during package upload on a uWSGI enabled server. The bug is already fixed in today’s nightly release and will be shipped in Wapt 2.6.1.
dark mode is not yet supported on Windows Server 2k22 and later
Detailed changelog:
[REF] waptservice: removal / cleanup of unused endpoints * check_install package_download waptupgrade install_log enable disable /wapt/<string:input_package_name>
[SEC] waptservice: restrict “show” endpoint on authorized packages * based on selfservice rules
[FIX] waptservice: under macOS keep service running even if session is closed and reopened
[FIX] waptservice : wapttray: fix cpu usage
[SEC] waptservice: set MinProtocol = TLSv1.3 for openssl client
[FIX] waptservice: fix TWaptRepo.FileIsDifferentOnServer if url argument is not relative to repo url.
[NEW] waptservice: Introduce waptwua/uwaptwua.pas, Lazarus porting of waptwua/client.py
[SEC] waptservice: introduce owner on events to filter broadcasting
[SEC] waptservice: https server: be sure to require TLSv1.3 and safe ciphers
[FIX] waptservice: html text is hidden on some linux for waptmessage and waptself
[IMP] waptservice: increase http server threads numbers * as we are keeping connections for long polling, it’s better to allow more threads if we don’t want to wait for free ones. * add waptservice_poll_timeout and waptservice_keep_alive_ms parameters
[IMP] waptservice: when scanning local repo, if Packages index is corrupted, try to recreate it once.
[IMP] waptservice: improve memory leak issue
[IMP] waptservice: try to reduce memory pressure * share the flask Wapt instance * share the sqlite cursor across threads (writes are serialized with lock)
[IMP] waptservice: session_cleanup(): don’t run it if another package with name is still installed.
[NEW] waptservice. Introduce support for per package and user session_cleanup() package hook
[FIX] waptservice: handle in WaptDB.db property getter the case of cross threads access to same WaptDB instance. * reset the sqlite db instance when calling thread is not the create thread * make the db initialization atomic with a lock (prevents ._db to be None for concurrent foreign threads) * store host_uuid as a property of WaptSocketIORemoteCalls to avoid the need of db access. WaptSocketIORemoteCalls is recreated anyway in case of host_uuid change.
[SEC] waptservice: require token for wua local service endpoints
[UPD] waptservice: auth: improve logging
[FIX] waptservice: wapttray: missing token
[SEC] waptservice: removed 'waptservice_user', 'waptservice_password' local wapt specific user account (not used) * introduced an allow_local_token decorator to replace most allow_local * added an allow_html (default False) to enable/disable html rendering of local endpoints * /login writes an (optionally encrypted) token in user home directory for local auth * /localtoken writes an encrypted token in user home directory for local auth (no groups) on service * allow POST on /login and /localtoken to post secret key * introduce disable_tls parameter. * use TLS for local service http server unless disable_tls is True * create at each service startup a new pair of RSA keys in private/localservice.pem and public/localservice.crt for https server * (local client can access public/localservice.crt to validate local server certificate) * host inventory: add an 'updated_on' key for dict delta data to know last update date on server.
[NEW] waptservice: allow “forced” download/upgrade/install/remove even if battery is too low
[FIX] waptservice: report of host_metrics peercache_status on Unix platforms
[FIX] waptservice: regression on service startup with Babel configuration * after upgrade of flaskbabel python module
[FIX] waptservice: setuppy not stored properly in private db * audit not working
[BUG] waptservice: linux: add Defaults:wapt !requiretty
[FIX] waptservice: regression on show_message
[UPD] waptservice: try to keep db compatible in case of a revert of agent from to 2.5.5 (because of split of private/public data)
[FIX] waptservice: waptmessage: when started from cmd, wait for application to terminate. * allocate console if -c is provided for html forms json submit * example : waptmessage -c -b PGh0bWw+PGZvcm0gbWV0aG9kPSJTVERPVVQiPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJ0b3RvIj48aW5wdXQgdHlwZT0ic3VibWl0Ij48L2Zvcm0+PC9odG1sPg== --waptbasedir="c:\program files (x86)\wapt" -t 10 -n * honor -t timeout even if no border
[IMP] waptservice: in “nopassword” auth service mode, a single user can be added in self service rules
[IMP] waptservice: cleanup windows PATH on exe startup
[SEC] waptservice: add a openssl.cnf file for win32 exe * to avoid openssl looking in other locations
[SEC] waptservice: disable TLS1 and TLS1.1, disable unsafe ciphers * should comply with CC criteria. * allowed ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA
[IMP] waptservice: on windows: removed waptScripts * no more useful for pyscripter * waptpython.exe == original python.exe * waptwapt-get == waptpython.exe (for pyscripter “venv”) * python38.pth does _not_ import site anymore to avoid sys.path erroneous guessing in waptparent folder
[SEC] waptservice: restrict service local https server cert validity to 3 days * waptservice is restarted every 24h, cert is recreated on start. * be sure local clients (wapt-get, waptexit, waptself, etc.) provide a secret long enough (>64chars)
[IMP] waptservice: don’t check if personal certificate actually exists on disk to enable/disable actions to avoid excessive file accesses on app idle
[IMP] waptservice: We can now only perform Windows Update scans without having to activate waptwua
[FIX] waptservice: be tolerant at socketio client create. sometimes, local db is locked when upgrading.
[FIX] waptservice: migrate host_organizational_unit_dn to public db
[FIX] waptservice: server auth for wapt-get build-waptagent * store host_uuid in public db too
[SEC] waptservice: move waptdb.sqlite to agent private dir at startup of service
[NEW] waptservice: add cheroot requirement for agent.
[FIX] waptservice: store local licencing cache in public DB
[FIX] waptservice: migrate installed package status to publicdb
[SEC] waptservice: core: move waptdb.sqlite into private wapt dir * add a new waptpublicdb.sqlite in waptdb for session-setup * add setuppy and whole control of package in waptpublicdb.sqlite after each successful install * set package removal_date when not available anymore in repository * set uninstall_date when package is removed (uninstalled)
[SEC] waptservice: moved packages cache dir and waptdb.sqlite to private wapt dir. * renamed package_cache_dir to packages_cache_dir
[IMP] waptservice: better handling of server reauthentication when cookie expires. * don’t free the httpclient, just disconnect the socket * don’t clear ClearCachedAuthInfos on failed login as we can have 2 successive attempts with same certificates and keys
[IMP] waptservice: for backward compatibility, stores uuid, hardware_uuid, hostname in private db too
[IMP] waptservice: keep storing setuppy in private local like before the split of private/public local db * for compatibility with older wapt. Allows to revert to old wapt.
[IMP] waptcore: improve display in html templates: waptmustache: HumanBytes is now default in mormot
[NEW] waptcore macos: create /etc/krb5.conf if not exist when call get_domain_info
[FIX] waptcore: distro has changed operation, change of result to find historical behavior
[FIX] waptcore: fix TWaptPackage.ParseCapabilitiesTargetOs target_os ParseComparisonOperators
[SEC] waptcore: remove python uptime unmaintained module
[SEC] waptcore: removed python netifaces unmaintained module
[IMP] waptcore: switch python 3.9.20
[FIX] waptcore: fix for non pure ascii system cacert files (as seen on rocky linux 9) * we load the file ourself in python because openssl is slow reading the cacert store, 2 bytes at a time when using context.load_verify_locations(cafile=cacert_path())
[FIX] waptcore: fix wakeonlan issues: networking: calc missing broadcast address from ip and netmask * be tolerant if mac is None in DB
[SEC] waptcore: switch to openssl 3.1.7
[IMP] waptcore: add wine based api-ms-win-core-path-l1-1-0.dll for python-3.9 compatibility on windows 7
[FIX] waptcore: uwaptserverconnection: using proper gssapi lib under linux like macOS
[FIX] waptcore: CheckCodeSigned flags set to WTD_CACHE_ONLY_URL_RETRIEVAL
[NEW] waptcore: introduce T7zLib in mormot for compressed file handling
[NEW] waptcore: waptlicences: sz_extract_all function based on T7zLib
[IMP] waptcore: wmi to json: set datetime as ISO8601 in json
[SEC] waptcore: default storage of params is now private only * instead of being public and private by default. * open 2 transactions on both public and private db if public
[NEW] waptcore: introduce “on_connect” audit_schedule option * one can put audit_schedule : on_connect in package control file to trigger the audit on package each time agent’s websocket is (re)connected * we can have several audit schedule : audit_schedule : 1h,on_connect
[IMP] waptcore: Wapt.audit(): add ignore_schedule argument
[IMP] waptcore: harden the audit_schedule decoding with a regexp * add bootup_time in waptutils
[IMP] waptcore: better handling of abort status * avoid OSEXC in logs.
[FIX] waptcore: fix MatchOS for generic linux and unix tags.
[SEC] waptcore: wapt-get / waptexit / wapttray : use TLS and token to access local waptservice. * verify local server cert with public/localservice.crt * get simple token with GetLocalServiceToken calling /localtoken * remove use of cookies in wapt-get and waptself * pass token in Bearer auth header instead of Basic header
[FIX] waptcore: PackageRequest: IsMatching function resulting to wrong result if targeting no OS
[FIX] waptcore: djoin: selecting last AD and DC automatically if available
[NEW] waptcore: waptlicences: add wapt_local_json_get helpers. * wapt_local_json_get(action, authtoken, user, password: str, timeoutms:int =-1 ) -> dict * get_wapt_base_dir() -> str * set_wapt_base_dir(adir: str)
[FIX] waptcore: waptutils: makepath with UNC paths
[IMP] waptcore: improve reconnection after cookie expiration * don’t free HttpClient too early to avoid Access violation in mormot httpclientsocket. use a secondary parallel http server connection to make the actual login * if acls can’t be refreshed, keep previous one. * if acls are nil, just return False in IsUserActionAllowed
[IMP] waptcore: python certifi: use waptlicences.get_system_cabundle_path() if possible on windows * to have a consistent behaviour between fpc code and python code for the where() and windows CA certificates extraction from system store
[IMP] waptcore: improve waptlicences.waptserver_login * optional get_acls * provides optional login_token * improve randomness of temporary client private key password * improve http_keep_alive for waptserver POST * fix potential AV in GetUserToken
[FIX] waptcore: update python4delphi using code from https://github.com/Alexey-T/Python-for-Lazarus * TODO : use directly the Python-for-Lazarus repo and add our patches on top of it.
[FIX] waptcore: update SanitizeFilename * allow @ ( ) * * disallow / “ and #127 (del) * removed unused IsUnsafeFilename * update waptservice localurl to https
[SEC] waptcore: fix password echoing on linux console
[UPD] waptcore: calc default private public dirs from wapt_base_dir
[SEC] waptcore: cleanup of PYTHONPATH when starting agent
[SEC] waptcore: improve randomness of GetRandomPassword in waptcommon
[FIX] waptcore: install package with parameters raise FATAL ERROR : AttributeError: 'Wapt' object has no attribute 'execute'
[FIX] waptcore: allow head method with WaptHttpGetString
[FIX] waptcore: Close ldap connection even if bound failed to avoid socket not being reinitialized
[IMP] waptcore: cleanup * make sure we don’t overflow key and value len when decoding control and packages
[IMP] waptcore: On windows, if current user is system account, use <WaptBaseDir>\ssl\server\cacert.pem for cacert.pem file path containing extraction of system store certificates. On windows disable address random for debug. close http connection to reauthorize properly (recreate TLS connection)
[IMP] wapt-get: better handling json output format for some actions.
[IMP] wapt-get: improve console output of tasks events
[IMP] wapt-get: wapt-get build-package: set exit code >0 if bad argument.
[IMP] wapt-get: avoid requesting server uuid when building a package locally
[IMP] wapt-get: wapt-get wua actions in service mode (-S) renamed to waptwua-scan, waptwua-download and waptwua-install * for consistency with direct mode
[FIX] wapt-get: using new global var GssLib_Custom for gssapi
[FIX] wapt-get: wapt-get install/remove/audit --service with multiple packages
[FIX] wapt-get: server password utf8 encoding when typed from windows command line. * regression: password not sent to server
[UPD] wapt-get: never ask waptservice username * like before
[UPD] wapt-get: don’t ask user if service auth is in ‘nopassword’ mode.
[SEC] wapt-get: allow to authenticate using kerberos (like waptself) * zerofill password after use.
[SEC] wapt-get: sanitize system PATH on windows before loading python engine
[FIX] wapt-get: wapt-get ping asking for auth * introduce GetLoginLocalServiceToken with encrypted file tokens * ask password if not nopassword service_auth_type
[UPD] wapt-get: propose default current user for auth on local service.
[REF] wapt-get: terminate with Terminate+Exit instead of Halt
[FIX] wapt-get: wapt-get as python substitute stdout not redirected * when invoked from vscode for example. * or invoked like “python ascript.py > out.txt”
[IMP] wapt-get: wapt-get: when invoke as python.exe, switch to interactive prompt if not py filename argument provided
[FIX] wapt-get: typo in print
[NEW] wapt-get: add --peercache switch to wapt-get launcher for waptservice
[UPD] wapt-get: peercache: add some settings. * peercache_enable, peercache_interface, peercache_server_enable peercache_port peercache_secret peercache_broadcast_timeout_ms * add --peercache wapt-get command line switch to start peercache process (for waptservice daemon) * add wapt-get download action in service mode
[FIX] wapt-get: don’t fail in GetWorkgroupName if smb.conf does not exists
[IMP] wapt-get: provide a waptmemcache.WaptMemcacheClient python interface for client connection to a http waptmemcache local server
[FIX] wapt-get: fix return value for wapt_sources_edit
[IMP] wapt-get: initialize logger level and output for wapt-get --shell * add keypassword arg to waptserver_login
[FIX] wapt-get: set-uuid: removed fallback on private db * set ‘uuid’ param in public db
[FIX] wapt-get: remove private db access on session-setup * migrate ‘uuid’ ‘hostname’ ‘hardware_uuid’ params into public db
[FIX] wapt-get: init python sys.path
[FIX] wapt-get: take in account private_dir for get WaptDBPath. * use “:memory:” if waptdb path does not exists * fix. wapt-get action must not be converted to lowercase as it can be a python source code. * takes in account wapt_base_dir key in [global] section of inifile
[FIX] wapt-get: session-setup: use only waptpublicdb.sqlite and session DBs
[SEC] wapt-get: use wapt-get.exe as python launcher for waptservice to force system Environment.
[FIX] wapt-get: wapt-get.exe as python runner: strip first sys.argv argument since we expect python script to be first argument and not wapt-get.exe
[UPD] wapt-get: vscode package edit: use <wapt>\python.exe as python interpreter
[IMP] wapt-get: allow wapt-get.exe to be used as python.exe * if no argument, run an interactive shell * if wapt-get.exe is named waptpython.exe or python.exe, insert first argument in sys.path at position 0
[IMP] waptwua: removed debug print * fix wapt-get waptwua-xxx tasks report
[FIX] waptwua: refactor waptwua to improve install callback. * avoid potential AV at install if install progress callback is defined * specific loglevel for waptwua with loglevel_waptwua
[IMP] waptwua: use early binding on COM object rather than late binding using TLB to avoid issues where Microsoft breaks its own COM API (Patch Status: No Data (Error Code: 0x8002802B and 0x80070422))
[FIX] waptwua: iso date for installs history
[IMP] waptwua: pywaptwua: add update_history to get history of windows updates installs
[FIX] waptwua: download_updates parameters
[FIX] waptwua: Missing host certificate usage resulting in 401 errors
[FIX] waptwua: Could not convert variant of type (Null) into type (Date) in WMI case
[FIX] waptconsole: translation for vispackagewizard
[IMP] waptconsole: displays updates date in localized local time
[IMP] waptconsole: waptserverconnection: improve reconnection on session expiration
[IMP] waptconsole: auditdata html view: add history and selected rows context data
[IMP] waptconsole: html viewer: when duplicating template, use first filename in TemplateFilenames list. * create template directory if possible. * fallback on user roaming directory. * audit data: allow http link to be opened by double click * html: add proxy for images download
[IMP] waptconsole: update host_audit_debian_upgrades.html
[FIX] waptconsole: fix editing host packages when double click in host’s packages grid * or when downloading package to show embedded files.
[NEW] waptconsole: in Embedded HTML templates: add mustache helpers * {{ Join dictorlist[,","] }} -> str join dict keys or list values * {{ JoinValues dictorlist, "key", "sep" }} -> str join dict[key] values. * {{ Get dict,"key",DefaultValue }} -> get the value for a key if it exists, else DefaultValue * {{ Count dict }}
[FIX] waptconsole: fix regression in html audit data view : “Invalid Variant type cast” * when built with current fpc compiler. * does not occur when compiled with more recent “3.2 fixes” fpc…
[IMP] waptconsole packages dev grid: order by update date desc by default. Folder name fixed on left
[NEW] waptconsole: html audit view: add _host context dict with data from focused host for html template.
[FIX] waptconsole: fix uvisupdatepackagesource position saving
[IMP] waptconsole: add a checkbox to ignore signer’s certificate validity dates when re-signing packages * check host package signature and section when re-signing a host package. but ignore certificate validity dates.
[FIX] waptconsole: waptserverconnection: recreate connection in case of local client error (666)
[IMP] waptconsole: try to fix audit history panels splitters
[FIX] waptconsole: when editing a package, wrong message “invalid package”
[IMP] waptconsole: allow RustDesk connection even if no password available (it will ask the final user for allowing current connection)
[NEW] waptconsole login: add shortcuts on translated labels * allow --user= in command line * keep supplied user and password when retrying if login failure
[UPD] waptconsole: don’t ask for personal certificate and prefix if not needed * when no right to sign packages or actions in console, no need to ask prefix or user certificate * when for example console is used only as reporting tool.
[NEW] waptconsole: connect via TeamViewer if available
[NEW] waptconsole: connect via RustDesk if available
[NEW] waptconsole: showing encrypted data in host inventory
[FIX] waptconsole: dynamic configurations with peercache
[SEC] waptconsole: CSPN TOE. disable peercache config in cspn_toe mode
[IMP] waptconsole: package edit: allow on_connect, on_disconnect and a list of schedules in audit_schedule control check * add completion. * moved connect/disconnect events handling in the on_xxx of socketio namespace
[GUI] waptconsole : Using a button instead of a label for opening a cert file when asking for trusted cert
[FIX] waptconsole: rules can’t be named wapt
[IMP] waptconsole: reporting: delay in displaying huge data in grid
[NEW] waptconsole: add reachable column in HostsForSoftware panel * allow to trigger actions on connected hosts
[IMP] waptconsole: Wapt python in waptconsole: use :memory: for publicdbpath
[FIX] waptconsole: Package wizard, adding arm/arm64 arch, debian/redhat based and ubuntu target os
[REF] waptconsole: djoin: little refactoring of GUI
[FIX] waptconsole: ACL for Delete unused KB action
[FIX] waptconsole: missing translation for host description change
[NEW] waptconsole: reporting: F4 shortcut to execute the selected query
[NEW] waptconsole: allowing user to skip update
[IMP] waptconsole: fix cyberwatch template
[FIX] waptconsole: enable make package template action
[NEW] waptconsole: dynamic configuration allowing drop certificates on grid
[GUI] waptconsole: showing full windows version and pretty name when available in host WUA tab
[IMP] waptconsole: error message when building a host package
[UPD] waptconsole: enable autosearch on audit tree view filter
[REF] waptconsole: viswuagroup using now DMWaptConsole.StatusImages16
[UPD] waptconsole: enabling check files menu in secondary repositories if reachable
[NEW] waptconsole: include last_audit_status in per-host packages status overview
[IMP] waptconsole: use default tisgrid Ctrl+Del for row deletion in wads and dev grids
[IMP] waptconsole: sync log memo content depending on packages status grid column
[IMP] waptconsole: be sure to clean temp auth certificates on relogin
[FIX] waptconsole: regression on using a personal private key with password for login * be sure to have safe return values for some getter on waptserverconnection
[IMP] waptconsole: speed deletion on hosts os deploy
[IMP] waptconsole: update-package: save last used settings
[NEW] waptconsole: host packages actions using Don’t Ask Again option
[FIX] waptconsole: small improvements for multi server handling * try to keep last selected server
[FIX] waptconsole: partial fix for waptconsole multiserver: try to keep last used server when starting. * store a “enabled” property in each section of waptconsole.ini * locate server by server_name instead of server_uuid (which would require an initial ping) * TODO: still a race condition issue when loading private key.
[UPD] waptconsole: allow arbitrary maturities when importing packages
[IMP] waptconsole: sorted products and classifications filters on WUA
[FIX] waptconsole: wapconsole acl form: minor fonts typo in grids
[FIX] waptconsole: validate rules grid after saving
[IMP] waptconsole: enhanced rules editing: allow inline grid editing of rules. * todo: restrict columns which can be edited * todo: factorize rules arguments checks in modal form to apply them on inline edit too.
[FIX] waptconsole: SelectWinRe only for windows
[IMP] waptconsole: update_package: inject certificate and private client key to internal WAPT instance * TODO: ask user to confirm as there are security issues with that “feature”. * better provide a WaptServer api with preconfigured auth.
[IMP] waptserver: introduce pymemcache client to share socket sid between process
[SEC] waptserver session lifetime: be sure to reject expired server side session.
[IMP] waptserver: connection: when login, use a temporary server connection with same parameters as current in memory server connection * don’t read inifile, use LoadFromServer
[FIX] waptserver: set openssl MinProtocol = TLSv1.2 set nginx ssl_protocols TLSv1.2 TLSv1.3;
[NEW] waptserver: add TOTP 2FA support
[FIX] waptserver: Revert “Use TLS1.3 only for nginx on linux”
[FIX] waptserver: secondary repo: missing hostname and main ip
[IMP] waptserver linux: move waptserver-uwsgi logs to a /var/log/waptserver directory
[REF] waptserver: unused endpoints cleanup
[UPD] waptserver index page auth: use conf[‘login_auth_methods’] param instead of hardcoded list
[UPD] waptserver: remote repo wapthttpserver: listening on two port like Nginx
[IMP] waptserver: add logrotate for waptserver-uwsgi
[SEC] waptserver: add a random response time for auth to mitigate account enumeration
[NEW] waptserver: remote repo : introducing wapthttpserver in WAPT based on mORMot2 THttpProxyServer
[NEW] waptserver: waptservice local http: restrict threads and max clients * add gc debug info
[FIX] waptserver wapt user sudoers: override umask for environments where default umask is not 0022
[IMP] waptserver: add memcached recommends for debian. * add pymemcache python module * useful if server side session in uwsgi (to share sessions between processes)
[IMP] waptserver: on linux: add optional server side session with memcached * need manual tweaking after install: - pip install pymemcached - install memcached debian packages.html - define for example session_memcached=127.0.0.1:11211 in waptserver.ini
[IMP] waptserver: be keen on licences.son access issue
[FIX] waptserver: disable server side session if uwsgi mode * because we don’t have yet a shared storage for server side session data
[FIX] waptserver: run waptserver and wapttasks on windows using wapt-get.exe
[SEC] waptserver: server side sessions: setup a filesystem storage in /opt/wapt/conf/sessions
[FIX] waptserver: configure waptserver on windows using wapt-get.exe instead of waptpython
[IMP] waptserver: use server side session with flask-session for waptserver sessions. * production storage still to be decided
[FIX] waptserver: agent server connection: reassign client certificate and key when recreateconnection requested. * we try to not close the socket and recreate full client instance, unless * in case client auth is changed, we need to eventually take them in account so close tls socket and assign new paths * fixed a memory leak in client certificate check * set default server connection http keepalive to 60s * set redirectmax to 1
[IMP] waptself: removed DoubleBuffered for the waptself flowpanel * better scrolling fluidity on win7 at least
[FIX] waptself: improve behavior when service is not responding
[FIX] waptself: operation not allowed on sorted list when changing language
[GUI] waptself: improving settings behavior
[FIX] waptself: start to check events after checkupgrades has finished
[FIX] waptself: trigger update after authentication * revert icons cache location to public <wapt>\cache\icons * avoid loading too often the icons * add a callback when authenticated * add TimeOutMS parameter for TtriggerWaptserviceAction * wapttray: checkupgrades on cancel
[IMP] waptself: don’t free the poll threads on close, to avoid waiting for opened sockets
[FIX] waptself: memory leak in streamed image
[FIX] waptself: translation package details viewer
[IMP] waptself: fix regression and add downgrade action * use package_uuid for packages install/remove * handle package_uuid for local package action authorization
[IMP] waptself: improve icons download time
[SEC] waptself: zerofill password memory location.
[FIX] waptself: improve authentication for domain users
[IMP] wads: naming properly config file to wapt-get.ini
[NEW] wads: wads & wgetwads: using now config file parameter
[FIX] wads: deployment with login
[FIX] wads: making change_host_wads_status function safer at server side
[IMP] wads: taking care of function failure
[NEW] wads: setting TimeZone and DateTime
[FIX] wads: double set of RequireDerivedFormResource
[NEW] wads: winpe: now loading configuration from dynamic default configuration if available
[IMP] wads: wads import from wapt inventory: use main uuid
[NEW] wads: listing of format scripts to enable its use again
[IMP] wads: letting the user retry login/password 3 times to avoid restarting the device
[FIX] wads: secondary repos: sort rules by sequence number in GetSecondaryRepo
[FIX] wads: fix wads registration dmi information
[FIX] wads: handle fallback and reachability tests for secondary repos rules. * still to be tested
[NEW] wads: use WinRE file when making the personalized WinPE, if exists
[IMP] setuphelpers: macos: mount_dmg, install_dmg with new powerful params
[IMP] setuphelpers: introduce check_msi_signature helper in waptlicences module
[IMP] setuphelpers: install_exe_if_needed & install_msi_if_needed timeout 600 seconds
[FIX] setuphelpers: fix setuphelpers service_list on linux
[FIX] setuphelpers: incorrect version number return with get_file_properties
[FIX] setuphelpers: PinToTaskbar methods compatible with windows 7
[NEW] setuphelpers: add get_battery_infos() helper
[IMP] setuphelpers: _netfirewallrule() improvements for more accurate prints and adds remote_addresses option
[SEC] setuphelpers: absolute path to msiexec.exe in install_msi_if_needed
[NEW] setuphelpers: Introduce new reg_delete_subkeys in waptutils.py and recursive parameter in registry_deletekey
[SEC] setuphelpers: add absolute path for some windows setuphelpers
[FIX] setuphelpers: detect_file_encoding() was not initialized from setuphelpers
[SEC] setuphelpers: calling absolute path for all run commands
[SEC] setuphelpers: calling absolute path for all run or run_notfatal commands
[IMP] setuphelpers: add run_powershell_script to windows setuphelpers
[IMP] waptsetup: debian waptsetup-gui package: removed xdg-utils, desktop-file-utils depends
[NEW] waptsetup: agent configuration and setup: add a checkbox for peercache enable.
[IMP] waptsetup: create waptsetup: check url before trying to ping
[REM] waptsetup: removed German language deletion (translation was not maintained)
[UPD] waptsetup: removed check of wapt-get.exe in old c:\wapt
WAPT-2.6.0-16552-rc5 (2024-11-18)
hash: 49ddf2d3
This is the fifth release candidate of WAPT 2.6. This release is for testing and qualification purposes. Unless a show-stopping bug surfaces during this release candidate, it should be the final release for wapt 2.6.
Changes since wapt 2.6-rc4 :
[FIX] waptcore: don’t check bound domain in get_allowed_domain_usergroups and be sure AllowedGroups is initialized in get_authorized_user_groups
[FIX] waptcore: fix write_user_protected_file for darwin
[UPD] wapt-get: show user self service groups
[FIX] waptserver: be tolerant on host inventory rollback
[FIX] waptserver: regression on add_host requiring auth even if host is already in database. We allow registration if host data is signed with a trusted certificate
[FIX] waptserver: be sure to force update server if wapt installation has been rolled back or reset
[FIX] waptserver: update_ws_db : make a snapshot copy of ws_connections dict before updating the DB to have a stable dict
[FIX] waptwua: add a PyWuaContextManager class instance to manage the restore of wuauserv status after operations instead of global threadvar which could not be reentrant
[UPD] waptwua: allow to scan and install using websocket even if waptwua is disabled, but disable scheduled downloads or installs * don’t hide banned updates during scan if waptwua is not enabled
[FIX] waptwua: regression on apply_waptwua_settings_to_host for wuauserv Auto start mode
[FIX] waptwua: moved and rewritten TEnsureWuaServRunningCtx with direct win32api
[FIX] waptservice: be sure to not have zero reconnect_delay for socketio
[FIX] waptwua ensure_running context helper: disable wuauserv service before stopping it * try to fix wuauserv staying in manual mode instead of disabled mode after scan.
[FIX] waptagent: try to merge json config but don’t fail if read only access to ini file or db
[FIX] waptagent: be case insensitive to locate user session in Lsa * fix LinuxImpersonate and write_user_protected_file to restrict read access to owner only.
[FIX] waptagent: avoid trying to read or write in private db if not needed
when merging dynamic json configs into wapt-get-ini
when resetting forced host_organizational_unit_dn
don’t merge json into ini by default
merge only in main Wapt instance in wapt-get and waptservice task manager
[FIX] waptconsole: displays checkboxes for boolean in hosts grid
[FIX] don’t write wapt_install_id too early, as this will trigger an integrity constraint violation on wapt_params table when upgrading structure. collision with existing id
[FIX] waptwua: prefix kb article with “KB” to match with allowed or forbidden kbds entries in wapt-get.ini
[FIX] waptwua: forbidden_updates list rule not properly taken into account
[IMP] waptwua: take into account {UpdateId}_{version} as well as {UpdateId}
[FIX] waptconsole: av when multi selection of groups
[IMP] waptconsole: allow self service to add or remove packages on multiple groups
[IMP] waptconsole: list only common packages if multiple groups are selected.
[UPD] waptagent: breaking change: service_auth_type “nopassword” is renamed to “filetoken”
“filetoken” auth method makes use of an encrypted (temporary key) token created by waptservice in the user’s profile with restricted ACLs
it works only if the user has a local profile directory writable for LOCAL SYSTEM
filetoken is same as nopassword.
[IMP] waptagent: use ‘USERNAME’ environ variable for GetUserName on windows as USERNAME is not coherent when using LOCAL SYSTEM context.
For example : to get proper machine username LAP-HT-PC$ instead of autorite nt\système when running as local system
[IMP] waptcore: cleanup of pyldap get_allowed_domain_usergroups
[IMP] waptservice: use mormot pyldap get_authorized_user_groups to check domain ldap group. Use kerberos auth. Should handle nested groups
WAPT-2.6.0-16518-rc4 (2024-11-08)
hash : bb3a435f
This is the fourth release candidate of WAPT 2.6. This release is for testing and qualification purposes.
Changes since wapt 2.6-rc3 :
[IMP] waptselfservice: allow local_login in self when no network
[FIX] waptselfservice: clear packages cache when changing user.
[IMP] waptcore: introduce a ‘wapt_install_id’ value in inventory to detect machine reinstall. It should help to remove server side obsolete data like wua
[IMP] wapt-get: don’t require auth for ‘update’,’update-status’,’upgrade’,’waptwua-scan’,’waptwua-download’,’waptwua-install’, ‘tasks’, ‘ping’
[FIX] waptagent: local_login with ad groups if ad is reachable
[IMP] wapt-get: txt template for wapt-get list and search
[IMP] waptcore: add mustache helpers LocalDate and LocalTime
[UPD] wapt-get --service: require a user token only for actions ‘packages’,’download_icons’,’package_details’,’install’,’remove’,’download’,’forget’,’audit’
[FIX] EnableMsWindowsUpdateService and DisableMsWindowsUpdateService. Add pywaptwua python helper
[FIX] waptself authentication as a different user than current session user.
Return directly base64 encrypted token if explicit external authentication (system, ldap, kerberos) is successful else return base64 encrypted token in a local user profile file.
[FIX] waptagent: not write token in profile when use /login
[FIX] waptconsole: fix editing some packages in Host Packages (and Package overview) grids by double clicks.
Allow filtering on targeted machines by double click on count or machines columns in Host packages and packages overview grids.
[FIX] disabling enterprise options in waptagent build.
[IMP] waptconsole: removed Show WAPT packages checkbox
[FIX] removed wmi and dmi options in dynamic config dialog
WAPT-2.6.0.16231-rc3 (2024-11-06)
hash : a0966b0c
This is the third release candidate of WAPT 2.6. This release is for testing and qualification purposes.
Changes since wapt 2.6-rc2 :
use <user_home_directory>/.config/wapt to store local service auth token
[FIX] create token directory if it does not exist yet
[NEW] add waptlicences ‘render_mustache’ helper
[FIX] wapttray: don’t raise exception if unable to get GetLocalServiceToken(service not yet started)
[FIX] wapttray: get a new token if current one is not valid anymore (in case service is restarted)
[FIX] replace python kerberos auth module with mORMot kerberos auth module. It fixes some SSO auth issues on Linux in multi-AD environment.
remove ldd linkage macos for kerberos
remove ldap3
Remove sspilib
handle auth_context from waptserver_login in waptserver_request
remove kerberos import
[UPD] WAPT.register_computer() with kerberos: use mormot kerberos / laz WpatServer connection
makes use of waptlicences.waptserver_request() with try_kerberos=True
introduce waptlicences.waptserver_request()
waptserver_request(config_filename, action:str, method:str="GET", data:str=None, auth_context:dict=None, user:str=None, password:str=None, try_kerberos:bool=False, additional_headers:str=None) -> dict
returns a dict with content http_status headers and size keys
[FIX] waptwua NEED-SCAN on windows
issue with file datetime in UTC when DST is active
pywaptwua: returns summary_status as a dict
add LocalDateTime First, Last, Slice mustache helpers.
fix pyldap DvToPy
add some type hints
auth_module_ad: removed sid convert to str as SID is now returned as readable str by pyldap
[FIX] wads message at boot for wapt install
[FIX] binary Sid not printed properly or retrieved in search_result
closes #9556
[FIX] being coherent with min length password in postconf (10 chars)
pwd import for darwin
use <user_home_directory>/.config/wapt to store local service auth token
create dirs recursively for token if it does not exist yet
waptservice: uses newly introduced get_profile_path_from_logged_on_sessions(username) to get user profilepath on windows
for #9559
use Lsa to get user <-> sid mapping from cached credentials store
[FIX] waptutils: path for user_config_directory under macOS
waptserver: removed unused /wapt-group endpoint
[UPD] waptexit store authtoken in a common location
add a OnGetAuthToken callback for TPollWaptserviceThread
to be able to reset authtoken in a central location when service is restarted
improve waptself and wapttray reconnection when service is restarted
don’t raise exception if unable to get GetLocalServiceToken
return “” instead
[NEW] add waptlicences ‘render_mustache’ helper
WAPT-2.6.0.16231-rc2 (2024-10-30)
hash : cdf64165
This is the second release candidate of WAPT 2.6. The release is for testing and qualification purposes.
Changes since wapt 2.6-rc1 :
[FIX] add missing uwsgi binary on wapt Linux server
[FIX] fix selfservice auth when Active Directory domain controller cannot be contacted using lsass.exe local caching.
[FIX] waptconsole : fix corner case during authentication when using user client certificate for authentication after ACL certificate configuration
[FIX] waptcore : fix WAPT/control file signature when having multi line description with more than 1 leading space indentation
[FIX] waptconsole : add missing serial number in computer grid.
[IMP] waptconsole: better consistency in acl “view” for wsus/selfservice/config packages (allow read but not modify action like on base type packages)
[IMP] waptsetup: python.exe is now a hardlink pointing to wapt-get.exe
[FIX] waptagent: on macos, fix execute bit on binary
[FIX] waptserver: use signing/sealing cryptographic protection by default instead of TLS for Active Directory connection
[FIX] wads: fix WADS templates for 24h2
WAPT-2.6.0.16446-rc1 (2024-10-22)
hash: 71150fcb
This is the first release candidate of WAPT 2.6. This release is for testing and qualification purposes.
Main new feature:
switch to LDAP SASL GSSAPI Kerberos authentication for Active Directory
hardening of local wapt service : local waptservice is now listening on https TLS socket, split of local db in public and private db
add support for session_cleanup function to integrate cleanup in user session during package uninstall
tech preview : peercache available to
better support for timezone in WADS
add support for dark mode in WaptConsole on Windows (dark mode on Linux and macOS was already supported)
add support for remote assistance through rustdesk, teamviewer, anydesk (need to first install audit packages)
WAPT Windows Update now uses COM early bindings rather than late binding to avoid being broken by incorrect COM TLB updates from Microsoft
support for waptconsole authentication for “Protected Users” group members
add support for json output to wapt-get
add manual audit values, such as warranty expiration date, etc.
automatically match installed software with corresponding package in software inventory tab
enhanced html templating with possible actions ( HttpGet, HttpPost, Join, Get, Count, Pad, PadLeft Values, Keys )
customise output of wapt-get command through templates
Update of all components
Python 3.9.20 and all Python libraries
OpenSSL 3.1.7
Lazarus 3.2 / FPC 2.3 / mORMot 2.3
Caveat and removal:
waptpython is now a symlink pointing to wapt-get binary. Wapt-get binary does PYTHONPATH and PATH cleanup before startup for security reasons and might behave differently compared to original waptpython if you use it for purposes other than WAPT.
WAPT now uses Python certifi certificate bundle by default
removal of dmi / wmi inventory upload. It is now provided through audit data with audit_wmi and audit_dmi packages
if you use non-ActiveDirectory LDAP / Kerberos Authentication, SASL/GSSAPI Kerberos bind may fail
support for Samba Active Directory needs Samba minimum version of 4.16.
Detailed changelog:
[REF] waptservice: removal / cleanup of unused endpoints * check_install package_download waptupgrade install_log enable disable /wapt/<string:input_package_name>
[SEC] waptservice: restrict “show” endpoint on authorized packages * based on selfservice rules
[FIX] waptservice: under macOS keep service running even if session is closed and reopened
[FIX] waptservice : wapttray: fix cpu usage
[SEC] waptservice: set MinProtocol = TLSv1.3 for openssl client
[FIX] waptservice: fix TWaptRepo.FileIsDifferentOnServer if url argument is not relative to repo url.
[NEW] waptservice: Introduce waptwua/uwaptwua.pas, Lazarus porting of waptwua/client.py
[SEC] waptservice: introduce owner on events to filter broadcasting
[SEC] waptservice: https server: be sure to require TLSv1.3 and safe ciphers
[FIX] waptservice: html text is hidden on some linux for waptmessage and waptself
[IMP] waptservice: increase http server threads numbers * as we are keeping connections for long polling, it’s better to allow more threads if we don’t want to wait for free ones. * add waptservice_poll_timeout and waptservice_keep_alive_ms parameters
[IMP] waptservice: when scanning local repo, if Packages index is corrupted, try to recreate it once.
[IMP] waptservice: improve memory leak issue
[IMP] waptservice: try to reduce memory pressure * share the flask Wapt instance * share the sqlite cursor across threads (writes are serialized with lock)
[IMP] waptservice: session_cleanup(): don’t run it if another package with name is still installed.
[NEW] waptservice. Introduce support for per package and user session_cleanup() package hook
[FIX] waptservice: handle in WaptDB.db property getter the case of cross threads access to same WaptDB instance. * reset the sqlite db instance when calling thread is not the create thread * make the db initialization atomic with a lock (prevents ._db to be None for concurrent foreign threads) * store host_uuid as a property of WaptSocketIORemoteCalls to avoid the need of db access. WaptSocketIORemoteCalls is recreated anyway in case of host_uuid change.
[SEC] waptservice: require token for wua local service endpoints
[UPD] waptservice: auth: improve logging
[FIX] waptservice: wapttray: missing token
[SEC] waptservice: removed ‘waptservice_user’,’waptservice_password’ local wapt specific user account (not used) * introduced an allow_local_token decorator to replace most allow_local * added an allow_html (default False) to enable/disable html rendering of local endpoints * /login writes a (optionally encrypted) token in user home directory for local auth * /localtoken writes an encrypted token in user home directory for local auth (no groups) on service * allow POST on /login and /localtoken to post secret key * introduce disable_tls parameter. * use TLS for local service http server unless is True * create at each service startup a new pair of RSA keys in private/localservice.pem and public/localservice.crt for https server * (local client can access public/localservice.crt to validate local server certificate) * host inventory: add an ‘updated_on’ key for dict delta data to know last update date on server.
[NEW] waptservice: allow “forced” download/upgrade/install/remove even if battery is too low
[FIX] waptservice: report of host_metrics peercache_status on Unix platforms
[FIX] waptservice: regression on service startup with Babel configuration * after upgrade of flaskbabel python module
[FIX] waptservice: setuppy not stored properly in private db * audit not working
[BUG] waptservice: linux: add Defaults:wapt !requiretty
[FIX] waptservice: regression on show_message
[UPD] waptservice: try to keep db compatible in case of a revert of agent from to 2.5.5 (because of split of private/public data)
[FIX] waptservice: waptmessage: when started from cmd, wait for application to terminate. * allocate console if -c is provided for html forms json submit * example : waptmessage -c -b PGh0bWw+PGZvcm0gbWV0aG9kPSJTVERPVVQiPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJ0b3RvIj48aW5wdXQgdHlwZT0ic3VibWl0Ij48L2Zvcm0+PC9odG1sPg== --waptbasedir="c:\program files (x86)\wapt" -t 10 -n * honor -t timeout even if no border
[IMP] waptservice: in “nopassword” auth service mode, a single user can be added in self service rules
[IMP] waptservice: cleanup windows PATH on exe startup
[SEC] waptservice: add a openssl.cnf file for win32 exe * to avoid openssl looking in other locations
[SEC] waptservice: disable TLS1 and TLS1.1, disable unsafe ciphers * should comply with CC criteria. * allowed ciphers: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES256-SHA
[IMP] waptservice: on windows: removed waptScripts * no more useful for pyscripter * waptpython.exe == original python.exe * waptwapt-get == waptpython.exe (for pyscripter “venv”) * python38.pth does _not_ import site anymore to avoid sys.path erroneous guessing in waptparent folder
[SEC] waptservice: restrict service local https server cert validity to 3 days * waptservice is restarted every 24h, cert is recreated on start. * be sure local clients (wapt-get, waptexit, waptself, etc.) provide a secret long enough (>64chars)
[IMP] waptservice: don’t check if personal certificate actually exists on disk to enable/disable actions to avoid excessive file accesses on app idle
[IMP] waptservice: We can now only perform Windows Update scans without having to activate waptwua
[FIX] waptservice: be tolerant at socketio client create. sometimes, local db is locked when upgrading.
[FIX] waptservice: migrate host_organizational_unit_dn to public db
[FIX] waptservice: server auth for wapt-get build-waptagent * store host_uuid in public db too
[SEC] waptservice: move waptdb.sqlite to agent private dir at startup of service
[NEW] waptservice: add cheroot requirement for agent.
[FIX] waptservice: store local licencing cache in public DB
[FIX] waptservice: migrate installed package status to publicdb
[SEC] waptservice: core: move waptdb.sqlite into private wapt dir * add a new waptpublicdb.sqlite in waptdb for session-setup * add setuppy and whole control of package in waptpublicdb.sqlite after each successful install * set package removal_date when not available anymore in repository * set uninstall_date when package is removed (uninstalled)
[SEC] waptservice: moved packages cache dir and waptdb.sqlite to private wapt dir. * renamed package_cache_dir to packages_cache_dir
[IMP] waptservice: better handling of server reauthentication when cookie expires. * don’t free the httpclient, just disconnect the socket * don’t clear ClearCachedAuthInfos on failed login as we can have 2 successive attempts with same certificates and keys
[IMP] waptservice: for backward compatibility, stores uuid, hardware_uuid, hostname in private db too
[IMP] waptservice: keep storing setuppy in private local like before the split of private/public local db * for compatibility with older wapt. Allows to revert to old wapt.
[IMP] waptcore: improve display in html templates: waptmustache: HumanBytes is now default in mormot
[NEW] waptcore macos: create /etc/krb5.conf if not exist when call get_domain_info
[FIX] waptcore: distro has changed operation, change of result to find historical behavior
[FIX] waptcore: fix TWaptPackage.ParseCapabilitiesTargetOs target_os ParseComparisonOperators
[SEC] waptcore: remove python uptime unmaintained module
[SEC] waptcore: removed python netifaces unmaintained module
[IMP] waptcore: switch python 3.9.20
[FIX] waptcore: fix for non pure ascii system cacert files (as seen on rocky linux 9) * we load the file ourselves in python because openssl is slow reading the cacert store, 2 bytes at a time when using context.load_verify_locations(cafile=cacert_path())
[FIX] waptcore: fix wakeonlan issues: networking: calc missing broadcast address from ip and netmask * be tolerant if mac is None in DB
[SEC] waptcore: switch to openssl 3.1.7
[IMP] waptcore: add wine based api-ms-win-core-path-l1-1-0.dll for python-3.9 compatibility on windows 7
[FIX] waptcore: uwaptserverconnection: using proper gssapi lib under linux like macOS
[FIX] waptcore: CheckCodeSigned flags set to WTD_CACHE_ONLY_URL_RETRIEVAL
[NEW] waptcore: introduce T7zLib in mormot for compressed file handling
[NEW] waptcore: waptlicences: sz_extract_all function based on T7zLib
[IMP] waptcore: wmi to json: set datetime as ISO8601 in json
[SEC] waptcore: default storage of params is now private only * instead of being public and private by default. * open 2 transactions on both public and private db if public
[NEW] waptcore: introduce “on_connect” audit_schedule option * one can put audit_schedule : on_connect in package control file to trigger the audit on package each time agent’s websocket is (re)connected * we can have several audit schedule : audit_schedule : 1h,on_connect
[IMP] waptcore: Wapt.audit(): add ignore_schedule argument
[IMP] waptcore: harden the audit_schedule decoding with a regexp * add bootup_time in waptutils
[IMP] waptcore: better handling of abort status * avoid OSEXC in logs.
[FIX] waptcore: fix MatchOS for generic linux and unix tags.
[SEC] waptcore: wapt-get / waptexit / wapttray : use TLS and token to access local waptservice. * verify local server cert with public/localservice.crt * get simple token with GetLocalServiceToken calling /localtoken * remove use of cookies in wapt-get and waptself * pass token in Bearer auth header instead of Basic header
[FIX] waptcore: PackageRequest: IsMatching function resulting to wrong result if targeting no OS
[FIX] waptcore: djoin: selecting last AD and DC automatically if available
[NEW] waptcore: waptlicences: add wapt_local_json_get helpers. * wapt_local_json_get(action, authtoken, user, password: str, timeoutms:int =-1 ) -> dict * get_wapt_base_dir() -> str * set_wapt_base_dir(adir: str)
[FIX] waptcore: waptutils: makepath with UNC paths
[IMP] waptcore: improve reconnection after cookie expiration * don’t free HttpClient too early to avoid Access violation in mormot httpclientsocket. use a secondary parallel http server connection to make the actual login * if acls can’t be refreshed, keep previous one. * if acls are nil, just return False in IsUserActionAllowed
[IMP] waptcore: python certifi: use waptlicences.get_system_cabundle_path() if possible on windows * to have a consistent behaviour between fpc code and python code for the where() and windows CA certificates extraction from system store
[IMP] waptcore: improve waptlicences.waptserver_login * optional get_acls * provides optional login_token * improve randomness of temporary client private key password * improve http_keep_alive for waptserver POST * fix potential AV in GetUserToken
[FIX] waptcore: update python4delphi using code from https://github.com/Alexey-T/Python-for-Lazarus * TODO : use directly the Python-for-Lazarus repo and add our patches on top of it.
[FIX] waptcore: update SanitizeFilename * allow @ ( ) * * disallow / “ and #127 (del) * removed unused IsUnsafeFilename * update waptservice localurl to https
[SEC] waptcore: fix password echoing on linux console
[UPD] waptcore: calc default private public dirs from wapt_base_dir
[SEC] waptcore: cleanup of PYTHONPATH when starting agent
[SEC] waptcore: improve randomness of GetRandomPassword in waptcommon
[FIX] waptcore: install package with parameters raise FATAL ERROR : AttributeError: ‘Wapt’ object has no attribute ‘execute’
[FIX] waptcore: allow head method with WaptHttpGetString
[FIX] waptcore: Close ldap connection even if bound failed to avoid socket not being reinitialized
[IMP] waptcore: cleanup * make sure we don’t overflow key and value len when decoding control and packages
[IMP] waptcore: On windows, if current user is system account, use <WaptBaseDir>sslservercacert.pem for cacert.pem file path containing extraction of system store certificates. On windows disable address random for debug. close http connection to reauthorize properly (recreate TLS connection)
[IMP] wapt-get: better handling json output format for some actions.
[IMP] wapt-get: improve console output of tasks events
[IMP] wapt-get: wapt-get build-package: set exit code >0 if bad argument.
[IMP] wapt-get: avoid requesting server uuid when building a package locally
[IMP] wapt-get: wapt-get wua actions in service mode (-S) renamed to waptwua-scan, waptwua-download and waptwua-install * for consistency with direct mode
[FIX] wapt-get: using new global var GssLib_Custom for gssapi
[FIX] wapt-get: wapt-get install/remove/audit --service with multiple packages
[FIX] wapt-get: server password utf8 encoding when typed from windows command line. * regression: password not sent to server
[UPD] wapt-get: never ask waptservice username * like before
[UPD] wapt-get: don’t ask user if service auth is in ‘nopassword’ mode.
[SEC] wapt-get: allow to authenticate using kerberos (like waptself) * zerofill password after use.
[SEC] wapt-get: sanitize system PATH on windows before loading python engine
[FIX] wapt-get: wapt-get ping asking for auth * introduce GetLoginLocalServiceToken with encrypted file tokens * ask password if not nopassword service_auth_type
[UPD] wapt-get: propose default current user for auth on local service.
[REF] wapt-get: terminate with Terminate+Exit instead of Halt
[FIX] wapt-get: wapt-get as python substitute stdout not redirected * when invoked from vscode for example. * or invoked like “python ascript.py > out.txt”
[IMP] wapt-get: wapt-get: when invoked as python.exe, switch to interactive prompt if no py filename argument is provided
[FIX] wapt-get: typo in print
[NEW] wapt-get: add --peercache switch to wapt-get launcher for waptservice
[UPD] wapt-get: peercache: add some settings. * peercache_enable, peercache_interface, peercache_server_enable peercache_port peercache_secret peercache_broadcast_timeout_ms * add --peercache wapt-get command line switch to start peercache process (for waptservice daemon) * add wapt-get download action in service mode
[FIX] wapt-get: don’t fail in GetWorkgroupName if smb.conf does not exist
[IMP] wapt-get: provide a waptmemcache.WaptMemcacheClient python interface for client connection to a http waptmemcache local server
[FIX] wapt-get: fix return value for wapt_sources_edit
[IMP] wapt-get: initialize logger level and output for wapt-get --shell * add keypassword arg to waptserver_login
[FIX] wapt-get: set-uuid: removed fallback on private db * set ‘uuid’ param in public db
[FIX] wapt-get: remove private db access on session-setup * migrate ‘uuid’ ‘hostname’ ‘hardware_uuid’ params into public db
[FIX] wapt-get: init python sys.path
[FIX] wapt-get: take in account private_dir for get WaptDBPath. * use “:memory:” if waptdb path does not exists * fix. wapt-get action must not be converted to lowercase as it can be a python source code. * takes in account wapt_base_dir key in [global] section of inifile
[FIX] wapt-get: session-setup: use only waptpublicdb.sqlite and session DBs
[SEC] wapt-get: use wapt-get.exe as python launcher for waptservice to force system Environment.
[FIX] wapt-get: wapt-get.exe as python runner: strip first sys.argv argument since we expect python script to be first argument and not wapt-get.exe
[UPD] wapt-get: vscode package edit: use <wapt>python.exe as python interpreter
[IMP] wapt-get: allow wapt-get.exe to be used as python.exe * if no argument, run an interactive shell * if wapt-get.exe is named waptpython.exe or python.exe, insert first argument in sys.path at position 0
[IMP] waptwua: removed debug print * fix wapt-get waptwua-xxx tasks report
[FIX] waptwua: refactor waptwua to improve install callback. * avoid potential AV at install if install progress callback is defined * specific loglevel for waptwua with loglevel_waptwua
[IMP] waptwua: use early binding on COM object rather than late binding using TLB to avoid issues where Microsoft breaks its own COM API (Patch Status: No Data (Error Code: 0x8002802B and 0x80070422))
[FIX] waptwua: iso date for installs history
[IMP] waptwua: pywaptwua: add update_history to get history of windows updates installs
[FIX] waptwua: download_updates parameters
[FIX] waptwua: Missing host certificate usage resulting in 401 errors
[FIX] waptwua: Could not convert variant of type (Null) into type (Date) in WMI case
[FIX] waptconsole: translation for vispackagewizard
[IMP] waptconsole: displays updates date in localized local time
[IMP] waptconsole: waptserverconnection: improve reconnection on session expiration
[IMP] waptconsole: auditdata html view: add history and selected rows context data
[IMP] waptconsole: html viewer: when duplicating template, use first filename in TemplateFilenames list. * create template directory if possible. * fallback on user roaming directory. * audit data: allow http link to be opened by double click * html: add proxy for images download
[IMP] waptconsole: update host_audit_debian_upgrades.html
[FIX] waptconsole: fix editing host packages when double click in host’s packages grid * or when downloading package to show embedded files.
[NEW] waptconsole: in Embedded HTML templates: add mustache helpers * {{ Join dictorlist[,","] }} -> str join dict keys or list values * {{ JoinValues dictorlist, "key", "sep" }} -> str join dict[key] values. * {{ Get dict,"key",DefaultValue }} -> get the value for a key if exists, else defaultvalue * {{ Count dict }}
[FIX] waptconsole: fix regression in html audit data view : “Invalid Variant type cast” * when built with current fpc compiler. * does not occur when compiled with more recent “3.2 fixes” fpc…
[IMP] waptconsole packages dev grid: order by update date desc by default. Folder name fixed on left
[NEW] waptconsole: html audit view: add _host context dict with data from focused host for html template.
[FIX] waptconsole: fix uvisupdatepackagesource position saving
[IMP] waptconsole: add a checkbox to ignore signer’s certificate validity dates when re-signing packages * check host package signature and section when re-signing a host package, but ignore certificate validity dates.
[FIX] waptconsole: waptserverconnection: recreate connection in case of local client error (666)
[IMP] waptconsole: try to fix audit history panels splitters
[FIX] waptconsole: when editing a package, wrong message “invalid package”
[IMP] waptconsole: allow RustDesk connection even if no password available (it will ask the final user for allowing current connection)
[NEW] waptconsole login: add shortcuts on translated labels * allow --user= in command line * keep supplied user and password when retrying if login failure
[UPD] waptconsole: don’t ask for personal certificate and prefix if not needed * when no right to sign packages or actions in console, no need to ask prefix or user certificate * when for example console is used only as reporting tool.
[NEW] waptconsole: connect via TeamViewer if available
[NEW] waptconsole: connect via RustDesk if available
[NEW] waptconsole: showing encrypted data in host inventory
[FIX] waptconsole: dynamic configurations with peercache
[SEC] waptconsole: CSPN TOE. disable peercache config in cspn_toe mode
[IMP] waptconsole: package edit: allow on_connect, on_disconnect and a list of schedules in audit_schedule control check * add completion. * moved connect/disconnect events handling in the on_xxx of socketio namespace
[GUI] waptconsole : Using a button instead of a label for opening a cert file when asking for trusted cert
[FIX] waptconsole: rules can’t be named wapt
[IMP] waptconsole: reporting: delay in displaying huge data in grid
[NEW] waptconsole: add reachable column in HostsForSoftware panel * allow to trigger actions on connected hosts
[IMP] waptconsole: Wapt python in waptconsole: use :memory: for publicdbpath
[FIX] waptconsole: Package wizard, adding arm/arm64 arch, debian/redhat based and ubuntu target os
[REF] waptconsole: djoin: little refactoring of GUI
[FIX] waptconsole: ACL for Delete unused KB action
[FIX] waptconsole: missing translation for host description change
[NEW] waptconsole: reporting: F4 shortcut to execute the selected query
[NEW] waptconsole: allowing user to skip update
[IMP] waptconsole: fix cyberwatch template
[FIX] waptconsole: enable make package template action
[NEW] waptconsole: dynamic configuration allowing drop certificates on grid
[GUI] waptconsole: showing full windows version and pretty name when available in host WUA tab
[IMP] waptconsole: error message when building a host package
[UPD] waptconsole: enable autosearch on audit tree view filter
[REF] waptconsole: viswuagroup using now DMWaptConsole.StatusImages16
[UPD] waptconsole: enabling check files menu in secondary repositories if reachable
[NEW] waptconsole: include last_audit_status in per-host packages status overview
[IMP] waptconsole: use default tisgrid Ctrl+Del for row deletion in wads and dev grids
[IMP] waptconsole: sync log memo content depending on packages status grid column
[IMP] waptconsole: be sure to clean temp auth certificates on relogin
[FIX] waptconsole: regression on using a personal private key with password for login * be sure to have safe return values for some getter on waptserverconnection
[IMP] waptconsole: speed deletion on hosts os deploy
[IMP] waptconsole: update-package: save last used settings
[NEW] waptconsole: host packages actions using Don’t Ask Again option
[FIX] waptconsole: small improvements for multi server handling * try to keep last selected server
[FIX] waptconsole: partial fix for waptconsole multiserver: try to keep last used server when starting. * store a “enabled” property in each section of waptconsole.ini * locate server by server_name instead of server_uuid (which would require an initial ping) * TODO: still a race condition issue when loading private key.
[UPD] waptconsole: allow arbitrary maturities when importing packages
[IMP] waptconsole: sorted products and classifications filters on WUA
[FIX] waptconsole: waptconsole acl form: minor fonts typo in grids
[FIX] waptconsole: validate rules grid after saving
[IMP] waptconsole: enhanced rules editing: allow inline grid editing of rules. * todo: restrict columns which can be edited * todo: factorize rules arguments checks in modal form to apply them on inline edit too.
[FIX] waptconsole: SelectWinRe only for windows
[IMP] waptconsole: update_package: inject certificate and private client key to internal WAPT instance * TODO: ask user to confirm as there are security issues with that “feature”. * better provide a WaptServer api with preconfigured auth.
[IMP] waptserver: introduce pymemcache client to share socket sid between process
[SEC] waptserver session lifetime: be sure to reject expired server side session.
[IMP] waptserver : connection: when login, use a temporary server connection with same parameters as current in memory server connection * don’t read inifile, use LoadFromServer
[FIX] waptserver: set openssl MinProtocol = TLSv1.2 set nginx ssl_protocols TLSv1.2 TLSv1.3;
[NEW] waptserver: add TOTP 2FA support
[FIX] waptserver: Revert “Use TLS1.3 only for nginx on linux”
[FIX] waptserver: secondary repo: missing hostname and main ip
[IMP] waptserver linux: move waptserver-uwsgi logs to a /var/log/waptserver directory
[REF] waptserver: unused endpoints cleanup
[UPD] waptserver index page auth: use conf[‘login_auth_methods’] param instead of hardcoded list
[UPD] waptserver: remote repo wapthttpserver: listening on two port like Nginx
[IMP] waptserver: add logrotate for waptserver-uwsgi
[SEC] waptserver: add a random response time for auth to mitigate account enumeration
[NEW] waptserver: remote repo : introducing wapthttpserver in WAPT based on mORMot2 THttpProxyServer
[NEW] waptserver: waptservice local http: restrict threads and max clients * add gc debug info
[FIX] waptserver wapt user sudoers: override umask for environments where default umask is not 0022
[IMP] waptserver: add memcached recommends for debian. * add pymemcache python module * useful if server side session in uwsgi (to share sessions between processes)
[IMP] waptserver: on linux: add optional server side session with memcached * need manual tweaking after install: - pip install pymemcached - install memcached debian packages.html - define for example session_memcached=127.0.0.1:11211 in waptserver.ini
[IMP] waptserver: be keen on licences.son access issue
[FIX] waptserver: disable server side session if uwsgi mode * because we don’t have yet a shared storage for server side session data
[FIX] waptserver: run waptserver and wapttasks on windows using wapt-get.exe
[SEC] waptserver: server side sessions: setup a filesystem storage in /opt/wapt/conf/sessions
[FIX] waptserver: configure waptserver on windows using wapt-get.exe instead of waptpython
[IMP] waptserver: use server side session with flask-session for waptserver sessions. * production storage still to be decided
[FIX] waptserver: agent server connection: reassign client certificate and key when recreateconnection requested. * we try to not close the socket and recreate full client instance, unless * in case client auth is changed, we need to eventually take them in account so close tls socket and assign new paths * fixed a memory leak in client certificate check * set default server connection http keepalive to 60s * set redirectmax to 1
[IMP] waptself: removed DoubleBuffered for the waptself flowpanel * better scrolling fluidity on win7 at least
[FIX] waptself: improve behavior when service is not responding
[FIX] waptself: operation not allowed on sorted list when changing language
[GUI] waptself: improving settings behavior
[FIX] waptself: start to check events after checkupgrades has finished
[FIX] waptself: trigger update after authentication * revert icons cache location to public <wapt>cacheicons * avoid loading too often the icons * add a callback when authenticated * add TimeOutMS parameter for TtriggerWaptserviceAction * wapttray: checkupgrades on cancel
[IMP] waptself: don’t free the poll threads on close, to avoid waiting for opened sockets
[FIX] waptself: memory leak in streamed image
[FIX] waptself: translation package details viewer
[IMP] waptself: fix regression and add downgrade action * use package_uuid for packages install/remove * handle package_uuid for local package action authorization
[IMP] waptself: improve icons download time
[SEC] waptself: zerofill password memory location.
[FIX] waptself: improve authentication for domain users
[IMP] wads: naming properly config file to wapt-get.ini
[NEW] wads: wads & wgetwads: using now config file parameter
[FIX] wads: deployment with login
[FIX] wads: making change_host_wads_status function safer at server side
[IMP] wads: taking care of function failure
[NEW] wads: setting TimeZone and DateTime
[FIX] wads: double set of RequireDerivedFormResource
[NEW] wads: winpe: now loading configuration from dynamic default configuration if available
[IMP] wads: wads import from wapt inventory: use main uuid
[NEW] wads: listing of format scripts to enable its use again
[IMP] wads: letting the user retrying login/password 3 times to avoid restarting the device
[FIX] wads: secondary repos: sort rules by sequence number in GetSecondaryRepo
[FIX] wads: fix wads registration dmi informations
[FIX] wads: handle fallback and reachability tests for secondary repos rules. * still to be tested
[NEW] wads: use WinRE file when making the personalized WinPE, if exists
[IMP] setuphelpers: macos: mount_dmg, install_dmg with new powerful params
[IMP] setuphelpers: introduce check_msi_signature helper in waptlicences module
[IMP] setuphelpers: install_exe_if_needed & install_msi_if_needed timeout 600seconds
[FIX] setuphelpers: fix setuphelpers service_list on linux
[FIX] setuphelpers: incorrect version number return with get_file_properties
[FIX] setuphelpers: PinToTaskbar methods compatible with windows 7
[NEW] setuphelpers: add get_battery_infos() helper
[IMP] setuphelpers: _netfirewallrule() improvements for more accurate prints and adds remote_addresses option
[SEC] setuphelpers: absolute path to msiexec.exe in install_msi_if_needed
[NEW] setuphelpers: Introduce new reg_delete_subkeys in waptutils.py and recursive parameter in registry_deletekey
[SEC] setuphelpers: add absolute path for some windows setuphelpers
[FIX] setuphelpers: detect_file_encoding() was not initialized from setuphelpers
[SEC] setuphelpers: calling absolute path for all run commands
[SEC] setuphelpers: calling absolute path for all run or run_notfatal commands
[IMP] setuphelpers: add run_powershell_script to windows setuphelpers
[IMP] waptsetup: debian waptsetup-gui package: removed xdg-utils, desktop-file-utils depends
[NEW] waptsetup: agent configuration and setup: add a checkbox for peercache enable.
[IMP] waptsetup: create waptsetup: check url before trying to ping
[REM] waptsetup: removed German language deletion (translation was not maintained)
[UPD] waptsetup: removed check of wapt-get.exe in old c:wapt
WAPT-2.5 Serie
WAPT-2.5.5.15697 (2024-09-11)
hash: 20422a0b
This is a bugfix release.
[FIX] waptconsole wads: Fixed a bug with djoin
[UPD] waptcore: upgrade lib OpenSSL to 3.1.7, upgrade python to 3.8.20
[FIX] correction of the login on wads which no longer worked
[IMP] waptserver: on Linux: use TLS1.3 AND use TLS1.2 for nginx on linux
WAPT-2.5.5.15691 (2024-07-18)
hash: 84dca83d
This is a bugfix release. The main change is the use of a generic Linux Python build (one per architecture) on Linux. The generic Linux Python build allows using the same WAPT agent on different deb and rpm based distributions.
[FIX] waptconsole: fix hardware treeview filtering does not show keys with NULL values
[IMP] waptconsole: improve search ldap groups with pagination for larger domains
[FIX] waptconsole: fix potential Access violation when importing a package from sources with dependencies
[FIX] waptconsole: fix export to CSV / XLS of NULL or empty cells
[FIX] waptconsole: htmlviewer: ensure templates path is created when editing template
[IMP] waptconsole: improve GUI for waptupgrade (Linux and macOS)
[IMP] waptconsole: improve waptserver reconnection
[FIX] waptcore: add python waptcrypto SSLPKCS12.save_as_p12. Don’t create a pkcs#12 bundle on register anymore (to avoid potential CVE-2024-26130)
[FIX] waptcore: fix get_domain_info() ldap result does not need .items call anymore
[IMP] waptcore: remove dist from agent and server rpm package names
[FIX] waptcore: fix type_debian() and type_redhat(). It should now better match for any Debian / Redhat derivatives
[IMP] waptcore: add impacted_process in waptupgrade packages
[IMP] waptcore: on Linux, use generic python build with generic linux python
[FIX] waptcore: fix get_domain_info unix using pyldap
[NEW] waptcore: add pyldap cldap_get_best_ldap_controller, cldap_get_ldap_controller cldap_get_domain_info helpers
[FIX] waptcore: fix pyldap memory leaks and double free issue
[FIX] waptcore: mormot2 better handling of 0 byte zip file
[FIX] waptagent: setup: fix write to default_global instead of global if default_global section is not empty
[FIX] waptagent: fix getting current user domain for wapt self service
[FIX] waptagent: waptself: fix some memory leaks
[FIX] waptagent: be sure to not try to call windll.iphlpapi on non windows OS (might be called on non windows os when reconfig_on_network_change = True)
[IMP] waptagent: allow to use selfservice features on command line to improve usability for visually challenged users. As standard user, using wapt-get install -S tis-packagename, wapt-get will authenticate using Kerberos with the local service and install the package
[IMP] waptserver: improve nginx configuration for large network: sendfile_max_chunk -> 1m
[IMP] waptserver: add /homepage_kerberos URI for SSO authentication on waptserver home page
[IMP] waptserver: rpm waptserver and waptagent: removed dependencies policycoreutils-python-utils, postgresql-server, postgresql-contrib. Installation of dependencies is already covered in the documentation. It allows more transparent upgrades.
[IMP] waptserver: add a requests rate limitation on nginx if rate_limit server parameter is True
[IMP] waptserver: restrict list of Ad OU, Ad Sites, Ad Groups based on user perimeters acls.
[IMP] waptserver: on Linux: use TLS1.3 for nginx on linux
[FIX] waptserver: on Linux, fix for non conventional umask, reset right on Packages after recreation
[FIX] waptserver: on Windows, fix typo in InnoSetup server installer
[NEW] waptserver: add script get_linux_and_macos_agent.sh (for download waptagent linux and macos from linux server)
[IMP] waptserver: linux: logrotate with limit in log files (waptserver and waptserver-uwsgi systemd scripts)
[IMP] waptserver: add /opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh to check and validate LDAP configuration on WaptServer
[IMP] waptserver: improve web interface of waptserver (for linux and macos, download and config)
[FIX] setuphelpers: Invalid IPinnedList interface version detection for pin_to_taskbar() function
[FIX] setuphelpers: fix regression “ImportError: cannot import name ‘get_computer_domain’ from ‘setuphelpers’ (/opt/wapt/setuphelpers.py)”
[IMP] setuphelpers: reduced GetBiosInfos
WAPT-2.5.5.15640 (2024-06-20)
hash: 7265bc7e
This is a bugfix release. Among other things, it fixes a minor memory leak that could become major in certain corner cases.
[FIX] waptcore: fix memory leak in DVToPyObject
[FIX] waptcore: fix linux create waptagent on command line: fix GetApplicationVersion on unix (erroneous spaces in waptupgrade filename)
[FIX] waptcore: fix wapt-scanpackages “path should be string, not None” for ssl_client_crls server config parameter
[UPD] waptcore: upgrade lib OpenSSL to 3.1.6, SQLite to 3.46.0, 7zip lib to 24.6.0, Psycopg2 to 2.9.9
[NEW] waptcore: add support for Ubuntu 24.04
[NEW] waptcore: rework Python 3.8.19 install to be distribution agnostic
[FIX] waptserver: fix update websocket status table (update_ws_db) for SQL queries in reporting
[UPD] waptserver: increase max size of computer_ad_site and computer_ad_ou for computer with very long DN in Active Directory
[FIX] waptserver: require admin or register_host acl for add_host endpoint
[FIX] waptconsole: allow a simple user with ‘view’ acl to change its password if password is managed by the wapt server htpasswd file (auth method ‘passwd’ only)
[FIX] waptconsole: avoid starting gettasksstatus thread if no personal certificate
[FIX] waptconsole licence status: in case of network failure, don’t retry to get licences data too often
[IMP] setuphelpers: Add implicit names for install scripts for automatic completion in PyScripter and VSCode
[NEW] setuphelpers: on windows add new helpers pin_to_taskbar() (available on win7, win8, win10), unpin_from_taskbar(), list_taskbar_pins()
[NEW] setuphelpers: add waptlicences.get_battery_infos() helper
[FIX] wads: allow wads in http even though force_https=True
[FIX] waptagent self service: don’t allow to remove a package if user is not allowed to remove parent packages which depend on it
[UPD] waptself: reset frame status progress bar and buttons if uninstall is not allowed
WAPT-2.5.5.15602 (2024-05-22)
hash: 2793e726
This release implements a few fixes after user feedback since 2.5.5.15556.
The main issues were:
failure in self service login which was failing for users that had no entry in WAPT ACL table
overwrite of let’s encrypt https certificate in some cases
Details of changelog entries:
[FIX] waptagent: waptsetup use_random_uuid from json config
[FIX] waptagent: reporting [install_status] property not found
[FIX] waptagent: fix use_random_uuid which didn’t work properly when coupled with dynamic config
[IMP] waptagent: add a buggy bios uuid 03000200-0400-0500-0006-000700080009
[FIX] waptagent: fix waptagent use_random_uuid regression
[FIX] waptagent: dynamic config editor: be tolerant if a pem from json is empty * but this should not happen
[FIX] waptagent: waptsetup: don’t cleanup agent’s <wapt>\templates folder on install.
[FIX] waptagent: wapt-get add-licence ask explicitly for server auth. Same RequireServerAuth hook added for list-available-config, upload-package, build-waptagent
[UPD] waptagent: waptsetup: removed the ability to cleanup the current agent configuration. Some users wrongly select this option without knowledge of the actual consequences (removed all config, certificates, etc…)
[UPD] waptagent: vscode package edit: use <wapt>\Scripts\python.exe as python interpreter. Don’t create python.exe link in <wapt> folder. <wapt> folder is currently in system PATH and some people expect that “python” in cmd launches the first found system wide “python” instead of wapt python.
[FIX] waptagent: missing manifest for python substitute. python.exe win32api.GetVersionExe() returning 6.2 for win10.
fix regression on debug runwaptserver command
fix regression on debug runwaptservice.bat command
[FIX] waptagent: websocket client: be sure to not use a HTTP_PROXY from environment when no proxy is defined in config. There is a bug in websocket module which does not follow the trust_env=False parameter from requests.Session.
[IMP] waptagent: wapt-get build-waptagent: takes in account default maturity from command line or ini file. Set forced_install_on to now like in waptconsole
[FIX] waptserver: ldap server auth failed for selfservice if user has no acls on wapt server. Revert “[SEC] waptserver: for /login, if user has no acls at all, reject authentication even if raw authentication is successful”
[IMP] waptcore: use get_system_cabundle_path from lazarus waptlicences module. On windows, if current user is system account, use <WaptBaseDir>\ssl\server\cacert.pem for cacert.pem file path containing extraction of system store certificates. Share the same logic between python code and lazarus code
[SEC] waptcore: waptlicences.waptserver_login: user password not cleared in memory on function exit. Fix last commit (ask temporary client private key password on relogin)
[FIX] waptcore: regression: use default pyscripter editor if None defined in ini file.
[FIX] waptcore: memleak in waptserverconnection.login when opening a connection to the server
[FIX] waptcore: fix memleak in waptcrypto TX509CertificatesChainHelper.InitFromPEM
[IMP] waptserver: allow POST requests for import_host_from_inventory
[IMP] waptserver: linux postconf: keep old server certificate CN and subjectAltName attributes when generating a new children certificate. Prevent the case where the actual linux server name is not a valid dns name. In this case, we created a bad certificate previously.
[FIX] waptconsole: trim user edited text in grids for trailing space or leading space
[FIX] waptconsole: fix “file not opened” error in waptconsole MSI package wizard.
[FIX] waptconsole: fix portable application template in package wizard
[UPD] waptconsole: takes in account --config -c argument to set a specific configuration file
[FIX] waptconsole: fix access violation if tisgrid (when refreshing wads hosts grid)
[NEW] waptconsole: add an action (hidden by default, can be added to toolbar) to export wapt hosts inventory to wads hosts inventory.
[NEW] waptconsole: Add an action in hosts popup menu to export selected hosts to Wads inventory.
[FIX] waptconsole: ad treeview focused node color on Linux
[FIX] waptconsole: fix translation of “forced install on”
[FIX] setuphelpers: regression on setuphelpers get_powershell_str(). Progress was returned in output because of stderr redirected to stdout
[IMP] wads: wgetwads calc wads.exe url using rules.json and GetSecondaryRepo like in wads instead of requesting waptserver with a redirect?
[IMP] wads: use http:// by default instead of https for the proposed url of secondary repositories. There is no easy way to distribute a server CA for secondary repositories
[FIX] wads: when calculating secondary repo URL on server, keep the protocol of default URL only for IPXE /api/v3/get_host_ipxe endpoint. For other cases, we keep the proto of the rule. (forward_proto=False)
WAPT-2.5.5.15556 (2024-04-24)
hash: bc556ed5
Note
This version has a few issues. Please do not use it; use the next one.
This is a bugfix and security hardening release.
Noteworthy items:
for security hardening, standard Python interpreter python.exe is now replaced by a Lazarus wrapper calling python38.dll that restricts the PATH, PYTHONPATH and VENV auto discovery to avoid looking outside of the WAPT install directory.
Caveats:
wapt-get edit package does not load vscode editor (code.cmd is no more in default windows PATH as PATH is cleaned up).
python winsys.dialogs module can not be loaded on windows: winsys.dialogs.x_dialogs: (1813, 'LoadIcon', 'The specified resource type cannot be found in the image file.'). The module winsys is not used by WAPT itself anymore or by packages on the WAPT store, but may be used in internally developed packages.
in vscode, the python launcher is still the original waptpython.exe. Using wapt-get.exe as launcher does not work and is fixed in master/2.6. This means debugging in vscode does not match exactly what will be done in waptservice as wapt-get.exe cleans up python PYTHONPATH and windows system PATH, and wapt-get.exe provides pyldap and waptlicences python modules.
Details of fixes and improvements:
[FIX] waptagent: update of cacert.pem from windows certstore in win64 system32 localappdata .certifi
[FIX] waptagent: macOS: improve pre and post install scripts in install macOS agent to improve upgrade handling of WAPT
[FIX] waptagent: republish ‘repositories’ url list in host_info
[FIX] waptagent: waptwua: ignore corrupted wua rules json file (empty file, or not json file)
[FIX] waptagent: macos: stopping waptservice before install
[FIX] waptagent: macos: fresh install of agent service file WAPT on macOS.
[FIX] waptagent: wapt-get: init sys.path for linux / darwin
[IMP] waptagent: macos: avoid calling mac_ver too frequently as system version is unlikely to change without a restart of waptservice.
[FIX] waptagent: linux: try to create .config user dir for token_file
[FIX] waptagent: linux: fix password echoing on linux console
[FIX] waptagent: wapt-get server password utf8 encoding when typed from windows command line.
[FIX] waptagent: waptwua: fix install_date info
[UPD] waptagent: default httpkeepalive to 2s
[UPD] waptagent: service: socket client, retry accessing to waptdb at startup in case db is locked by other processes.
[FIX] waptagent: fix NetLocalGroupGetMembers
[IMP] waptagent: windows: local_group_members now use get_user_from_sid
[FIX] waptagent: Fix domain_controller_address
[IMP] waptagent: create cache for sid to username mapping, use Domain information from history (registry, gpupdate)
[FIX] waptagent: install_updates disable install if not waptwua_enabled
[SEC] waptagent: improve randomness of temporary client private key password
[UPD] waptagent: improve wapt agent logs
[FIX] waptagent: wapt-get check-licences : be tolerant if waptdb.sqlite is readonly (not admin mode)
[UPD] waptagent: agent logs: keeps log in one file per executable and limit its size to 4Mb
[FIX] waptagent: wapt-get --service action: don’t use ‘admin’ default user.
[SEC] waptagent: waptsetup.exe: be sure to run commands from explicit locations
[FIX] waptagent: waptstarter: set repo_url and install tranquilit trusted cert for packages
[FIX] waptagent: service: selfservice rules merging: merge issue if group names are not lowercase
[NEW] waptagent: waptwua: add forced install checkboxes for wsus rules packages and self service rules packages
[NEW] waptagent waptwua: Add user_locale in waptwua params
[IMP] waptagent: wapt-get: add a debug ldap search tool (lds action): wapt-get lds “filter” [csv-list-of-attributes]. If given filter arg does not start with '(', search with (|(CN=%)(mail=%)(name=%)(sn=%)(givenName=%)) filter
[SEC] waptcore: wapt-get is now the python launcher for service and server
Scripts\python.exe is now a symlink to wapt-get.exe
Scripts\python.exe is the python launcher for pyscripter.
[IMP] waptcore: buildwaptpackage: don’t try to compress files known to be already compressed (‘.msi’,’.jpg’,’.zip’,’.z’,’7z’,’.png’,’.gz’, etc.)
[IMP] waptcore: use wapt-get --hide for session-setup on windows
[FIX] waptcore: wapt-get linux: remove line ending trick as it forces buffering of output.
[IMP] waptcore: use wapt-get.exe instead of waptpython.exe as python loader in waptagent and waptserver services
windows system contains only windows and wapt directories
make sure sys.path contains only modules provided by wapt.
waptlicences and pyldap modules are provided directly by wapt-get.exe
wapt-get.exe can be used instead of waptpython.exe with pyscripter for example.
[IMP] waptcore: wapt-get: when windows PATH cleanup, keep all c:\windows\* PATH parts
[FIX] waptcore: wapt-get: load properly the config from -c command line option
[FIX] waptcore: updated sanitize_filename in python to match what is done in fpc code SanitizeFilename (allow @ ( ), disallow / " and #127 (del))
[SEC] waptcore: update Python to 3.8.19
[FIX] waptcore: switch python4delphi to python-for-lazarus for mac arm64 compatibility.
[FIX] waptcore: wapt-get install/remove/forget/audit --service with multiple packages. Initialize logger level and output for wapt-get --shell
[SEC] waptcore: workaround for buggy mimetypes module
[UPD] waptcore: add a updated_on information on dict host inventory
[SEC] waptcore: replace dangerous python uptime with mormot function. Remove uptime lib
[FIX] waptcore: waptlicences add encrypt_aes_pkcs7 and decrypt_aes_pkcs7
[FIX] waptcore: be sure to send new audit data even if host clock is in future
[FIX] waptcore: don’t keep cached cacert.pem if filesize on disk is null
[FIX] waptcore: in some cases, there could be no audit_data if never sent to server (None compared to str)
[REM] waptcore: remove build upload in vscode and pyscripter project file. Build-upload should now be done through the waptconsole as there are many cases where it does not work in dev user context.
[NEW] waptcore: add update_package file reference on psproj for easier access
[UPD] waptcore: update mormot2 for the use of .test in IsDirectoryWritable() (reduced risk of EDR false positive)
[UPD] waptcore: when updating CRL, check new CRL before replacing it
[IMP] waptcore: force usage of mormot.core.os.GetTickCount64 for Windows 2008/XP compatibility
[NEW] waptcore: introduce pltis_pyldap module to replace python ldap3 module for better AD LDAP support
[UPD] waptcore: wapt persistent_dir handling in dev mode. Persistent_source_dir is always defined and =dev directory. Persistent_dir=persistent_source_dir when package_uuid is None. On package remove, be sure to not delete persistent_dir if path does not start with agent private/persistent path
[IMP] waptcore: update copyright date… we are now in 2024
[FIX] waptcore: invalid waptupgrade package control signature if forced_install_on is unchecked
[FIX] waptconsole: fix combo layout: removed maxheight 21 for linux layout
[FIX] waptconsole: fix offline export/import of missing wsus cab
[IMP] waptconsole: add audit and forced install action in host packages status overview popup menu
[IMP] waptconsole: fix wads search hosts
[FIX] waptconsole : fix update_package support on Linux
[SEC] waptconsole: don’t keep server user encrypted password in wapt-get memory
[SEC] waptconsole: don’t keep the encrypted user server password in memory anymore
[FIX] waptconsole: when editing control file in waptconsole, don’t refresh control edit content if focused. This fix the issue of not able to type a space at the end of a line
[FIX] waptconsole update package source form: allow to upload if update_package function return True
[FIX] waptconsole: on Windows, proxy configuration or store token may not be properly kept saved in configuration file when console is closed.
[FIX] waptconsole: update_package_sources gui: be sure to have WaptBaseDir in python path (otherwise it prevent update_package from working on linux platform)
[FIX] waptconsole: better handle decrypt/encrypt checkbox in audit data to avoid wrong refresh
[FIX] waptconsole import proprietary packages: redirect to web page for licence validation
[NEW] waptconsole: provide re-signing option in wads iso listing (useful when old adminsys is gone for example)
[NEW] waptconsole: provide re-signing option on wads host configuration (useful when old adminsys is gone for example)
[IMP] waptconsole: restore right click on wads host configuration to edit config
[UPD] waptconsole: add secondary shortcut Ctrl+Shift+U for forced update and restore Ctrl+U for update shortcut
[IMP] waptconsole: improve usability of the context menu in the private repository to update selected packages from selected store. Now it is redirected to the import from internet gui with proper settings to see the updates available.
[IMP] waptconsole: handling enterprise or entreprise spellings in packages tags.
[UPD] waptconsole grids: increase max width
[NEW] waptconsole: add context menu to re-sign wads driver bundles (handy when older sysadmin is gone and one need to re-sign with own key)
[IMP] waptconsole: wads more permissive import from csv with just minimal values “hostname”;”mac_addresses”
[UPD] waptconsole: createwaptagent: show a warning if there are no SubjectAltNames on server certificate * don’t save initialdir
[UPD] waptconsole: disable autosearch in import packages from internet
[UPD] waptconsole: multiserver mode: when a specific server is selected, use settings from its section. It is useful when different private keys are used depending on server. If server specific settings used are a merge of section specific settings and [global] section settings.
[IMP] waptconsole: save secondary repos grid settings
[SEC] setuphelpers: waptconsole update-package: don’t provide GetPrivateKeyPassword and GetWaptServerAuth hooks to waptconsole python scripts anymore. This can lead to password leaks if used improperly
[FIX] setuphelpers: regression on run_powershell with bad xml output
[IMP] setuphelpers: backport reg_delete_subkeys and run_powershell_script. Use absolute path for run_powershell system32\WindowsPowerShell\v1.0\powershell.exe
[IMP] setuphelpers: unregister_uninstall now includes empty_names to make sure the registry is cleaned up as expected
[IMP] wads: switch copy_winpe_x64_in_tftp_folder to True
[FIX] wads: require client side ssl authentication for rule.json only if login_on_wads=True
[FIX] wads: GetSecondaryRepo random response. Order rules by sequence, initialize IsMatching to False. Handle no_fallback and check reachability with test to <repohost>/wads/hash.json
[FIX] waptserver: don’t force to lowercase wapt-get first argument as it can be a filename
[FIX] waptserver: better handling of local cookies: set SESSION_COOKIE_PATH to application uri path
[FIX] waptserver: windows install: use wapt-get.exe as python wrapper for postinstall scripts
[SEC] waptserver: windows setup: use absolute paths for winsetup.py
[FIX] waptserver: pylicences: takes in account waptbasedir
[SEC] waptserver: for /login, if user has no acls at all, reject authentication even if raw authentication is successful
[SEC] waptserver: in secure mode, the server session token is regenerated at each server startup
[SEC] waptserver: do not respond immediately to every request, even when the answer is correct; otherwise brute force becomes possible by measuring the response time. Add _dns_sid_ttl for sid
[IMP] waptserver: purge old unreferenced packages record from database after scanning repository. Remove records for packages that are no longer available and no longer referenced by host inventories.
[FIX] waptserver: uwsgi mode: bad path for uwsgi_params -> will be in wapt/conf/uwsgi_params only now. missing PROTO forwarding ($scheme -> HTTP_X_FORWARDED_PROTO -> X-Forwarded-Proto)
[FIX] waptserver: typo in waptserver config url on index page
[SEC] waptserver: use uuid4 instead of uuid1 for server_uuid
[SEC] waptserver: htpasswd: use sha256_crypt as default password scheme, set 600 access mode on htpasswd file on linux.
[SEC] waptserver: waptserversetup.exe: be sure to run commands from explicit locations
[FIX] waptserver: Remove check computer_fqdn with kerberos when register, problem with linux and mac
[FIX] waptserver: on index page: use original request http protocol for the agent configuration download URL. Fix URL in http instead of https.
[FIX] waptserver: nginx config: forward the original http protocol for redirects. It fixes waptdeploy trying to download using http instead of https
[UPD] waptserver: postconf linux: if the current server certificate is self-signed, is a CA and has no subjectAltNames, use it as a CA and recreate a child certificate with subjectAltNames for the nginx server. Some https clients fail verification if the server certificate has no subjectAltNames.
[FIX] waptserver: regression on loading existing session secret_key from waptserver.ini. When use_uwsgi=True, secret_key is shared between all waptserver processes
[UPD] wads: set time when ptcode: upgrade mormot2 for SetSystemTime feature.
[IMP] wads: add template desktop linux ubuntu 22.04.01
[UPD] wads: djoin add dnsHostName and servicePrincipalNames attribute when creating machine account. Allow add groups to machines by default
[IMP] wads: open import template folder on templates path
[NEW] wads: new debian desktop templates with graphical interface and djoin integration
WAPT-2.5.4.15342 (2024-02-16)
hash: 6215c9da
This is a minor bugfix release, upgrade is not necessary unless you happen to have the corresponding bug.
[FIX] Better handling of non-standard http/https port during Kerberos authentication. WAPT Agent authentication could fail if the https port was non standard (like 8443 for example) when using Microsoft Active Directory. There is no issue if you use Samba Active Directory, the problem happens only with Microsoft Active Directory.
WAPT-2.5.4.15337 (2024-02-14)
hash: 01a4eee0
This is the fourth release of WAPT 2.5 series.
It fixes a bug in the console that prevented updating waptagent due to a too strict certificate check: the signature validity was checked on today’s date rather than the date of the signature itself.
Other minor fixes are listed below.
[UPD] waptcore: check waptsetup.exe hash using waptbinaries.sha256 and code signing cert when wapt-get build-waptagent
[UPD] waptcore: codesigning certificate is now a EV code signing certificate.
[UPD] waptdeploy: by default, disable the check of codesigning certificate (waptdeploy checks fingerprint by default). Codesigning could fail on older Windows with non-up-to-date root CA or internet access. Previous behavior can be force-enabled with --disablechecksignature=0
[UPD] waptcore: accept to read RSA384 and RSA512 X509 certificates in all the wapt code
[FIX] waptconsole: fix proper WADS status icon
[FIX] waptexit: fix splitter position
[FIX] waptconsole: fix splitter position in configuration form
[FIX] waptserver: during host package signer check: be tolerant if host_capabilities is not known yet
[FIX] wapt-get: no stdout when run with stdout redirection (be sure to finalize, else we don’t have final stdout (wapt-get through paramiko ssh))
[FIX] waptconsole: when building agent, check of waptsetup.exe hash signature fails because of Tranquil IT certificate expiration. Add AllowExpiredCertificate to signature checking, with default value AllowExpiredCertificate=True for waptbinaries.sha256 hashes check.
[FIX] waptcore: missing locales for HostCapabilities.from_string_filter
[FIX] waptconsole: reload python config after editing console config
[FIX] waptconsole: fix bug in update source package when loading / offloading python engine in the console
[IMP] waptconsole: add support to search ldap groups interactively in wads djoin gui
[FIX] waptselfservice: fix self service system on linux and macos
[FIX] waptserver: fix upgrade from wapt<2.3. (don’t alter packages table if it has been recreated in upgrade process)
[IMP] waptserver: removed host certificate cache (not used anymore as nginx is doing the job)
[IMP] waptcore: in reporting update hostwebsocket table from in memory status info before executing reporting query if this table name is found in query text. Introduce ‘update_websocket_reporting_table’ server config parameter
[FIX] waptcore: wapt on Linux, set i386 architecture for debian i686 agent packages
[FIX] waptcore: make TWaptRepo index by package name case sensitive to be consistent with other parts of Wapt
[FIX] waptcore: add is_local_user on macOS
WAPT-2.5.3.15292 (2024-02-07)
hash: 24c6e7c0
This is the third release of WAPT 2.5 series. It includes fixes since the 2.5.2 version.
[SEC] Openssl library upgraded to 3.1.5
[FIX] reporting: fix delimiter when exporting report data, fix json list display
[FIX] audit data: improve display of audit data (hide irrelevant info, fix json list display)
[REF] remove deprecated unused get_websocket_auth_token endpoint that may create overload during upgrade from 2.4 to 2.5
[FIX] fix wapt-get build-upload, maturity parameter was not taken into account
[FIX] potential access violation on waptconsole on Linux when editing machine description
[FIX] fix djoin layout, domain part could be hidden
[FIX] fix user client ssl auth forwarding when using uwsgi (machines were not impacted)
[FIX] waptexit: fix closing before launching upgrade if wua is enabled
race condition setting WaitingCountdown to false
removed dangerous kill thread
localhttp jsonget timeout set to the wapt-get.ini setting (10s by default)
[UPD] agent waptcrypto: skip the loading of badly formed x509 certificates from waptssl
they are ignored so that a corrupted certificate doesn’t prevent trusting the other good certificates
[FIX] waptsetup not taking config name and hash from filename
filename must have the form waptsetup-test123456_dbef360b08b929cde6cfa7b3df12b81331db42a4af0df02439890907b812d5d5.exe
[UPD] waptdeploy: forward config_name and config_hash from waptsetupurl
waptsetupurl must refer to a URL like http://srvwapt.mydomain.lan/wapt/waptsetup-test123456_dbef360b08b929cde6cfa7b3df12b81331db42a4af0df02439890907b812d5d5.exe
file must start with waptsetup-
config_name and config_hash are separated with an underscore and must not be empty
config_hash string must be 64 characters long
one can explicitly set config name and hash with waptdeploy arguments --config_name=xxxx and --config_hash=xxxxx
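The file-name rules listed above, as an added Python example (not WAPT's own code) that extracts and validates config_name and config_hash from a waptsetup file name or URL. Assumptions not stated in the changelog: the hash is hexadecimal as in the sample, the name is split from the hash at the last underscore, the file ends in .exe, and explicitly supplied values must be given together and take precedence over the file name.

```python
import posixpath
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote, urlsplit

PREFIX = "waptsetup-"          # from the changelog: file must start with waptsetup-
HASH_LEN = 64                  # from the changelog: config_hash must be 64 chars long
HEX_RE = re.compile(r"[0-9a-fA-F]+")  # assumption: hexadecimal, like the changelog sample

# Sample URL quoted in the changelog entry.
SAMPLE_URL = ("http://srvwapt.mydomain.lan/wapt/waptsetup-test123456_"
              "dbef360b08b929cde6cfa7b3df12b81331db42a4af0df02439890907b812d5d5.exe")


class SetupConfig(NamedTuple):
    config_name: str
    config_hash: str


def _check(name: str, digest: str) -> SetupConfig:
    """Apply the changelog's rules to a (name, hash) pair."""
    if not name or not digest:
        raise ValueError("config_name and config_hash must not be empty")
    if len(digest) != HASH_LEN:
        raise ValueError(f"config_hash must be {HASH_LEN} characters, got {len(digest)}")
    if not HEX_RE.fullmatch(digest):
        raise ValueError("config_hash is not hexadecimal")
    return SetupConfig(name, digest)


def parse_waptsetup_name(name_or_url: str) -> SetupConfig:
    """Return the config name and hash embedded in a file name, path or URL."""
    # For a URL only the path is used, so a query string cannot smuggle a name in.
    path = urlsplit(name_or_url).path if "://" in name_or_url else name_or_url
    filename = posixpath.basename(unquote(path).replace("\\", "/"))
    stem, ext = posixpath.splitext(filename)
    if ext.lower() != ".exe":  # assumption: installer is always an .exe
        raise ValueError(f"not an .exe file name: {filename!r}")
    if not stem.startswith(PREFIX):
        raise ValueError(f"file name must start with {PREFIX!r}")
    # Assumption: split at the LAST underscore so config names may contain '_'.
    name, sep, digest = stem[len(PREFIX):].rpartition("_")
    if not sep:
        raise ValueError("no underscore between config_name and config_hash")
    return _check(name, digest)


def resolve_config(setup_url: str,
                   config_name: Optional[str] = None,
                   config_hash: Optional[str] = None) -> SetupConfig:
    """Prefer explicitly supplied values; otherwise fall back to the URL."""
    if config_name is not None or config_hash is not None:
        if config_name is None or config_hash is None:
            raise ValueError("config_name and config_hash must be supplied together")
        return _check(config_name, config_hash)
    return parse_waptsetup_name(setup_url)


if __name__ == "__main__":
    print(resolve_config(SAMPLE_URL))
```

Rejecting a name that fails these checks, rather than silently falling back to a default configuration, keeps a renamed or truncated installer from being deployed with settings nobody chose.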
[IMP] store host description into wapt db for non windows platform
allow to add a description to linux and mac hosts in waptconsole.
[IMP] shell syntax highlighting for wads linux scripts
[UPD] use reset-config-from-url in debian debconf example
[FIX] waptupgrade linux: small fix for version logging
fix support for intel i686 in buildlib (i386 is the same as i686 on debian)
add log for check auth (for fail2ban)
[UPD] wapt-get: enable logging configuration from command line --loglevel
[FIX] waptconsole: Try kerberos login before regular login and only if no password is supplied
[UPD] waptconsole: improve certificate trust when importing package.
[UPD] waptconsole manifest: remove useless longPathAware and add security asInvoker
adding asInvoker disables the Uac virtualization which causes behaviour inconsistencies between win32 and win64
longPathAware is not handled properly by the fpc rtl
[FIX] waptserver postconf: when upgrading structure, don’t try to get null host_capabilities
[IMP] waptconsole wads djoin: add list of computer groups, OU filter and sort OU by name
[IMP] wads: retry 5 times download of iso in case of failure
[REF][FIX] wads : improve re-connection in case of drivers download failure
recreate socket in case of drivers download error
add command line tests actions ‘download-extract-iso <iso_sha256>’ and ‘download-drivers <driver_bundle_name>’
don’t URLEncode GetMachineInfos data (they are POSTed)
removed wadslogic methods parameters which are already properties
made methods public to allow testing
removed steps test at beginning of each step to allow testing individual steps
download of iso in c:\tmp subdir
improved default notification on console. blank line before overwriting next step status to avoid garbage
[IMP] WADS: errors are now sent back to the server
[IMP] update login form caption with selected configuration for password managers.
[FIX] waptconsole: after edit config, auth login dialog was shown repeatedly
[UPD] postconf: removed the option to disable client side ssl auth
[UPD] waptself:
terminate threads earlier in the close event instead of terminate app.
missing task description
little refactor of local auth callback
[IMP] waptconsole: enable autofilter in edit package grids
don’t enable OLE for drop to avoid ole dropsite initialization
don’t check CA usage by default for create new certificate
show CA cert in filemanager in import package form if one clicks on path label
[UPD] cleanup wapt-get
removed no longer used CreateWaptSetup / CreateWaptAgent
takes into account --wapt-server-url, --wapt-repo-url in wapt-get.exe code
add --service_auth_type for wapt-get.exe
make --user=xxx equivalent to --waptservice-user=xxx or --WaptServiceUser=xxx
[UPD] update mormot2 for better wget resume
avoid appending error data from server to current in progress payload
Small fixes
[FIX] waptconsole gui: don’t activate grid editor on right-click
[UPD] waptconsole hosts grid: make columns up to fqdn fixed on the left
tisgrid and sogrid: DragType default dtVCL
removed toAcceptOLEDrop from MiscOptions by default
[FIX] wapt-get install: don’t print “Installing…” twice
WAPT-2.5.2.15207 (2024-01-15)
hash: ed70d8c7
This is the second release of WAPT 2.5 series. It includes many fixes since the 2.5.1 version.
As for WAPT 2.5.1, the focus of this release is the security and performance improvement. Now the client SSL auth is configured by default to enhance the security of the server, protecting both the repository and the API endpoints used by the agent. On the performance front, the upload of inventory updates from the agent to the server is more atomic to avoid unnecessary bandwidth and cpu consumption.
Upgrade notes:
It is not required anymore to have verify_cert enabled like in WAPT 2.5.1, even if it is strongly encouraged to enable it.
When upgrading, the websocket protocol is incompatible between the WAPT 2.4 version and WAPT 2.5 version. Due to this incompatibility, the connectivity status will be DISCONNECTED while the client does its waptagent upgrade. Upgrade is done by default in the next two hours. The waptupgrade package has to be assigned to all computers beforehand.
Reverse proxies (WAF, etc.) doing TLS interception or TLS termination are no longer supported. If you have a reverse proxy in front of the WAPT server, it has to be configured as a simple TLS forwarding proxy based on SNI (cf. ngx_stream_core_module on nginx server for example).
The waptserver webpage for waptagent download is not enabled by default anymore. Please check the corresponding documentation.
To avoid machine UUID lowercase/uppercase mismatches, machine UUIDs are now sent in lower case if there is no pre-existing host registered in uppercase.
The function from waptcrypto import encrypted_data_str has been moved to from setuphelpers import rsa_encrypted_data_str.
WMI and DMI inventory are now supported by default through auditing packages tis-audit-wmi and tis-audit-dmi. You can force dmi/wmi support directly in the waptagent, but it is less efficient and not recommended.
If you are calling api endpoints in scripting, beware that client certificate authentication is now mandatory.
Other highlights:
Add waptserver and waptagent support for debian 12 arm64.
Support for dark mode on Linux and macOS is now on par with light mode. Dark mode on Windows is not yet supported though.
The download speed was throttled due to a bug in the WAPT Console. Now download is done at full speed in the console.
In all the grids of WAPT console you can now create pie charts based on selected data.
For more clarity, date / time are displayed in localized local time instead of UTC.
In the process of security hardening of WAPT, the unit test coverage has been improved, the code base has gone through some cleanup and integration tests have been expanded.
You can now add custom audit data to create custom fields with hand typed data (for example warranty expiry date, etc).
To make inventory upload more efficient and avoid overloading the server, when installing / updating packages, the update status of waptagent is sent at the end of the upgrade cycle of the agent.
2 cmd.exe black screens were showing on opening a user session to execute WAPT session-setup scripts. We have been informed that some users were attempting to close the windows before the scripts completed. Now, the WAPT session-setup scripts execute without displaying the black screens on users opening their Windows session.
WAPT Console
[FIX] waptconsole: add ability to get server certificate chain through proxy
[FIX] waptconsole: add filtering on both ADGroups and ADSites
[FIX] waptconsole: default selection of repo when importing
[FIX] waptconsole: better handling dynamic configurations certificates path when adding a new config
[FIX] waptconsole: better support for host tags and packages target_os with os version condition
[FIX] waptconsole: fix acls signature checking
[FIX] waptconsole: fix dynamic configuration: server certificate combobox
[FIX] waptconsole: fix login error if changing server config file after a failed login.
[FIX] waptconsole: handle proxy for mustache http handlers in html viewer
[FIX] waptconsole: improve darkmode in TisGrid HTML cells
[FIX] waptconsole: improve importing package from package file
[IMP] signature check on importing packages from store
[NEW] waptconsole: Add a filter in import packages to filter packages compatible with registered hosts
hosts compatibility (show last compatible version)
package newest only and newest than mine and compatible with my hosts.
[FIX] waptconsole: improve dynamic configuration wizard layout for Linux
[FIX] waptconsole: improve password complexity description
[FIX] waptconsole: tasks polling: make socket receive timeout longer than poll timeout
[FIX] waptconsole: tasks polling: reset LastEventId in case of failure to fix wrong display history
[FIX] waptconsole: multi server support, some fixes to better support TLS client auth.
[FIX] waptconsole: show BIOS revision
[FIX] waptconsole: use OpenURL to start web browser on URL instead of OpenDocument (for Linux support).
[FIX] waptconsole: user certificate fingerprints in ACLS mismatch.
[FIX] waptconsole: verifying subnet in remote repo rules and refuse if ipsubnet/mask pair is incorrect
[FIX] waptconsole: very slow when using a proxy to access repo or server with verify_cert=1
[IMP] waptconsole: ask for trusted cert on import package
[IMP] waptconsole: don’t display the update popup when checking newer waptagent version under Linux / macOS
[IMP] waptconsole: grid: persist Custom Expressions in grid settings between sessions
[IMP] waptconsole: import packages: add some progress feedback
[IMP] waptconsole: improve check cert before import package
[IMP] waptconsole: improve loading WAPT Console time and some saved properties
[IMP] waptconsole: improve certificate graphical and textual display UI/UX
[IMP] waptconsole: invalidate trusted signers cache on package index refresh
[IMP] waptconsole: testing if the bundle path is writable on local filesystem on updates.
[IMP] waptconsole: verify cert before importing package in local repo
[NEW] waptconsole: showing proper panels with repo_rules_enable or repo_sync_enable
[NEW] waptconsole: improve form to validate and trust certificate for external repositories
[UPD] waptconsole: add Signer sha256 fingerprint of package in private repo grid.
[UPD] waptconsole: Better explanation for enable_reposync parameter in dynamic configurations.
[NEW] waptconsole: add checkbox in waptsetup form to force install of WaptUpgrade package
[NEW] waptconsole: display/hide Tabs and Features in “View” menu to make it easier to find
[NEW] waptconsole: add support for pie chart in waptconsole grids
[NEW] waptconsole: option to enable autofilters on grid similar to
[NEW] waptconsole: server certificate pinning in preferences
[NEW] waptconsole: warnings if no CA defined for https server or package verification from store
[UPD] waptconsole: add sha1 fingerprint in certificates grid
[UPD] waptconsole: cosmetic improvements: increase row height of certificates grid
[UPD] waptconsole: disable http request helper in mustache html frame viewer by default.
[UPD] waptconsole: edit host: filter packages with the host_packages_filter string
[UPD] waptconsole: edit packages layout: remove top panel scrollbox
[UPD] waptconsole: handle “update_server_status_on_connect” in waptconsole json config wizard
[UPD] waptconsole: hide windows update and banned columns in software inventory tab
[UPD] waptconsole: import packages: add a trusted_signer column
[UPD] waptconsole: import packages. Improve filter on packages compatibles with my hosts
[UPD] waptconsole: include custom expression filter on grids.
[UPD] waptconsole: renamed display setting “debug mode” into “advanced display and grid settings”
[IMP] waptconsole: improve import queries from wapt store in reporting
[UPD] waptconsole: allow export for newly converted dvgrid (audits and reports)
[FIX] waptconsole: reports saving and report tabs closing issues
[UPD] waptconsole: reporting: add an option to filter result grid rows on same selected values
[UPD] waptconsole: save MRU of search edit combobox
[UPD] waptconsole: set default position of forms into first FHD screen. (to avoid lost forms on non existent second screen)
[UPD] waptconsole: sort by os_name,os_version if inventory grid sort is on os_name
[UPD] waptconsole: tasks list: add some columns. Reduce count of default visible columns
[UPD] waptconsole: update grids autofilters to keep custom expressions visible
[UPD] waptconsole: use computer fqdn for RDP connection to allow NLA Kerberos
[UPD] waptconsole: add a http_keep_alive_ms parameter in waptconsole.ini to improve console http requests latency.
[UPD] waptconsole WaptRepo class: add CheckControlSignature attribute to force checking control signature when loading packages Index.
[UPD] waptconsole: use domain_name for host html template domain.
[FIX] waptconsole: fix import reports/queries from url and file
[FIX] waptconsole: set splitter to color clDefault for better dark mode handling
[FIX] waptconsole: disable kerberos by default when building the agent
[FIX] waptconsole: update dynamic config form layout
[NEW] waptconsole: added “Remove custom column” item for column popup menu in grids
[FIX] waptconsole: avoiding importing packages twice if already downloaded
[UPD] waptconsole: grid colors: add guessed default chart colors from well known status label
[FIX] waptconsole : dynamic json config. don’t add empty repo_url, wapt_server, profiles to [global]
[FIX] waptconsole. Clipboard not working under Linux GTK
[IMP] waptconsole: introduced Chart most used values
[IMP] waptconsole: updating grids after importing packages
[UPD] waptconsole: default columns for WUA in Inventory
[UPD] waptconsole: add p12 file filter for private key password change
[UPD] waptconsole: always enable privatekey password change menu
[UPD] waptconsole: private key password form: Add certificate file path in windows title to ease use of passwords manager auto fill
[UPD] waptconsole: more helpful message when no certificate is defined in configuration
[FIX] waptconsole: dynamic config wizard: server cert not saved properly
[UPD] waptconsole custom audit data edit
[FIX] waptconsole: audit data editing in grids
[UPD] waptconsole: re enable “don’t check certificate” when building a custom agent
WAPT Server
[NEW] waptserver: add homepage_enable parameter in waptserver.ini to enable/disable waptserver homepage
[NEW] waptserver: add login_on_homepage parameter in waptserver.ini to require or not authentication on waptserver homepage
[NEW] waptserver: add UseSslClientAuth option in waptserver windows setup.
[UPD] waptserver: default CRL expiration set to 10 days
[UPD] waptserver: try to reload nginx if CRL updated
[UPD] waptserver: more meaningful waptserver error when trying to upload a host package which is not trusted by the target host.
[UPD] waptserver: linux postconf: add a question “Authenticate Agents using https client certificate (recommended)”
[UPD] waptserver: on linux: add a sudo rule to allow wapt user to reload nginx
[UPD] waptserver: waptpackage update_packages_index: rewrite Package zip file only if has actually changed
[UPD] waptserver: windows waptservice and waptserver angelize daemons: use json format as it is more mormot compatible
[FIX] waptserver: api logs: decode properly request args when gzipped
[FIX] waptserver: db model : be sure unique id sequences are bigint
[FIX] waptserver: db model revert “unlogged” to “logged” on status tables.
[FIX] waptserver: in connection auth callback, avoid double call to callback.
[FIX] waptserver: during hostgroups handling, entry.depends must be split by ‘,’
[FIX] waptserver: repos rules, removed legacy endpoints /sync.json /rules.json
[FIX] waptserver: update_file_tree_of_files for upload_file and merge_stripped_package
[FIX] waptserver: windows waptserversetup: use previous nginx cert CN to guess server name when upgrading.
[IMP] waptserver: during Linux server postconf, stop if kerberos and spnego packages are not installed
[SEC] waptserver: forbid mismatch between subject_alt_names in cert and computer_fqdn
[SEC] waptserver: when kerberos mode, verify add_host_kerberos when use auth_result
[UPD] waptserver: add a certbot letsencrypt route in nginx config
[FIX] waptserver: multiple fixes for uwsgi support
[FIX] waptserver: fix postconf kerberos and not exist subject_alt_names
WAPT Agent
[SEC] waptagent: add page hashes when signing windows binaries for tests with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (force windows to check exe signatures)
[SEC] waptagent: waptselfservice : prevent ntlm use for local auth system
[UPD] waptagent: include “update_server_status_on_connect” in waptagent json config.
[UPD] waptagent: add wapt-get delete-param for debugging purpose
[UPD] waptagent: auto convert wua error with : https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference
[UPD] waptagent: waptagent upgrade: install this package as soon as agent see it -> Install waptupgrade package as soon as agent see it
[UPD] waptagent: force update if there was some valid_from, valid_until, force_install in future in previous update
[UPD] waptagent: take in account wapt_base_dir ini file in [global]
[UPD] waptagent: add an option “update_server_status_on_connect=1” to update server status when websockets reconnects.
[UPD] waptagent: waptsetup windows: hide console when running wapt-get session-setup ALL on login
[UPD] waptagent: waptself: notify_server_on_finish for self service actions
[NEW] waptagent: GetLocalAppdataFolder for UNIX
[NEW] waptagent: -l param for WAPT Message loading dynamic logo
[NEW] waptagent: wapt-get: add get-params to get local db params as json with wildcards
[FIX] waptagent: waptservice: check_auth_groups: handle multiple authorization headers for local auth
[FIX] waptagent: waptself: default position on first monitor (X low enough…) to avoid AV when getting monitor DPI
[FIX] waptagent: append min_os_version and max_os_version = os_version to PackageRequest initialized from agent’s OS tags.
[FIX] waptagent: improve wua status install when an error happens
[FIX] waptagent: in waptservice, in case of server auth failure on update_server_status, try re-register only if last successful register is older than 2 hours
[FIX] waptagent: kill task waptexit.exe before installing it
[FIX] waptagent: python WaptRemoteRepo init if config is None.
[FIX] waptagent: regression with urllib3 when verify_cert=False.
[FIX] waptagent: remove erroneous extra arg installed_by for WaptPackageInstall
[FIX] waptagent: reset_host_uuid if uuid was present in section ‘default_global’
[FIX] waptagent: use proper dmidecode under MacOS with intel processor
[FIX] waptagent: wapt-get --service ping was sometimes stuck during waptsetup last step.
[FIX] waptagent: waptserver login_self_service: unsupported media type
[FIX] waptagent: waptservice tasks not executed in the right order
[FIX] waptagent: waptwua client https certificate auth and proxies support
[FIX] waptagent: fix empty configuration handling when first starting service without config on Linux
[FIX] waptagent: on linux/macos ensure app ini filename directory exists
[IMP] waptagent: do not fill the organization attributes in machines CSR
[FIX] waptagent: waptsetup fix guessing config name and config hash from filename
[FIX] waptagent: waptwua, fix wmi_installed_windows_updates_result
[FIX] waptagent: waptwua, use wmi_installed_windows_updates_result for search kb install date
[UPD] waptagent: waptexit: removed sogrid.
[FIX] waptagent: fix audit many packages on upgrade stopped on first failed audit
[UPD] waptagent: add forced install on linux waptupgrade packages
[IMP] waptagent: during waptservice upgrade, tweak notify_server_on_finish
[SEC] waptagent: resetting private and log folders in wapt rights after each update in case it has been messed up by sysadmin or other scripts
[IMP] waptagent: waptself: reduce amount of data in task grid.
[FIX] waptagent: waptwua client: revert more registry parameters when reenabling windows wua service
[FIX] waptagent: fix uninstall kb on win10 using DISM and mum files data
[UPD] waptagent: waptservice tasks: add start_not_before and start_not_after attributes in reporting json dict
[FIX] waptagent: don’t check wsusscn2cab date if waptwua is disabled
WAPT Core
[SEC] waptcore: upgrade cryptography to 41.0.7 for CVE-2023-49083
[UPD] waptcore: remove wapt version in exe filename with auto_create_waptagent_from_config
[UPD] waptcore: wapt-get.exe now honors “--not-interactive” command line flag
[REF] waptcore: waptcrypto: export cacert.pem in non redirected profile path if different from redirected one on Windows (SysWOW64 / system32)
[UPD] waptcore: when comparing target_os version and versions, add missing ending version members
[NEW] waptcore: add 7zip dlls in default wapt install
[IMP] waptcore: upgrade to openssl 3.1.4
[FIX] waptcore: Change all http client calls to not retry once if timeout.
[FIX] waptcore: fixed socket (Wget) performance regression on Windows
[FIX] waptcore: fix install_msi_if_needed in setup.install. some args were not passed to underlying setuphelper function.
[FIX] waptcore: remove_user_programs_menu_folder() failed if dir didn’t exist
[FIX] waptcore: sys and time should be imported by default
[FIX] waptcore: use ~ for make_packages_filter_string separator
[FIX] waptcore: verify_cert not propagated properly from config WaptRemoteRepo config argument
[FIX] waptcore: wapt-get local auth: avoid sending 2 authorization (Bearer + Basic)
[FIX] waptcore: wapt-scanpackages: add --reload-nginx-if-needed option to reload nginx config if CRL updated (need specific sudo rights for wapt user)
[FIX] waptcore: waptutils.get_requests_client_cert_session : be sure verify_cert is True if arg is None
[FIX] waptcore: waptsetuputil for waptserversetup: don’t use openssl to extract Subject from X509 certificate to avoid locking
[FIX] waptcore: ignore trailing zero subversion when doing comparison. Now 2.1.0 == 2.1
[FIX] waptcore: uuid to lower in WADS
[FIX] waptcore: remove non valid chars from package Dev directory when building package name
[FIX] waptcore: fix missing Exception message reporting from the agent
[FIX] waptcore: wapt-get check-package 401 error when trying to get Packages index
[FIX] waptcore: wapt-get build-package when personal crt file has multiple certificates
[FIX] waptcore: wapt-get reset-uuid: delete stored hardware_uuid and hostname
WAPT WADS
[NEW] wads: add support for static ip address in WinPE
[NEW] wads: getting net interfaces info for WADS
[NEW] wads: when using a winre wim file for wifi support on wads, del winpeshl.ini to behave like a winpe
[NEW] wads: improve information updates on waptserver when wads install starts
[UPD] wads: wapttftpserver: set case insensitive filename option
[IMP] wads: replace ipxe.efi with snponly.efi to improve support of ip stack on uefi bios
[IMP] wads: Run setupcomplete.cmd with “schtasks /Create /RU SYSTEM /SC ONSTART” to support wapt postinstall script on Windows Pro OEM or Windows Home OEM (otherwise it was not run)
[FIX] wads: add except ValueError for ipaddress.ip_network (fix fail if bad network)
[FIX] wads: avoid checking for WinPE under UNIX system since it can only be created on Windows systems
[FIX] wads: ensure waptdjoin overwrite/move works with children
[FIX] wads: improve WinPE creation (7z.dll and certificate improvements)
[FIX] wads: loading properly pem data in grid
[FIX] wads: login: clear password if login fails
[FIX] wads: setting selected .wim file for managing WinPE
[FIX] wads: switch token generation to “itsdangerous” lib
[FIX] wads: add json signature check in wgetwads
[FIX] wads: remove bad templates/wads_template/windows/conf/win7_with_join_ad_offline.xml because djoin blob handling fails on win7
[FIX] wads: Remove ProductKey in xml templates to let windows get product key from UEFI/Bios
[FIX] wads: fix disable schtask to do postinstall script
[IMP] wads: add 3 download retries when downloading drivers to handle shaky networks
[FIX] waptwads: add a default filter based on manufacturermodel when creating/uploading drivers from wads inventory
Setuphelpers / setupdevhelpers
[FIX] setupdevhelpers: replace of unicode 2019 character was incorrect
[FIX] setuphelpers: link was broken for wmi-rebuilding-the-wmi-repository
[ADD] setuphelpers: raise_error flag on set_service_start_mode()
[IMP] setupdevhelpers: complete_control_impacted_process now handles .EXE (caps)
[IMP] setupdevhelpers: descriptions will now be cleared of the black unicode character “u202f”.
[FIX] complete_control_min_wapt_version was not returning right value
[IMP] setupdevhelpers: get_private_persistent_package_() improved for DEV
[NEW] setupdevhelpers: complete_control_impacted_process returns a dict for advanced action in other scripts
[NEW] setupdevhelpers: remove_outdated_binaries will remove part files as they should be removed in update_package
[IMP] setupdevhelpers: add UNIX compatibility of unzip_with_7zip()
[IMP] setuphelpers: remove_appx(): no longer tries to remove NonRemovable AppX packages and optimizes powershell by using output_format="text"
[NEW] setupdevhelpers: add get_size() and update complete_control_impacted_process() functions
[NEW] setuphelpers: setuphelpers_windows functions: add_netfirewallrule() and remove_netfirewallrule()
[FIX] setupdevhelpers: get_private_persistent_package_*() when package is not installed yet
WAPT-2.5.1.14695 (2023-10-03)
hash : f667ffe1
This is the first release of the WAPT 2.5 series. The focus of this release is security and performance improvement. Client SSL auth is now configured by default to enhance the security of the server, protecting both the repository and the API endpoints used by the agent. On the performance front, uploads of inventory updates from the agent to the server are more atomic to avoid unnecessary bandwidth and cpu consumption.
In the process of security hardening of WAPT, the unit test coverage has been improved, the code base has gone through some cleanup and integration tests have been expanded. For more clarity, date / time are displayed in localized local time instead of UTC.
Note: be sure to read the upgrade procedure, it is required to have verify_cert enabled.
Libraries updates:
update python to 3.8.18
update openssl to 3.1.3
update krb5 lib to 1.21.2
update mormot2 framework to 2.1
WAPT Console
[NEW] waptconsole: “Don’t ask again” option on hosts trigger updates / upgrades / actions forms.
[IMP] waptconsole: displays the fingerprint of retrieved certificate when pinning a certificate.
[UPD] waptconsole: simplify default grid layout on first launch. Only minimal columns for Host and Packages status.
[SEC] waptconsole: when initially retrieving the certificate from the server, show it to the user so that they can check it.
[FIX] waptconsole: don’t try to load previous configuration before switching to the selected one.
[IMP] waptconsole: save certificate grid layout in the “create Wapt setup” windows.
[UPD] waptconsole: OSDeploy / Configuration forms now show datetime columns as local time using OS default format.
[FIX] waptconsole: prevent unnecessary calls to the api/v3/known_packages API in packageNameSelect.
[FIX] waptconsole: keep import packages basket always visible and disable importing when importing another package.
[UPD] waptconsole: remove all cached files for configured servers repo only when cleaning up local cache.
[UPD] waptconsole: in create waptagent, store upgrade package in local cache.
[IMP] waptconsole: ask to delete package in dev folder if it exists (to avoid checksum issues).
[FIX] waptconsole: create waptsetup: don’t try to check certificate until form is initialized.
[IMP] waptconsole: create waptagent: trust at least one’s own certificate if no configuration yet.
[IMP] waptconsole: external repositories settings.
[FIX] waptconsole: Don’t include unnecessary option parameters in wapt-get.ini when disabling waptwua in agent generation.
[FIX] waptconsole: improve gui form with checkboxes to select BIOS UUID, random UUID or FQDN UUID when creating the WAPT Agent.
[NEW] waptconsole build custom waptagent simplified dialog.
[FIX] waptconsole: import packages filenames truncated in dialog.
[NEW] waptconsole: add actions on OU menus , , .
[SEC] waptconsole: client side temporary auth cert: don’t provide a CSR on login if ClientPrivateKeyPath is set, don’t override client private key if not temporary.
[SEC] waptconsole: delete temporary client keys on renew or shutdown.
[NEW] waptconsole: create a CSR on login to get from server a temporary certificate for client side AuthMethod.
[IMP] waptconsole: better error catching when uploading files.
[FIX] waptconsole: keep cursor position in task log when refreshing.
[IMP] waptconsole / acls: cosmetic change: show green checks centered. Multiple orange checks when acl is not boolean but a list show icon if assigned certificate or user with server password.
[IMP] waptconsole / acls: reorder users grid columns.
[IMP] waptconsole: packages filtering: add redhat os when selecting Linux.
[IMP] waptconsole: add python syntax highlight to .py files edit.
[FIX] waptconsole: GUI Logical problems on Generate Agent Visual.
[IMP] waptconsole: add credentials to authenticate to a proxy while importing from internet repository. The password is encrypted as the repository credential in import from internet.
[FIX] waptconsole: fix sizing text / button when changing language.
[IMP] waptconsole: change Host Delete window’s CheckBox and phrasing to be more user friendly.
[IMP] waptconsole: certificate’s serial numbers on console hostpage are now displayed in hexadecimal.
[IMP] waptconsole: add total size of import package selection.
[IMP] waptconsole: add a search button for AD Group in self-service rules.
[IMP] waptconsole: implement a new popup that warns the user when importing a package that has dependencies which are not located in the current repository.
[IMP] waptconsole: add the service authentication type setting in windows waptagent build form.
[FIX] waptconsole / config: missing use_random_uuid property in json config.
[NEW] waptconsole / gui: add multi-filter in Grid, add Function to filter all agents, add filter in Grid for os_version (add str_removechars to compare os version).
[NEW] waptconsole / reporting: add snapshot action on report results.
[UPD] waptconsole / config: verify server cert by default.
[FIX] waptconsole / audit gui: better date handling by setting expiration date to NULL.
[UPD] waptconsole / acl gui: allow html selection in valid certificates frame.
[FIX] waptconsole / software repo: fix display of last detected software version by Luti.
[FIX] waptconsole / inventory: wrong image when OU is written in lowercase.
[IMP] waptconsole / inventory: introduce better FrmHtmlViewer.RenderTemplate.
[IMP] waptconsole / inventory: in LDAP tree enable display sub-OU checkbox by default.
[UPD] waptconsole / gui : store and manage all date / time in UTC. Display datetime in localized format in console.
[IMP] waptconsole / gui: visual color adjustments.
[NEW] waptconsole / create waptagent: add UI to set include_dmi_inventory and include_wmi_inventory_default in waptsetup and dynamic configurations.
[UPD] waptconsole: import package from external repo: when looking for package, strip specifically the configured prefix instead of any prefix. This fixes the case when several prefixes are used in private repo. If the same package exists with 2 different prefixes, the comparison can use the wrong package and report incorrectly that a newer package exists.
[FIX] waptconsole / gui: LDAP search form: minor fixes and usage improvement.
[IMP] waptconsole / gui: introduce new filter by column in TisGrid / SOGrid.
[NEW] waptconsole: CheckLicence with out RemainingDays parameter.
[FIX] waptconsole: avoid trying execution of updates on non connected host to speed up the process.
[FIX] waptconsole: default and cancel action shortcuts were missing.
[IMP] waptconsole: show Close button on form WUA pending updates.
[NEW] waptconsole: adding possibility to show only Cancel button acting like Close.
[GUI] waptconsole: showing os version in column os_name on Inventory.
[IMP] waptconsole: when editing corrupted package in pyscripter, don’t delete dev directory but show a warning.
[FIX] waptconsole / gui: wrong color on splitter, should be default color parameter.
[IMP] waptconsole: cleanly abort import packet on abort by user.
[SEC] waptconsole: Be sure to clear password memory in case of exception.
[IMP] waptconsole / multi-servers: authenticate separately on each server, avoid AV if one server is not responding anymore.
[UPD] waptconsole: add a “forced update” checkbox when triggering host updates if Ctrl+Shift are pressed.
[IMP] waptconsole: Disable audit button if user is not admin.
[IMP] waptconsole / licencing: allow to upload an already activated licence if activated for the same server_uuid.
[FIX] waptconsole: fix WUA order in inventory main grid.
[UPD] waptconsole: some improvements in the Linux / macOS agent download gui.
[FIX] waptconsole: fix missing repository error on imported queries.
[UPD] waptconsole: in create waptsetup, display localized date time for certificates.
[IMP] waptconsole: avoid to pop hosts limit approaching to license capacity limit.
[IMP] waptconsole: avoid unnecessary messagebox when checking licenses.
[UPD] waptconsole: add support for HTML in grid.
[FIX] waptconsole: proper property name for status / sync_status in grid agent repo.
[SEC] waptconsole: check that certificate used to sign new certificates is flagged for CA usage in CreateSignedCert.
[FIX] waptconsole: avoiding to load templates for now when messaging users.
[UPD] waptconsole html viewer: when secure_mode, disable http request in mustache templates.
[UPD] waptconsole: cosmetic layout change of waptconsole config.
[FIX] waptconsole: ask for a private key password even if it is not encrypted.
[IMP] waptconsole: hiding WADS actions if wads_enable is false.
[IMP] waptconsole: hiding WUA actions if waptwua_enable is false.
[NEW] waptconsole: disabling OS Deploy and WUA by server options.
[IMP] waptconsole: enabling / disabling tabs from preferences.
[NEW] waptconsole: reduce validity duration of new certificates created in waptconsole if server is in secure_mode.
[FIX] waptconsole: temporary fix for waptconsole crash on win7 large fonts.
[FIX] waptconsole: Inventory host certificates multi selection shows merged certificates of selected hosts.
[FIX] waptconsole: warns the user when his Acls changes during his session.
[FIX] waptconsole: disable ActReportingQueryReload if user doesn’t have ‘run_report’ ACL.
[UPD] waptconsole: create waptsetup: make use kerberos more visible: move it in non advanced setting.
[FIX] waptconsole: update from store final report truncated.
[FIX] waptconsole: add filters on certificates dialog.
[UPD] waptconsole: improve and simplify private packages repo grid.
[FIX] waptconsole: enabling Ok button by default on Make WinPE.
[FIX] waptconsole: and other guis: fix Settings saving and loading.
[FIX] waptconsole: import newer packages than mine.
[FIX] waptconsole: empty certificate in waptsetup and json configuration.
[UPD] waptconsole: specify that don’t check certificate is dangerous.
[UPD] waptconsole: handle visibility of Wapt Dev tab in advanced display settings.
[SEC] waptconsole: encrypt the temporary key generated at waptconsole login.
[NEW] waptconsole: provide a copy of generated and uploaded waptsetup in local repo cache on admin computer
[NEW] waptconsole: allow hide and display on all main tabs in the console
[IMP] waptconsole: show_softwares_inventory set to false by default
[FIX] waptconsole: create waptsetup: check use_kerberos against global server config
[NEW] waptconsole: manageable hide/display items on host pages
[NEW] waptconsole: show_secondary_repo set to false by default
[IMP] waptconsole: show_waptdev set to false by default
[NEW] waptconsole: cbDontAskAgain after modifying host
[NEW] waptconsole: hide WUA in Agent creation setup and configuration and package creation
[FIX] waptconsole: use HttpgetSafe instead of HttpGet for host overview templates (check certificates)
WAPT Server
[UPD] waptserver / postconf: disable wads endpoints and send a http 403 answer if wads is not enabled.
[FIX] waptserver / postconf: improve upgrade path by better reloading server config to load calculated default values.
[FIX] waptserver / postconf: fix Linux postconf may need to be launched twice to have a proper installation.
[FIX] waptserver / config: use a ping test file to test repo/wapt access instead of querying wapt/Packages url.
[SEC] waptserver / nginx: always set X-Ssl-Authenticated X-Ssl-Client-DN X-Ssl-Client-Sha1.
[SEC] waptserver / config: use_ssl_client_auth = True by default.
[IMP] waptserver: don’t capture and save user certificate provided on login.
[FIX] waptserver: newest_only in api/v3/packages api does not compare versions properly.
[NEW] waptserver model Packages: change architecture locale target_os licence to Array instead of text.
[FIX] waptserver: fix for waptserver postconf linux must be launched twice to have a proper installation.
[IMP] waptserver: Don’t set CA true by default when generating a self signed certificate.
[FIX] waptserver: fix model upgrade issues when coming from 1.8.
[SEC] waptserver: add a sleep of 3s in case of authentication failure to reduce risk of brute force or ddos on auth endpoints.
[FIX] waptserver: better handling of special characters in LDAP authentications.
[UPD] waptserver: wapt-get server connection: try to use host keys if no key defined in config file (ClientPrivateKeyPath and ClientCertificatePath).
[NEW] waptserver: showing agents list on webserver index page.
[NEW] waptserver: getting agents symlink from waptagent folder (useful for html template).
[FIX] waptserver update_server_status installed_packages: forgotten packages not removed from database.
[IMP] waptserver auth: in ssl auth, decode DN of certificate using ldap3.utils.dn.parse_dn for better parsing.
[NEW] waptserver config: introduce ssl_client_crls and ssl_client_certificates for nginx config. On nginx, when client side cert auth is enabled, there are often at least 2 CAs to trust: the CA of wapt clients and the CA of wapt admins. In nginx, this means the 2 CAs have to be concatenated in one PEM file; the same applies to the CRLs if they are defined.
[REF] waptserver: nginx configuration: introduce common forward_ssl_auth.conf and require_ssl_auth.conf files.
[IMP] waptserver: add audit_data_def endpoints for audit data metadata description and html templates.
[SEC] waptserver: use a different secret for token and session cookies, use a temporary secret for session cookies on agent.
[NEW] waptserver check_auth: allow ‘admin’ user authentication with ‘token’ method (similar to session), useful for WADS on Linux.
[FIX] waptserver uninstall : delete waptserver_pycache_ folder when uninstalling for cleanup.
[IMP] waptserver: server waptwinsetup installer: add new parameters --server-names= on Linux and /ServerNames on Windows to initialize server certificates CN and AltSubjectNames.
[IMP] waptserver waptcrypto : enable the use of IP in AltSubjectName of X509 certificates.
[FIX] waptserver: server postconf better handling of client ssl authentication configuration.
[IMP] waptserver socket authentication: use only client side certificate TLS authentication.
[UPD] waptserver: add waptserver update-crls action.
[UPD] waptserver postconf: configure ssl_additional_crls, clients_signing_crl and clients_signing_crl_url.
[FIX] waptserver: error for revoke_cert of host certificate when deleting a host.
[UPD] waptserver conf: add ‘trust_signed_host_certificate’ default to False.
[FIX] waptserver: update default values for wads_enable and waptwua_enable.
[FIX] waptserver: allow access to api/v3/get_waptagent_exe/.*/waptagent.exe without client cert.
[NEW] waptserver: check password complexity on server when change_password is called.
[FIX] waptserver: be sure we have a username to check before checking certificate CN during ‘ssl’ authentication.
[NEW] waptserver / postconf: add automatic initialization of keytab if kerberos is enabled in postconf.py.
[SEC] waptserver / postconf: check password complexity.
[UPD] waptserver / wua: disable waptwua periodic tasks when waptwua_enable is False.
[FIX] waptserver / auth: removed unuseful allow_unauthenticated_registration test in add_host_kerberos.
[FIX] waptserver: improve postconf.py --secure mode server side.
[UPD] waptserver: returns secure_mode, waptwua_enable and wads_enable in /api/v3/global_config endpoint.
[UPD] waptserver / postconf: removed the apache key/certificate migration.
[UPD] waptserver: use only lowercase login.
[FIX] waptserver: add acl admin or edit_wsus_package on WUA part.
[FIX] waptserver: return 404 for *_kerberos and *_wads endpoints when disabled.
[FIX] waptserver: postconf crash if /var/www/html/wapt/ssl/ not exist on Linux.
[NEW] waptserver: add reporting_enable parameter on wapt server windows install and linux install and in the console.
[FIX] waptserver: removed unused html and javascript files.
[UPD] waptserver: increase nginx large_client_header_buffers to 16k for Self service kerberos SSO to handle ticket with large group counts
[NEW] waptserver: add homepage_enable in config waptserver
[UPD] waptserver: disable repo_sync tasks if repo_sync_enable is False
[UPD] waptserver postconf: displays a summary message to download agent installer
[UPD] waptserver: returns a content type with text when 401 or 403 in nginx SSL auth.
[UPD] waptserver: disable nginx rules.json and sync.json when disabled in server config
[NEW] waptserver: add enable_repo_sync and enable_repo_rules options
[FIX] waptserver: update all crls when deleting host
[UPD] waptserver: update all crls on scan-packages
[FIX] waptserver / postconf: update crls immediately on postconf to allow nginx to start properly.
[UPD] waptserver : in secure mode, add a default value for ‘ssl_client_crls’ to /opt/wapt/conf/ca-check-clients.crl
[NEW] waptserver / postconf: add option to enable / disable waptwua_enable option
[UPD] waptserver / postconf: displays https server certificate fingerprint.
[FIX] waptserver : set check_auth_groups token_lifetime is in Wapt properties
[UPD] waptserver: removed jsquery and other JS from server index page
[FIX] waptserver / postconf : known_certificates_folder in /var/www/[html]/ssl by default
WAPT Agent
[FIX] waptagent / waptwua : bad arg in datetime.datetime.utcnow() when handling is_delayed parameter.
[IMP] waptagent: wapt-get reset-uuid: add extra argument to give an explicit uuid to set.
[FIX] waptagent: waptsetup : unable to load stuffed configurations if it is downloaded in a folder with non ascii characters.
[UPD] waptagent: wapt-get build-waptagent: take in account include_dmi_inventory and include_wmi_inventory settings.
[IMP] waptagent / Linux: add en_us.utf8 env variable to service file.
[UPD] waptagent / wapt-get : add check-package and check-json commands.
[FIX] waptagent: wapt-get reset-uuid and wapt-get generate-uuid for random uuid management.
[FIX] waptagent: waptsetup for use_random_uuid with stuffed waptagent.
[FIX] waptagent: fix warning in debian agent postinst.
[FIX] waptagent: wapt session-setup : remove session-setup for non standard interactive users (uid <1000).
[FIX] waptagent: update Agent: Ensure wget output directory exists.
[FIX] waptagent: wapt-get could ask for server password even if --wapt-server-passwd option is provided.
[SEC] waptagent: use dmidecode.exe from wapt directory on windows instead of first one in path.
[FIX] waptagent: improve disable windows update when Windows would try to re-enable it by itself.
[FIX] waptagent: macOS : add correct WAPT version in Info.plist.
[FIX] waptagent: waptwua can’t compare offset-naive and offset-aware datetimes.
[FIX] waptagent: Create waptsetup: server cert verify improvement.
[IMP] waptagent: update_server_status: add explicit include_dmi_inventory and include_wmi_inventory arguments (default to True).
[FIX] waptagent: wapt-get waptcrypto: workaround to be sure to load ssl before cryptography.
[FIX] waptagent: fix first package status upload after compute registration.
[UPD] waptagent / waptself: add an explicit get_token argument to login_kerberos / login in kerberos ldap-server authentication.
[FIX] waptagent: wapt-get.ini include_wmi_inventory and include_dmi_inventory not taken in account.
[UPD] waptagent: after editing host package, when applying, don’t kill running applications.
[FIX] waptagent / waptsetup: write use_kerberos to inifile.
[REF] waptagent: refactor waptsetup settings on windows, check use_kerberos in install gui if already checked in wapt-get.ini.
[NEW] waptagent: noborder option to WAPTMessage.
[UPD] waptagent: update mormot2 for SMI UUID handling on Linux.
[FIX] waptagent: on Windows, add mklink for libcrypto-3.dll and libssl-3.dll for cryptography lib to avoid improper openssl dll search.
[FIX] waptagent: set RedirectLogRotateFiles to 2 for angelize services to avoid filling the local log directory.
WAPT WADS
[REF] waptwads: TFTP server logging.
[FIX] waptwads: testing dnslookup before getting wads executable.
[FIX] waptwads: taking care of verify ssl server parameter.
[IMP] waptwads: add a history for the status log of the OS deployment. New action on the OS deployment page, right click on the main grid.
[IMP] waptwads / djoin: Allow to move or delete (with children) host if it already exists.
[FIX] waptwads / djoin: Handle special characters in djoin OU treeview.
[FIX] waptwads / djoin: Use pagination in ldap search for groups.
[FIX] waptwads / djoin: fix djoin subdomain handling in Active Directory forest.
[FIX] waptwads djoin: prepare djoin: force use of tls if ldap connection on port 636 allow using password on unencrypted channel.
[IMP] waptwads: add a version file for the WinPE. It warns the user if the WinPE is not up to date with the current console version. Linked #6501.
[FIX] waptwads: mormot2 TLdapClient.AddComputer doesn’t escape DN.
[FIX] waptwads: infinite loop if canceling creation host in OS Deploy.
[FIX] waptwads: encoding issue when executing diskpart command on WADS.
[UPD] waptwads: Allow to create winpe on non empty external drive after double warning.
[NEW] waptwads: host configuration selection on OS deploy like drivers bundle selection.
[NEW] waptwads: configurations property storing all Configurations on frame Tfrmmanagedeploymentconfiguration.
[NEW] waptwads: selection of driver bundle in OS deploy.
[NEW] waptwads: function to hide buttons Add, Delete and Delete unused on TFrmManageDeploymentDrivers.
[IMP] waptwads: colorizing cell in red when ISO does not exist anymore on WADS configuration.
[FIX] waptwads: rights issues when creating WinPE with other elevated user credentials.
[IMP] waptwads: getting IsoConfig when requesting DeployConfig and HostOSDeploy data insertion values.
[IMP] waptwads: improvements, better logs, visual for iso decompression, delete the log after the start of a new deployment Linked.
[IMP] waptwads / wapttftpserver: add option session_port_min and session_port_max to specify the range of ports to use for ephemeral session UDP port. Useful if limit on firewalls must be set. Defaults to 0 to use system defined ephemeral ports.
[FIX] waptwads: prepare Host Packages: packages specific to one target OS are filtered out.
[IMP] waptwads: replace the use of 7-Zip.exe on Wads with mormot2 7-Zip. Mormot2 uses 7-Zip dll to copy the behavior of 7-Zip. No linked ticket.
[NEW] waptwads / wapttftpserver: if loglevel=debug, add ttoLowLevelLog option to get more debug details.
[FIX] waptwads: remove constraints for Graphical WADS window, allowing the binary to adapt to screen size.
WAPT Setuphelpers / SetupDevHelpers
[ADD] devhelpers: get_public_persistent_dir(), get_public_persistent_file(), get_private_persistent_package_dir(), get_private_persistent_package_file(), remove_tree_for_all_users(), get_file_extension(), complete_control_*() are GUI helpers for “template” packages.
[UPD] setuphelpers: update detect_file_encoding docstring class MacOSVersions in CamelCase.
[IMP] devhelpers: reduce unexpected behaviors on vscode_launch.json: --no-ide "justMyCode": false, "pythonArgs": "-I".
[ADD] setuphelpers: adding new WindowsVersions.
[ADD] setuphelpers: add new macOSVersions class.
[ADD] setuphelpers: get_release_name(lower=False) for original case but stays lower() by default.
[IMP] devhelpers: add newline flag to json_write_file().
[FIX] setuphelpers: wrong log on unmount_dmg.
[FIX] devhelpers: remove_outdated_binaries() productversion check.
[IMP] setuphelpers: adds REG_QWORD in setuphelpers symbols default import.
[IMP] setuphelpers: setuphelpers_windows.py: be tolerant if dmidecode.exe does not exist.
[IMP] devhelpers: waptguihelper: add form’s height/width info on grid’s metadata that was returned, when copy to clipboard.
[FIX] devhelpers: setuphelpers_windows get_app_path() returns always None.
[IMP] devhelpers: BeautifulSoup functions can now parse string content of a page or reparse a “bs_result”. It is now possible to parse a specific attribute.
[FIX] devhelpers: copytree2 better symlink handling.
[IMP] devhelpers: complete_control_package now avoids triple hyphens "---".
[FIX] devhelpers: get_control_dict() was not returning a dict when detected as PackageEntry.
[ADD] devhelpers: new function complete_control_min_wapt_version().
[FIX] devhelpers: waptguihelper import was crashing WAPT for non-GUI systems in setupdevhelpers.py.
WAPT Core
[UPD] wapt core: add FailIfFileExists argument to GetPeerCertChainFromServerPath.
[UPD] wapt core / waptcrypto: in TX509Certificate, introduce IsSelfSigned and use short field names for DN.
[UPD] wapt core / waptcrypto: in TX509Certificate.Generate, add IsServerAuth and Usages arguments.
[FIX] wapt core: use LAZVER300 define instead of VER300 for version of lazarus.
[FIX] wapt core: ISO8601UtcToLocalDateTimeStr: handle 9999-12-31 as NULL date.
[FIX] wapt core: UpdateSOCertFromCert missing ‘not_before’ property.
[UPD] wapt core: small improvement in certificate HTML templates.
[FIX] wapt core: waptsetuputil ApplyJsonConfigToIniFile: update [default_global] section if it exists instead of [global].
[IMP] wapt core: be tolerant for ISO8601UtcToLocalDateTimeStr with date in far future.
[IMP] wapt core: Be tolerant if datetime string has no date and time separators.
[FIX] wapt core: explicit failure if package.localpath is None or empty.
[FIX] wapt core: check hosts limit only if we got at least one host.
[FIX] wapt core: waptpackage.py PackageEntry sign_package.
[REF] wapt core: host uuid calc to keep existing uuid but use hardware uuid in lowercase in case of new hardware.
[IMP] wapt core: reduce the amount of data sent to the server on update_server_status: don’t update server status too often, don’t send wmi and dmi by default, send only the delta of packages install status.
[FIX] wapt core: python pyd module initialization: by default, revert to use Py_Initialize for engine initialization which keeps sys.argv as in caller process python engine.
[REF] wapt core: use IWaptSignatureChecker interface instead of IX509Store when it is needed to check a package.
[IMP] wapt core: TX509Store IsTrustedCert : take in account the AllowSelfSigned argument.
[IMP] wapt core: waptpackage: remove duplicated certificate chain checks.
[SEC] wapt core: enable ASLR and DEP on all wapt binaries. Enable debug infos on Default on projects, disable run in debugger for release modes.
[SEC] wapt core: make wapt_base_dir handling more deterministic in both python and freepascal modules. Waptlicences waptbasedir: use new GetExecutableName func from mormot2; introduce WAPT_BASE_DIR environment variable to override default guessed wapt base dir (based on pyd location); introduce WAPT_LIBCRYPTO_BASE_DIR environment variable to override guessed location of libcrypto and libssl modules.
[REF] wapt core: replaces GetWaptFullVersion function by WaptBuildVersion constant from wapt-get/build_version.inc.
[IMP] wapt core: add GetTerminalWidth for commandline.
[FIX] wapt core: FrmPackageDetails: Missing condition when saving local files.
[IMP] wapt core: angelize waptsvc: add wapt_base_dir and config commandline parameter for tests.
[FIX] wapt core: CSR fixed version number as generated by NewCertificateRequest - should be 0 as stated by the RFC.
[SEC] wapt core / waptcrypto : add X509_V_FLAG_POLICY_CHECK when checking certificate chains.
[FIX] wapt core: waptsigner TWaptSignatureChecker.VerifyJsonSignature: unable to check signature if cert is not the trusted CA.
[IMP] wapt core / waptguihelper: system language based.
[NEW] wapt core: Add new errors_list output variable for HostCapabilities / PackageRequest.is_matching functions.
[SEC] wapt core: sign and check the “get_tasks_status” action from console to agents.
[UPD] wapt core: log (info) Openssl version at startup of server.py and wapt-get.py.
[FIX] wapt core: don’t set client_certificate and client_private_key for repo and server if they are empty strings in wapt-get.ini.
[FIX] wapt core: patch for cryptography to avoid the error when trying to load legacy provider with openssl >= 3.0.0 which has been removed.
[FIX] wapt core: TimedJSONWebSignatureSerializer is replaced by URLSafeTimedSerializer in latest itsdangerous python module.
[FIX] wapt core: waptcrypto SSLCertificate subject_dn and issuer_dn to return short names rfc4514_string
WAPT-2.4 Serie
WAPT-2.4.0.14143 (2023-08-08)
hash : 9847ee8b
This is a bugfix release for WAPT 2.4.0. Notable fixes are:
better handling of scrolling in SelfService on macOS
fix network error on macOS m1
better support for authentication on WAPT Store Enterprise when downloading packages in the WAPT Console
WAPT Console
[IMP] waptconsole import packages: avoid flickering when clicking on rows.
[FIX] waptconsole / external repositories settings: renamed user and password fields to mention explicitly Store and token.
[IMP] waptconsole import packages from store: handle 401 and 403 proactively to suggest user to authenticate to WAPT Store Enterprise and validate licences for proprietary software
[IMP] better handling of icons list WAPT Self-service
[FIX] fix waptconsole download waptagent for linux and mac (symlink for waptagent gui not properly handled)
WAPT core
[FIX] better handling of current path when starting wapt: determine default_waptservice_ini with waptutils__file__, not from sys.argv[0] to handle
[FIX] add use random uuid in json agent configurations
WAPT on Linux and macOS
[FIX] Fix running_on_ac setuphelpers function on Linux
[FIX] fix older macOS support specify --platform macosx_10_9_x86_64 and --platform macosx_11_0_arm64 when run pip compilation for backward compatibility
[FIX] macOS : fix app startup icon not working on macos ventura and above
[FIX] Debian : add dependency on rsyslog OR syslog-ng in server and service deb package
[FIX] fixed socket ioctl() on some POSIX targets (e.g. macOS on M1 architecture)
[FIX] fix scrolling WAPT Self-service under MacOS with magic mouse or macbook trackpad
WAPT Server
[FIX] edit order check_auth for get_wads_config
[FIX] fix db upgrade bug when upgrading from WAPT 1.8.2
WAPT-2.4.0.14080 (2023-06-22)
hash : 25f00c3f
This is a bugfix release for WAPT 2.4. Notable fixes are a fix for issues when building and uploading packages from PyScripter due to __pycache__ and .pyc files, and a fix for the broken WakeOnLan feature.
WAPT Console
[FIX] waptconsole: show main_ip of pre wapt 2.4 host before upgrade
[FIX] waptconsole gui: splitter position in softwares inventory
[FIX] waptconsole : missing data in softwares inventory (host_capabilities)
[FIX] waptconsole: label showing KBs usage space
[FIX] waptconsole / sendMessage: don’t autosize form as it creates endless layout loop on linux
[FIX] waptconsole: MS remote assist is on port 135, not 3389
WAPT Core
[FIX] wapt dynamic configuration: hiberboot_enabled is a boolean in json config, but must be set as a dword in registry
[FIX] wapt-get build-upload: excluded files are not properly excluded when building the zip file due to __pycache__ and .pyc
[FIX] waptagent macos: using launchctl kickstart instead of launchctl unload && load for wapt service under MacOS
WAPT Server¶
[FIX] server: reintroduce hosts.gateways extraction from host_networking
[FIX] server / trigger wakeonlan: fix for compatibility with old host data.
WAPT WADS¶
[IMP] send a human readable message to ipxe when WADS is disabled while trying to deploy through WADS
[IMP] ensure WADS deployment and ipxe still works when djoin is empty
WAPT-2.4.0.14058 (2023-06-09)¶
hash : ae548d8ab
This is a bugfix release for WAPT 2.4.
Notable changes :
Added support for Debian 12 amd64 on client and server
Upgrade openssl from 3.0.8 to 3.0.9
Upgrade python from 3.8.16 to 3.8.17
WAPT Server¶
[NEW] add debian12 for amd64
[UPD] no filter by default for importing WUA updates
[UPD] adding more update file extension
[FIX] handle server side Hosts dataset ordering (when a hosts count limit is given in waptconsole, we expect to get the first n hosts in the grid order)
[FIX] waptserver : upload linux waptagent ensure symlink is secure filename
[FIX] waptserver model: missing extraction of dnsdomain and mac from host_networking json into plain Hosts columns
WAPT macOS¶
[FIX] direct waptservice restart on MacOS
WAPT Linux¶
[NEW] add debian12 for amd64
[NEW] Add new systemd function to setuphelpers for Linux
WAPT Console¶
[FIX] fix waptpython.exe and waptpythonw.exe upgrade through innosetup when version id does not change
[FIX] fix waptsetup install when setup file is located in directory with non ascii chars
[FIX] Add escape_filter_chars for ldap3 (allow parenthesis and other special char in group names)
[FIX] DJoin: fetch ldap search result until no more pages left
[FIX] DJoin: Limit ldap search page to 500 results
[FIX] showing pending WUA updates
WAPT Core¶
[SEC] sign all dll and exe that are compiled by Tranquil IT during build process
[SEC] switch to openssl 3.0.9
[SEC] switch to python 3.8.17
WAPT-2.4.0.14031 (2023-05-26)¶
hash : 1420892a
This is the release of WAPT 2.4. WAPT 2.4 version brings a ton of small improvements and bugfixes along with the following main features:
better co-existence with antivirus due to removal of NSSM service manager which was often wrongly flagged as suspicious. WAPT Agent now uses mORMot Angelize for service management
due to OpenSSL 1.1.1 being eol’ed next september, WAPT has switched to embedded OpenSSL 3.0.8
re-implemented Active Directory offline join in WADS (djoin.exe) to work around many bugs and limitations in the Microsoft version of djoin.exe, now with support of Active Directory forest and subdomains
it is now possible to use user/password credentials when importing packages from the store. Authentication will be required for the WAPT Enterprise Store that provides educational software
add support for Debian 10 and Debian 11 on ARM 64 bit platform
new WADS graphical interface
remove usage of Microsoft Windows RestartManager during upgrade to avoid unnecessary killing of services
CAVEAT:
the new OpenSSL 3.0 has a huge performance issue when loading a large certificate bundle. If you have verify_cert and want to use the Operating System bundle, please set verify_cert=1
WADS WinPE format has changed and it needs to be recreated. Please refer to https://www.wapt.fr/en/doc-2.4/wapt-wads.html#adding-the-winpe-files
WAPT Server¶
[NEW] waptserver: when login with ssl auth, check that the sha1 of the client certificate matches the sha1 of the user account in database for client cert auth
[NEW] waptserver: accept empty username when using ssl auth. if username is provided, it must match the CN part of the certificate DN
[NEW] use http status 403 instead of 401 when client side auth does not succeed to avoid a user/password popup in console.
[NEW] waptserver: add login_auth_methods configuration parameter in waptserver.ini defaults to admin,ldap,passwd,token,kerb (format : csv)
[NEW] waptserver licences: be tolerant if no server_uuid yet
[NEW] wapserversession: share waptserveruser across all waptserver connections * to make it easier to relogin after token expiration. * retry to get a token if http 401 status
[NEW] waptserver, waptservice on Windows: removed nssm service manager, replaced by waptsvc * waptsvc service supervisor is based on mormot agl. * waptservice.exe is a symlink to waptsvc.exe and manages “waptpython -I waptservice/service.py” * waptserver is a symlink to waptsvc and manages server.py, wapttasks huey queue, and nginx
[NEW] waptserversetup: don’t set repo_url and wapt_server url during setup as this is now done later when building waptagent
[ADD] WAPTWUA missing allow url allow mp.microsoft.com
[RM] removed endpoint /api/v2/download_wuredist
[IMP] lower case for test rules secondary repo in case of mixed case scenario
[IMP] waptservice and wapttftpserver: don’t wait for enter key on error
[IMP] waptserver nginx: add api/v3/login specific section to forward client SSL auth
[IMP] waptserver: add signer_fingerprint db field to Wads models
[IMP] adding generic symlink when uploading waptagent to have standard http url for agent download
[IMP] waptrepo: hardened handling of multiple concurrent repo cache updates
[IMP] server add_configurations : return json config filenames in result.
[IMP] waptserver: get_ad_ou_split : be tolerant to malformed OU sent by client
[IMP] waptserver crls updates for nginx: * merge all known crls into file if “ssl_crls” waptserver.ini is defined
[IMP] waptserver model: update Packages table description_localized dict from package entry.
[IMP] add psycogreen patching for eventlet / postgresql
[IMP] Be sure to fill executable version infos when initializing logger
[IMP] cache CASigners in waptrepo
[UPD] upgrade to 14.7 postgresql for windows
[UPD] waptserver autocreate console ldap authenticated users if default_ldap_users_acls config is not empty
[FIX] waptserver: fix startup issue when calling waptlicences.CheckValidLicencesCount
[FIX] waptserversetup: missing dir=in in firewall rules for wapttftpserver on Windows Server
[FIX] waptserver nginx: add “proxy_request_buffering off;” to the top server nginx config to workaround issues with big iso uploads.
[FIX] fix username in log history of actions on waptserver
[FIX] newest_only in api/v3/packages api does not compare versions properly.
[FIX] fixed regexp in nginx location for conf.d/*.json files (and others).
[FIX] waptserver: login initialization of user typo
[FIX] configurations repositories repo wapt/conf.d should not be protected by client side certificates
[FIX] config url on server index landing page.
[FIX] twaptserver auth callbacks. use OnHttpClientAuthorize if password in session, then OnAuthorize if defined and no password is available session
[FIX] StripCertificateComments endless loop if Pem bundle ends with 2 CR: NextPem does not set input pointer P to nil if end of file.
[REF] waptserver: add a config parameter to change globally the default enabled auth methods: default_auth_methods defaults to session,admin,passwd,ldap. This can be overridden on a per-endpoint basis
[REF] server: removed legacy url style login
WAPT Agent¶
[NEW] waptsetup: removed the option to trust tranquilit certificates.
[NEW] don’t set wapt-templates by default in agent config file wapt-get.ini
[IMP] waptsetup: don’t configure URL in waptsetup by default as it is proposed later on in waptconsole.
[IMP] waptsetup: don’t ask innosetup to close applications using RestartManager as sometimes, it kills vital services (network) when launched silently
[IMP] logo in WAPT SelfService
[IMP] waptself: improve auth error message
[IMP] waptself: removed shadows to lower redraw workload removed some visual overrides to panels
[IMP] waptdeploy: useWaptServer task does not exist anymore. Enable installService task by default
[IMP] WAPT Message adaptive form size to content if no size is set
[IMP] waptstarter: fix some waptstarter default settings removed kerberos checkbox
[IMP] wapt-get fpc: use agent key/cert client auth if none is defined in config inifile.
[IMP] add double quotes around waptservice executable filename for ImagePath in services windows registry. If not quoted, and there are spaces in file path, service can not start in certain cases
[IMP] waptsetup: add logs of service install exec shell commands.
[UPD] wapt-get: add restart-waptservice action. fix add-licence authentication
[FIX] waptself: after hitting task panel hide button, packages flowpanel is hidden too
[FIX] Self Service : DownloadAllPackageIcons after getting a token
[FIX] restarting waptservice by scheduler under MacOS
[FIX] taking care of display_time in WAPT Service
[FIX] fix again regression on waptmessage impersonation from Agl waptservice. child processes are launched inside a job to control their termination. so for impersonation, we need CREATE_BREAKAWAY_FROM_JOB creation flag
[FIX] waptsetup: add waptconsole start shortcut only if not running a stuffed waptsetup.exe
[FIX] fix waptsetup trusted_external_certs
WAPT Linux¶
[NEW] add json config url in waptserver homepage to help linux agent config
[IMP] waptupgrade : improve command line install for deb base distro
[IMP] Debian: add reboot_needed and reboot-required.pkgs info in host info
[IMP] force locale C for strptime installed_softwares
[FIX] fix datetime.datetime.strptime for installed_softwares in rhel9
WAPT macOS¶
[NEW] WAPT Tray compilation config. for macosx
[FIX] fix out of range error when importing waptlicences python module on macosx
WAPT Console¶
[NEW] waptconsole acls form: fix the check signature action. add some icons to show when a certificate or password is assigned to a user
[NEW] add HttpGet and HttpPost helpers for mustache templates to create custom html display in console
[NEW] button export pending required WUA KB as curl string list
[NEW] import CAB WUA updates
[NEW] Showing pending WUA updates to download
[NEW] audit info Add asus support button to asus support site with computer ref
[NEW] WaptHttpGetString and WaptHttpPostData: add a default referer with root of URL to pass some basic access API authentication * applied as example for HP support access
[NEW] add lenovo go to support button as an example of HttpGet mustache helper. * note the leading “,” in the list of arguments because of a bug in mormot helpers arg handling.
[NEW] add display time for WAPT Message when sending from WAPT Console
[NEW] waptconsole: Enable audit data tab by default
[ADD] message user friendly for ‘.exe’ signature
[ADD] Message to confirm hosts deletion
[IMP] package maturity action
[IMP] adding url for wsusscn2.cab to download
[IMP] fix double click not able to show certificate using shell.
[IMP] adding possibility to cancel configuration package creation
[IMP] Add Tasks Status for better security and messages
[IMP] waptconsole edit package form: show always files tab. add a message for user if package does not exist anymore.
[IMP] WaptConsole: Discover domain controllers from domain dns name
[IMP] WaptConsole: Load available OU from AD in TVisPrepareDjoin
[IMP] User can add username / password for repositories while importing packages for Internet
[IMP] better grid status if restart pending
[IMP] external repositories settings: removed the checkbox for signature certificates directory. Check is enforced if cert is defined
[IMP] waptconsole configuration: set verify_cert to 1 instead of path to certifi bundle when checking “Check https certificate”.
[IMP] waptconsole: on first login, when no server is defined in waptconsole.ini, show the configuration dialog first
[IMP] waptconsole: manage reloading of ini config if file is updated externally add public_certs_dir setting.
[IMP] waptconsole: trust always own waptconsole’s user certificate when processing / re-signing packages
[IMP] missing changes for waptconsole build waptsetup: don’t include ssl dir in waptupgrade package.
[IMP] waptconsole: try to get a new session cookie if 401 and there is cached password for user instead of switching to basic auth
[IMP] waptconsole: Add update package tab in package editor
[IMP] waptconsole: Display min/max os version in target_os column if defined.
[IMP] waptconsole waptgent: allow to double click on certificates to open them with os shell.
[IMP] waptconsole: add architectures arm and arm64 to the filters
[IMP] new dark view mode for console
[UPD] waptconsole: show login dialog if the server session cookies expires
[UPD] add support for pkcs#12 file for private key and certificate in waptconsole and wapt-get.
[UPD] waptconsole private key password change : try to change P12 file password too if same base filename and same old password.
[UPD] icon on error status in host WUA
[UPD] filter out packages having an untrusted signer certificate when loading Packages index. Note that this is only to avoid processing or listing packages which will not be trusted anyway. But we don’t check the signature at this point, so package control signature must still be checked later.
[FIX] waptconsole: fix potential AV when getting isEnterprise status if no waptserver is defined yet.
[FIX] adding a password in Acls raises an exception about missing arg. fix decoding of utf8 when building SO and SA from Array of const (valid for Lazarus only where String=Utf8String)
[FIX] waptconsole reporting : no column displayed when running query outside of query editor
[FIX] waptconsole acls: small fix console acls signature display when deleting a certificate in console
[FIX] waptconsole: propagate licences count to background threads
[FIX] TVisPrepareDjoin: Handle properly subdomains in AD forest
[FIX] waptconsole PrepareDJoin: allow direct input of Host OU
[FIX] give modal status to driver download windows when creating winPE to avoid other conflicting actions
[FIX] splitter placement on audit data when showing history
[FIX] Better Design for Import from Internet Basket
[FIX] FrmLdapSearch: Fallback on OS DNS nameservers if no domain controller found using domain as nameserver
[FIX] fix basic auth (issue when concatenating user+’:’+password), prevent recursive call to login dialog, clear private key password if password is not OK on login.
[FIX] waptconsole: fix local agent configuration based on built agent config
[FIX] waptconsole : image showed as inactive on action forget package
[FIX] waptconsole: empty server side message when upload error.
[FIX] waptconsole import package: restore last used repository
[FIX] waptconsole create waptsetup: handle the host_profiles config attribute * removed unused organisation.
[FIX] waptconsole server login: be sure to not loop if basic auth fails
[FIX] waptconsole import packages newer than mine when there are dots in names
[FIX] deleting rows from audit data history
[FIX] waptconsole regression decrypting old python rsa encrypted data
[FIX] waptconsole decrypt of client side encrypted data
[FIX] Clearing audit data history view if no data
WAPT Core¶
[SEC] waptcrypto: don’t try to guess signed_attributes. this attribute is mandatory. signer is mandatory for python waptcrypto verify_claim check
[NEW] add command line action “wapt-get dmiinfo”
[NEW] showing countdown on WAPT Message + stopping countdown when entering in message viewer
[NEW] GetStrippedDownServerCABundlePath : stores only issuer CA cert chain, not server chain. keep file cache for 1 hour.
[NEW] improve handling of external repo user/password authentication.
[IMP] waptsetup: don’t change server and repo config by default if repo is already defined in wapt-get.ini.
[IMP] wakeonlan: be tolerant if no interface or no macs on a host
[IMP] fix get_net_ips() if no address on an interface (eg. CAN bus)
[IMP] store networking infos as a separate field in hosts table. removed list_services and listening_sockets from host’s status data moved audit_status into wapt_status
[IMP] waptcrypto python: add arguments for certificate’s not_before and not_after constraints. add option to specify date of claim’s signature for testing purpose.
[IMP] waptrepo: Protect repo cache packages directory when updating. In case several process or threads are updating the same repo cache.
[IMP] wapt-get waptdeploy waptlicences lpi wads wgetwads waptsvc: disable -Wg win32 app mode for win32 and win64 target to force stdout open.
[IMP] waptcrypto: be sure to not create an empty stripped down CA file. return full bundle path if function fails.
[IMP] use mormot instead of tsmbios for get_biosinfos
[IMP] mormot2 fix Samba LDAP expectations in its “strong auth = yes” default mode - i.e. allow “signing sealing” of the frames if TLS is not used
[IMP] when checking for changed file over http, use a 2s tolerance before or after.
[IMP] waptutils copytree2 : don’t follow symlinks to avoid copying entire disks.
[IMP] waptpackage get_stripped_package: include ‘update_package.py’ in payload for the console.
[IMP] Add “--only-priorities” and “--only-if-not-process-running” options to wapt-get upgrade, install, remove actions
[IMP] logo for WAPT Message
[IMP] waptcrypto: TRSAPrivateKey: allow loading unencrypted PEM RSA key
[IMP] fixed OpenSSL UTF-8 encoding flags for certificates
[IMP] be sure to get only public cert from TX509Certificate mormot unit
[IMP] add pfx and p12 file filter for personal cert file browser
[IMP] waptdeploy: retry up to 30s to be able to get version on waptsetup
[IMP] waptsetup/waptstarter: install /StartPackages=xx if runningSilently
[IMP] create waptsetup: set verify_cert to ‘1’ instead of path to cabundle if verify cert is checked.
[UPD] update vc_redist to version 14.36.32532
[UPD] avoid untrapped exception when password can not decrypt key
[UPD] Strip comments in pem encoded certificates to reduce size and try to fit into the 32kb limit of stuffed exe.
[UPD] manage multivalued “architecture” in wapt packages: control.architecture attribute is now a csv of x64, x86, arm, arm64, armhf
[UPD] separate networking information from host_info to lower pressure on database when hosts update their status put host’s audit_status in last_update_status key.
[UPD] python waptpackage make_package_filename include os version in package filename for waptupgrade packages.
[FIX] missing makepath import and syntax fix
[FIX] waptpackage: remove references to old signature and manifest.sha1 files. delete them when unzipping package so that they are not considered as corruption.
[FIX] fix python WaptRepo packages_matching when condition is a PackageRequest (this is actually unused. The method packages_matching of Wapt class is used instead)
[FIX] allow empty folders in package
[FIX] TWaptSignatureChecker.VerifyJsonSignature in case ‘signed_attributes’ is not supplied in the json.
[FIX] DNS fallback to TCP on truncated UDP response - and also allow direct TCP query by using ‘tcp@1.2.3.4’ name server
[FIX] waptutils python fileutcmtime and httpdatetime2time. Convert all dates to UTC
[FIX] python wget not setting properly the file last-modified date from http header.
[FIX] wapt-get / commandline : use RawReadKey from keyboard unit to avoid crt unit which breaks console.
[FIX] wapt-get.py import waptservice is optional
[FIX] fix Machine without main_ip are ignored
[FIX] bad TTL for CACert bundle on disk cache
[FIX] old bug causing removes to fail when software is already uninstalled
[FIX] use ‘1’ for system CA in external repositories to force use of stripped down CA bundles due to openssl 3.0 perf bug
[REF] breaking change: removed import of PackageEntry from setupdevhelpers.py
[REF] refactor the http client to handle all requests the same way. handle user:password embedded in Urls renamed proc InitTlsContext to func InitHttpTlsContext. Returns a PTlsContext moved GetServerCertificate to waptcrypto GetPeerCertChainFromServerPath
[REF] move get_host_architecture from common to setuphelpers, move unzip_with_7zip from setuphelpers to setupdevhelpers
WAPT WADS¶
[SEC] add iso hash in ipxescript
[NEW] IP address and details of DISKPART info (volumes and disks) on wads_register_host
[NEW] Wads with Graphical Display and Info
[NEW] add update driver bundle option
[NEW] reset drivers on hosts OSDeploy
[NEW] drag and drop .iso on console for upload
[NEW] drag and drop of drivers folder on drivers in WADS part
[NEW] drag and drop from Host to deploy to drivers or configuration
[IMP] Verify WADS hostname on WADS Winpe / Console / Server
[IMP] Better login for login_on_wads
[IMP] Wapt downloads are now in Graphical WADS
[IMP] waptserver: calc sha256 of iso during upload rather than after upload
[IMP] TVisPrepareDjoin: Add domain discovery
[IMP] TVisPrepareDjoin: sort DC by response time using cldap
[IMP] Save prepare djoin form fields in session (domain, username and password)
[IMP] Add ubuntu and rhel9 wads template
[IMP] Upload iso. Deleting file if wrong hash after upload
[IMP] ipxe add keymap
[IMP] sending file to api/v3/upload_deploy_files only if needed
[IMP] Default prepare djoin window credentials to current domain’s
[IMP] Prepare Djoin: Retrieve domain controller using mormot dns resolver
[IMP] On WADS conf, a password for superadmin is defined
[IMP] Prepare DJoin: Connect through kerberos if possible
[IMP] waptconsole PrepareDJoin: allow direct input of Host OU
[UPD] wads: wait 30s for an ip address.
[UPD] limiting uploading iso files only on WADS part
[FIX] Wads fix default dir for iso upload
[FIX] osdeploy data signature. signer_fingerprint is not saved into db, so must not be included in signed attributes
[FIX] getting ipv4 addresses excluding APIPA
[FIX] wads: break loop if 401 login fails.
[FIX] Fix VisPrepareDJoin: Reset ldap kerberos SPN before connecting to the domain
[FIX] Stop Graphical if WADS is only used to send status
[FIX] Retry Wads now reset the status
[FIX] avoiding loop showing message if ISO name already exists
[FIX] empty error message on refreshing ISO file list
[FIX] waptdeploy unable to read setup exe version same potential issue in wads missing call to RetrieveInformationFromFileName
[FIX] fix copy cert in winpe for wads
[FIX] empty error message on refreshing drivers file hashes and bundle names
[FIX] Warning Removal and reset wads32 binary
[FIX] Fix TVisPrepareDjoin GetDJoinBlob method - Fix verification of computer existence in the domain - Set computer password in AD even if we’re not creating it - Parse the created djoin blob after creation and set an error if the format is invalid
[FIX] TVisPrepareDjoin: Call to CldapSortHosts missing a parameter
[FIX] TVisPrepareDjoin: Handle sub-domain within forest
[FIX] waptconsole wads osdeploy grid: popupmenu clears multiselect
[REF] Prepare djoin fixes and form rework - Allow to configure ldap port - Don’t load OU on show - Split DC load and ldap connect buttons - Forbid to modify existing machine password (force to overwrite)
WAPT-2.4.0.14001-rc3 (2023-05-25)¶
hash : 1420892a
This is the third release candidate of WAPT 2.4. WAPT 2.4 version brings a ton of small improvements and bugfixes along with the following main features:
better co-existence with antivirus due to removal of NSSM service manager which was often wrongly flagged as suspicious. WAPT Agent now uses mORMot Angelize for service management
due to OpenSSL 1.1.1 being eol’ed next september, WAPT has switched to embedded OpenSSL 3.0.8
re-implemented Active Directory offline join in WADS (djoin.exe) to work around many bugs and limitations in the Microsoft version of djoin.exe, now with support of Active Directory forest and subdomains
it is now possible to use user/password credentials when importing packages from the store. Authentication will be required for the WAPT Enterprise Store that provides educational software
add support for Debian 10 and Debian 11 on ARM 64 bit platform
new WADS graphical interface
remove usage of Microsoft Windows RestartManager during upgrade to avoid unnecessary killing of services
CAVEAT:
the new OpenSSL 3.0 has a huge performance issue when loading a large certificate bundle. If you have verify_cert and want to use the Operating System bundle, please set verify_cert=1
WAPT Server¶
[FIX] waptserversetup: missing dir=in in firewall rules for wapttftpserver on Windows Server
[FIX] waptserver nginx: add “proxy_request_buffering off;” to the top server nginx config to workaround issues with big iso uploads.
[FIX] fix username in log history of actions on waptserver
[FIX] newest_only in api/v3/packages api does not compare versions properly.
[IMP] lower case for test rules secondary repo in case of mixed case scenario
[IMP] waptservice and wapttftpserver: don’t wait for enter key on error
WAPT Agent¶
[FIX] Self Service : DownloadAllPackageIcons after getting a token
[IMP] waptsetup: don’t configure URL in waptsetup by default as it is proposed later on in waptconsole.
[UPD] wapt-get: add restart-waptservice action. fix add-licence authentication
[IMP] wapt-get fpc: use agent key/cert client auth if none is defined in config inifile.
[FIX] restarting waptservice by scheduler under MacOS
[IMP] add double quotes around waptservice executable filename for ImagePath in services windows registry. If not quoted, and there are spaces in file path, service can not start in certain cases
[IMP] waptsetup: add logs of service install exec shell commands.
[FIX] waptself: after hitting task panel hide button, packages flowpanel is hidden too
[IMP] waptdeploy: useWaptServer task does not exist anymore. Enable installService task by default
WAPT Console¶
[FIX] waptconsole: fix potential AV when getting isEnterprise status if no waptserver is defined yet.
[IMP] waptconsole configuration: set verify_cert to 1 instead of path to certifi bundle when checking “Check https certificate”.
[IMP] waptconsole: on first login, when no server is defined in waptconsole.ini, show the configuration dialog first
[FIX] adding a password in Acls raises an exception about missing arg. fix decoding of utf8 when building SO and SA from Array of const (valid for Lazarus only where String=Utf8String)
WAPT Core¶
[FIX] missing makepath import and syntax fix
[FIX] waptpackage: remove references to old signature and manifest.sha1 files. delete them when unzipping package so that they are not considered as corruption.
WAPT WADS¶
[FIX] Wads fix default dir for iso upload
WAPT-2.4.0.14001-rc2 (2023-05-17)¶
hash : 13e724ad
This is the second release candidate of WAPT 2.4. WAPT 2.4 version brings a ton of small improvements and bugfixes along with the following main features:
better co-existence with antivirus due to removal of NSSM service manager which was often wrongly flagged as suspicious. WAPT Agent now uses mORMot Angelize for service management
due to OpenSSL 1.1.1 being eol’ed next september, WAPT has switched to embedded OpenSSL 3.0.8
re-implemented Active Directory offline join in WADS (djoin.exe) to work around many bugs and limitations in the Microsoft version of djoin.exe, now with support of Active Directory forest and subdomains
it is now possible to use user/password credentials when importing packages from the store. Authentication will be required for the WAPT Enterprise Store that provides educational software
add support for Debian 10 and Debian 11 on ARM 64 bit platform
new WADS graphical interface
remove usage of Microsoft Windows RestartManager during upgrade to avoid unnecessary killing of services
CAVEAT:
the new OpenSSL 3.0 has a huge performance issue when loading a large certificate bundle. If you have verify_cert and want to use the Operating System bundle, please set verify_cert=1
WAPT Console¶
[FIX] waptconsole reporting : no column displayed when running query outside of query editor
[FIX] waptconsole acls: small fix console acls signature display when deleting a certificate in console
[FIX] waptconsole: propagate licences count to background threads
[FIX] TVisPrepareDjoin: Handle properly subdomains in AD forest
[FIX] waptconsole PrepareDJoin: allow direct input of Host OU
[FIX] give modal status to driver download windows when creating winPE to avoid other conflicting actions
[FIX] splitter placement on audit data when showing history
WAPT Server¶
[FIX] waptserver: fix startup issue when calling waptlicences.CheckValidLicencesCount
[IMP] adding generic symlink when uploading waptagent to have standard http url for agent download
[UPD] upgrade to 14.7 postgresql for windows
[FIX] fixed regexp in nginx location for conf.d/*.json files (and others).
WAPT Core¶
[FIX] fix python WaptRepo packages_matching when condition is a PackageRequest (this is actually unused. The method packages_matching of Wapt class is used instead)
[IMP] wapt-get waptdeploy waptlicences lpi wads wgetwads waptsvc: disable -Wg win32 app mode for win32 and win64 target to force stdout open.
[UPD] update vc_redist to version 14.36.32532
[FIX] allow empty folders in package
WAPT Linux¶
[IMP] waptupgrade : improve command line install for deb base distro
WAPT macOS¶
[FIX] fix out of range error when importing waptlicences python module on macosx
WAPT-2.4.0.13958 RC1 (2023-04-17)¶
hash : 2cb08262
This is the first release candidate of WAPT 2.4. This new version brings a ton of small improvements and bugfixes along with the following main features:
better co-existence with antivirus due to removal of NSSM service manager which was often wrongly flagged as suspicious. WAPT Agent now uses mORMot Angelize for service management
due to OpenSSL 1.1.1 being eol’ed next september, WAPT has switched to embedded OpenSSL 3.0.8
re-implemented Active Directory offline join in WADS (djoin.exe) to work around many bugs and limitations in the Microsoft version of djoin.exe
it is now possible to use user/password credentials when importing packages from the store. Authentication will be required for the WAPT Enterprise Store that provides educational software
add support for Debian 10 and Debian 11 on ARM 64 bit platform
new WADS graphical interface
remove usage of Microsoft Windows RestartManager during upgrade to avoid unnecessary killing of services
CAVEAT:
the new OpenSSL 3.0 has a huge performance issue when loading a large certificate bundle. If you have verify_cert and want to use the Operating System bundle, please set verify_cert=1
WAPT Console¶
[FIX] Better Design for Import from Internet Basket
[FIX] FrmLdapSearch: Fallback on OS DNS nameservers if no domain controller found using domain as nameserver
[NEW] waptconsole acls form: fix the check signature action. add some icons to show when a certificate or password is assigned to a user
[IMP] waptconsole: manage reloading of ini config if file is updated externally add public_certs_dir setting.
[IMP] waptconsole: trust always own waptconsole’s user certificate when processing / re-signing packages
[IMP] missing changes for waptconsole build waptsetup: don’t include ssl dir in waptupgrade package.
[IMP] waptconsole: try to get a new session cookie if 401 and there is cached password for user instead of switching to basic auth
[FIX] fix basic auth (issue when concatenating user+’:’+password), prevent recursive call to login dialog, clear private key password if password is not OK on login.
[UPD] waptconsole: show login dialog if the server session cookies expires
[FIX] waptconsole: fix local agent configuration based on built agent config
[NEW] add HttpGet and HttpPost helpers for mustache templates to create custom html display in console
[IMP] waptconsole: Display min/max os version in target_os column if defined.
[FIX] waptconsole : image showed as inactive on action forget package
[FIX] waptconsole: empty server side message when upload error.
[IMP] waptconsole: Add update package tab in package editor
[FIX] waptconsole import package: restore last used repository
[IMP] waptconsole waptgent: allow to double click on certificates to open them with os shell.
[IMP] waptconsole: add architectures arm and arm64 to the filters
[IMP] new dark view mode for console
[NEW] button export pending required WUA KB as curl string list
[NEW] import CAB WUA updates
[IMP] adding url for wsusscn2.cab to download
[IMP] fix double click not able to show certificate using shell.
[NEW] Showing pending WUA updates to download
[UPD] add support for pkcs#12 file for private key and certificate in waptconsole and wapt-get.
[UPD] waptconsole private key password change : try to change P12 file password too if same base filename and same old password.
[IMP] package maturity action
[IMP] adding possibility to cancel configuration package creation
[IMP] Add Tasks Status for better security and messages
[IMP] waptconsole edit package form: show always files tab. add a message for user if package does not exist anymore.
[FIX] waptconsole create waptsetup: handle the host_profiles config attribute * removed unused organisation.
[IMP] WaptConsole: Discover domain controllers from domain dns name
[IMP] WaptConsole: Load available OU from AD in TVisPrepareDjoin
[NEW] audit info Add asus support button to asus support site with computer ref
[NEW] WaptHttpGetString and WaptHttpPostData: add a default referer with root of URL to pass some basic access API authentication * applied as example for HP support access
[NEW] add Lenovo go to support button as an example of HttpGet mustache helper. * note the leading “,” in the list of arguments because of a bug in mormot helpers arg handling.
[UPD] icon on error status in host WUA
[IMP] User can add username / password for repositories while importing packages for Internet
[NEW] add display time for WAPT Message when sending from WAPT Console
[FIX] waptconsole server login: be sure to not loop if basic auth fails
[FIX] waptconsole import packages newer than mine when there are dots in names
[UPD] filter out packages having an untrusted signer certificate when loading Packages index. Note that this is only to avoid processing or listing packages which will not be trusted anyway. But we don’t check the signature at this point, so package control signature must still be checked later.
[IMP] better grid status if restart pending
[FIX] deleting rows from audit data history
[FIX] waptconsole regression decrypting old python rsa encrypted data
[NEW] waptconsole: Enable audit data tab by default
[IMP] external repositories settings: removed the checkbox for signature certificates directory. Check is enforced if cert is defined
[FIX] waptconsole decrypt of client side encrypted data
[ADD] message user friendly for ‘.exe’ signature
[ADD] Message to confirm hosts deletion
[FIX] Clearing audit data history view if no data
WAPT Agent¶
[FIX] waptsetup: add waptconsole start shortcut only if not running a stuffed waptsetup.exe
[FIX] fix waptsetup trusted_external_certs
[IMP] WAPT Message adaptive form size to content if no size is set
[NEW] waptsetup: removed the option to trust tranquilit certificates.
[IMP] waptstarter: fix some waptstarter default settings removed kerberos checkbox
[FIX] taking care of display_time in WAPT Service
[NEW] don’t set wapt-templates by default in agent config file wapt-get.ini
[FIX] fix again regression on waptmessage impersonation from Agl waptservice. Child processes are launched inside a job to control their termination, so for impersonation, we need the CREATE_BREAKAWAY_FROM_JOB creation flag
[IMP] waptsetup: don’t ask innosetup to close applications using RestartManager as sometimes, it kills vital services (network) when launched silently
[IMP] logo in WAPT SelfService
[IMP] waptself: improve auth error message
[IMP] waptself: removed shadows to lower redraw workload. Removed some visual overrides to panels
WAPT Core¶
[SEC] waptcrypto: don’t try to guess signed_attributes. This attribute is mandatory. Signer is mandatory for python waptcrypto verify_claim check
[FIX] DNS fallback to TCP on truncated UDP response - and also allow direct TCP query by using ‘tcp@1.2.3.4’ name server
[NEW] add wapt-get dmiinfo
[IMP] waptcrypto: be sure to not create an empty stripped down CA file. Return full bundle path if function fails.
[IMP] use mormot instead of tsmbios for get_biosinfos
[FIX] TWaptSignatureChecker.VerifyJsonSignature in case ‘signed_attributes’ is not supplied in the json.
[IMP] mormot2 fix Samba LDAP expectations in its “strong auth = yes” default mode - i.e. allow “signing sealing” of the frames if TLS is not used
[FIX] waptutils python fileutcmtime and httpdatetime2time. Convert all dates to UTC
[UPD] python waptpackage make_package_filename include os version in package filename for waptupgrade packages.
[REF] breaking change: removed import of PackageEntry from setupdevhelpers.py
[IMP] when checking for changed file over http, use a 2s tolerance before or after.
[FIX] python wget not setting properly the file last-modified date from http header.
[IMP] waptutils copytree2 : don’t follow symlinks to avoid copying entire disks.
[IMP] waptpackage get_stripped_package: include ‘update_package.py’ in payload for the console.
[IMP] Add --only-priorities and --only-if-not-process-running to wapt-get upgrade, install, remove
[IMP] logo for WAPT Message
[IMP] waptcrypto: TRSAPrivateKey: allow loading unencrypted PEM RSA key
[IMP] fixed OpenSSL UTF-8 encoding flags for certificates
[IMP] be sure to get only public cert from TX509Certificate mormot unit
[IMP] add pfx and p12 file filter for personal cert file browser
[UPD] avoid untrapped exception when password can not decrypt key
[UPD] Strip comments in pem encoded certificates to reduce size and try to fit into the 32kb limit of stuffed exe.
[IMP] waptdeploy: retry up to 30s to be able to get version on waptsetup
[IMP] waptsetup/waptstarter: install /StartPackages=xx if runningSilently
[FIX] wapt-get / commandline : use RawReadKey from keyboard unit to avoid crt unit which breaks console.
[UPD] manage multivalued “architecture” in wapt packages. control.architecture attribute is now a csv of x64, x86, arm, arm64, armhf
[FIX] wapt-get.py import waptservice is optional
[IMP] waptsetup: don’t change server and repo config by default if repo is already defined in wapt-get.ini.
[IMP] wakeonlan: be tolerant if no interface or no macs on a host
[IMP] fix get_net_ips() if no address on an interface (eg. CAN bus)
[FIX] fix Machine without main_ip are ignored
[FIX] bad TTL for CACert bundle on disk cache
[IMP] create waptsetup: set verify_cert to ‘1’ instead of path to cabundle if verify cert is checked.
[FIX] old bug causing removes to fail when software is already uninstalled
[NEW] showing countdown on WAPT Message + stopping countdown when entering in message viewer
[NEW] GetStrippedDownServerCABundlePath : stores only issuer CA cert chain, not server chain. keep file cache for 1 hour.
[FIX] use ‘1’ for system CA in external repositories to force use of stripped down CA bundles due to openssl 3.0 perf bug
[REF] refactor the http client to handle all requests the same way. Handle user:password embedded in Urls. Renamed proc InitTlsContext to func InitHttpTlsContext. Returns a PTlsContext. Moved GetServerCertificate to waptcrypto GetPeerCertChainFromServerPath
[UPD] separate networking information from host_info to lower pressure on database when hosts update their status. Put host’s audit_status in last_update_status key.
[IMP] store networking infos as a separate field in hosts table. Removed list_services and listening_sockets from host’s status data. Moved audit_status into wapt_status
[NEW] improve handling of external repo user/password authentication.
[IMP] waptcrypto python: add arguments for certificate’s not_before and not_after constraints. Add option to specify date of claim’s signature for testing purpose.
[IMP] waptrepo: Protect repo cache packages directory when updating, in case several processes or threads are updating the same repo cache.
[REF] move get_host_architecture from common to setuphelpers, move unzip_with_7zip from setuphelpers to setupdevhelpers
WAPT Server¶
[IMP] waptserver nginx: add api/v3/login specific section to forward client SSL auth
[NEW] waptserver: when login with ssl auth, check that the sha1 of the client certificate matches the sha1 of the user account in database for client cert auth
[IMP] waptserver: add signer_fingerprint db field to Wads models
[NEW] waptserver: accept empty username when using ssl auth. If username is provided, it must match the CN part of the certificate DN
[ADD] WAPTWUA missing allow url allow mp.microsoft.com
[NEW] use http status 403 instead of 401 when client side auth does not succeed to avoid a user/password popup in console.
[REF] waptserver: add a config parameter to change globally the default enabled auth methods. default_auth_methods defaults to session,admin,passwd,ldap. This can be overridden on a per endpoint basis
[FIX] waptserver: login initialization of user typo
[REF] server: removed legacy url style login
[NEW] waptserver: add login_auth_methods configuration parameter in waptserver.ini defaults to admin,ldap,passwd,token,kerb (format : csv)
[FIX] configurations repositories repo wapt/conf.d should not be protected by client side certificates
[NEW] waptserver licences: be tolerant if no server_uuid yet
[IMP] waptrepo: hardened handling of multiple concurrent repo cache updates
[FIX] config url on server index landing page.
[FIX] twaptserver auth callbacks. use OnHttpClientAuthorize if password in session, then OnAuthorize if defined and no password is available session
[UPD] waptserver autocreate console ldap authenticated users if default_ldap_users_acls config is not empty
[IMP] server add_configurations : return json config filenames in result.
[IMP] waptserver: get_ad_ou_split : be tolerant to malformed OU sent by client
[IMP] waptserver crls updates for nginx: * merge all known crls into file if “ssl_crls” waptserver.ini is defined
[NEW] wapserversession: share waptserveruser across all waptserver connections * to make it easier to relogin after token expiration. * retry to get a token if http 401 status
[NEW] waptserver, waptservice on Windows: removed nssm service manager, replaced by waptsvc * waptsvc service supervisor is based on mormot agl. * waptservice.exe is a symlink to waptsvc.exe and manages “waptpython -I waptservice/service.py” * waptserver is a symlink to waptsvc and manages server.py, wapttasks huey queue, and nginx
[RM] removed endpoint /api/v2/download_wuredist
[NEW] waptserversetup: don’t set repo_url and wapt_server url during setup as this done now later when building waptagent
[IMP] waptserver model: update Packages table description_localized dict from package entry.
[FIX] StripCertificateComments endless loop if Pem bundle ends with 2 CR. NextPem does not set input pointer P to nil if end of file.
[IMP] add psycogreen patching for eventlet / postgresql
[IMP] Be sure to fill executable version infos when initializing logger
[IMP] cache CASigners in waptrepo
WAPT WADS¶
[FIX] osdeploy data signature. signer_fingerprint is not saved into db, so must not be included in signed attributes
[IMP] waptserver: calc sha256 of iso during upload rather than after upload
[FIX] getting ipv4 addresses excluding APIPA
[IMP] TVisPrepareDjoin: Add domain discovery
[IMP] TVisPrepareDjoin: sort DC by response time using cldap
[IMP] Save prepare djoin form fields in session (domain, username and password)
[FIX] wads: break loop if 401 login fails.
[FIX] Fix VisPrepareDJoin: Reset ldap kerberos SPN before connecting to the domain
[NEW] reset drivers on hosts OSDeploy
[FIX] Stop Graphical if WADS is only used to send status
[FIX] Retry Wads now reset the status
[IMP] Verify WADS hostname on WADS Winpe / Console / Server
[NEW] IP address and details of DISKPART info (volumes and disks) on wads_register_host
[IMP] Better login for login_on_wads
[IMP] Wapt downloads are now in Graphical WADS
[NEW] Wads with Graphical Display and Info
[FIX] avoiding loop showing message if ISO name already exists
[FIX] empty error message on refreshing ISO file list
[SEC] add iso hash in ipxescript
[IMP] Add ubuntu and rhel9 wads template
[UPD] wads: wait 30s for an ip address.
[IMP] Upload iso. Deleting file if wrong hash after upload
[IMP] ipxe add keymap
[FIX] waptdeploy unable to read setup exe version. Same potential issue in wads: missing call to RetrieveInformationFromFileName
[FIX] fix copy cert in winpe for wads
[FIX] empty error message on refreshing drivers file hashes and bundle names
[NEW] add update driver bundle option
[UPD] limiting uploading iso files only on WADS part
[IMP] sending file to api/v3/upload_deploy_files only if needed
[FIX] Warning Removal and reset wads32 binary
[NEW] drag and drop .iso on console for upload
[NEW] drag and drop of drivers folder on drivers in WADS part
[NEW] drag and drop from Host to deploy to drivers or configuration
[IMP] Default prepare djoin window credentials to current domain’s
[IMP] Prepare Djoin: Retrieve domain controller using mormot dns resolver
[IMP] On WADS conf, a password for superadmin is defined
[REF] Prepare djoin fixes and form rework - Allow to configure ldap port - Don’t load OU on show - Split DC load and ldap connect buttons - Forbid to modify existing machine password (force to overwrite)
[IMP] Prepare DJoin: Connect through kerberos if possible
[FIX] Fix TVisPrepareDjoin GetDJoinBlob method - Fix verification of computer existence in the domain - Set computer password in AD even if we’re not creating it - Parse the created djoin blob after creation and set an error if the format is invalid
[IMP] waptconsole PrepareDJoin: allow direct input of Host OU
[FIX] TVisPrepareDjoin: Call to CldapSortHosts missing a parameter
[FIX] TVisPrepareDjoin: Handle sub-domain within forest
[FIX] waptconsole wads osdeploy grid: popupmenu clears multiselect
WAPT Linux¶
[IMP] Debian : add reboot_needed and reboot-required.pkgs info in host info
[IMP] force locale C for strptime installed_softwares
[FIX] fix datetime.datetime.strptime for installed_softwares in rhel9
[NEW] add json config url in waptserver homepage to help linux agent config
WAPT macOS¶
[NEW] WAPT Tray compilation config. for macosx
WAPT-2.3 Serie¶
WAPT-2.3.0.13516 (2023-02-23)¶
hash : 69968974
This is a bugfix release for WAPT 2.3.
Attention
When upgrading from WAPT 2.2.3 to WAPT 2.3, when installing the new waptsetup.exe 2.3, if the waptagent.exe 2.2.3 had previously been installed ON the management machine ABOVE the waptsetup.exe 2.2.3, then the org certificate located in the wapt\ssl directory of the agent belonged to the waptagent.exe 2.2.3 InnoSetup installation instead of being a local file, and was removed during upgrade to waptsetup.exe 2.3, which handles certificate deployment differently.
Now, in the case a waptagent.exe has been installed above a waptsetup.exe install, the certificates in wapt\ssl will be preserved during upgrade.
This should happen only on the management machine that is used to rebuild the agent if the agent has been re-installed above the waptsetup.exe install.
Note
The RHEL9 repository is now signed with a sha256 key/digest
WAPT Agent¶
[IMP] waptsetup.exe : backup <wapt>\ssl\*.crt before upgrading and restore after install
[UPD] when building waptagent, check that there is at least one trusted cert for packages and actions
[UPD] be more relaxed on waptagent setup naming: if setup exename “starts” with waptagent, assume we can safely use the configuration inside when running silently
[IMP] waptsetup: don’t ask innosetup to close applications using Microsoft Windows RestartManager. Use specific process name instead.
WAPT Console¶
[FIX] fix zip64 for big packages (>2GB) not handled properly in waptconsole
[FIX] waptconsole build waptagent certificate issue when both CA and personal cert+CA files are selected
WAPT Server¶
[FIX] Debian : fix logrotate on wapt server
WAPT-2.3.0.13505 (2023-02-13)¶
hash : c7fcb3a7
This is a bugfix release for WAPT 2.3, and has been signed with a new code signing certificate to replace the expired one.
Attention
All the previous versions of the 2.3 branch have an issue with the creation of the waptagent.exe due to an expiring code signing certificate. If you need to create a new WAPT Agent, please upgrade to this version.
The error message that you will get is “Error while creating waptagent.exe: Checking hashes of executables on server against Tranquil IT certificate has failed. Please check if waptbinaries.sha256 has not been altered.”
Message in French : “Erreur lors de la création du waptagent.exe : La vérification de la signature Tranquil IT des hashs de contrôle sur le serveur a échoué. Vérifier que le waptbinaries.sha256 n’a pas été altéré sur le serveur.”
WAPT core¶
[FIX] better handling of filename with ‘..’ and ‘~’ in zip filenames. No need to be paranoid if ‘..’ and ‘~’ are in the middle of the name
[FIX] waptservice only_if_no_process_running not taken into account when auto upgrade with waptupdate_task_period is enabled.
[UPD] waptservice / core: include packages with install status == error when checking for conflicting packages to remove.
[FIX] remote user waptmessage encoding issue
[FIX] waptconsole waptpackage manifest add support for file with non ascii chars.
[IMP] read Packages index from disk: use mormot function to potentially avoid lock conflicts
[FIX] remove or forget packages with spaces in package name. fix RemoveDuplicates when there are spaces in data items.
[FIX] closing WAPT Self for Linux/MacOSX
[FIX] waptdeploy : update certificate pinning with new code signing certificate
[FIX] waptcrypto : takes into account signature_date when checking certificate expiration date vs timestamping time.
[SEC] update openssl binaries to 1.1.1t
WAPT Server¶
[FIX] waptdeploy on server location: <repodir>/waptagent/waptdeploy.exe
[SEC] add server_tokens off to avoid giving nginx server version to non authenticated clients
[SEC] delete waptversion in /ping to avoid giving waptserver version to non authenticated clients
[IMP] add view acl for get_storage_used_by_kbs
WAPT WADS¶
[FIX] check volume letters before diskpart
[IMP] waiting network for wgetwads
[IMP] install waptagent at end pressed debian
[IMP] not force login in ipxescript if login already in ipxescript (to leave the possibility of forcing the language before)
[IMP] add keymap on menu register
[IMP] add login in pxe for linux deploy
[IMP] delete double login wads
WAPT-2.3.0.13470 (2023-01-26)¶
hash : 4cc5fc06
This is a bugfix release for WAPT 2.3, and adds support for Red Hat Enterprise Linux 9 and derivatives (both as server and agent)
WAPT Core¶
[FIX] fix waptdeploy.exe unable to read setup exe version, requiring the use of force flag in GPO
WAPT Agent¶
[FIX] fix datetime display for software inventory on RedHat and derivatives
[IMP] better support for Red Hat os version numbering in inventory and tags
[NEW] add el9 waptagent and waptserver support
WAPT Server¶
[IMP] simplify web interface displayed version values to avoid misunderstanding
[UPD] waptserver autocreate console ldap authenticated users if default_ldap_users_acls config is not empty
[FIX] fix update_hosts_sid_table connection leaks (to update the reachable column before calling query in reporting tab)
[NEW] add el9 waptagent and waptserver support
WAPT Console¶
[FIX] fix package maturity action default value if none chosen
[FIX] fix grayed out host packages actions in Discovery mode
[UPD] Strip comments in pem encoded certificates to reduce size and try to fit into the 32kb limit of stuffed exe.
[IMP] adding possibility to cancel configuration package creation
WAPT WADS¶
[IMP] add support for keyboard selection in ipxe
[FIX] fix template windows 11 wads
[UPD] wads: wait 30s for an ip address if dhcp is slow to respond or waiting for 802.1x vlan switch
[FIX] fix wads regression where a computer could connect to waptserver instead of local secondary repo
[IMP] Upload iso. Deleting file if wrong hash after upload
[FIX] fix copy cert in winpe for wads
[FIX] fix waptdeploy unable to read setup exe version, requiring the use of force flag
WAPT-2.3.0.13438 (2023-01-19)¶
hash : 8e580896
This is a bugfix release for WAPT 2.3. Those are mainly fixes and improvements to smooth the upgrade process from older WAPT versions.
WAPT Core¶
[FIX] waptcore: keep install status of previous package if new package upgrade status is ERROR
[FIX] Don’t force install packages which could not be installed properly last time (to avoid install loop). A better approach could be to define a maximum retries count and an increasing delay between retries.
WAPT Console¶
[FIX] fix verify waptsetup.exe and waptdeploy.exe hash when creating waptupgrade
[UPD] set all search timer to default (300ms)
[FIX] waptconsole display correct icon on Linux
[UPD] waptconsole: propose to add a licence right after login if none on server.
[FIX] waptconsole: fix some tab orders in forms
[FIX] waptconsole package wizard: change layout for compatibility with linux.
[FIX] waptconsole: quick fix for external repos settings if none is currently defined in waptconsole ini settings. Autoregister wapt-templates.
[FIX] waptsetup: don’t create a shortcut for the waptconsole to replicate behavior from older waptsetup…
[NEW] waptagent for Windows can be generated on Linux waptconsole
[REF] Improved djoin support
[NEW] waptconsole: better support for dark mode on Linux / MacOS
WAPT Agent¶
[IMP] macOS: use sw_vers -productVersion for mac os version
[FIX] windows: waptwua client: fix issue when main repo url ends with a slash
[FIX] fix wapt-signpackage compatibility error : removes mds argument
[FIX] fix waptupgrade package for centos
[FIX] fix application version on MacOsx
[FIX] switch DisableSkipWindowsUpdates to waptwua section
[NEW] Add ForceUnsigned for add drivers in winpe
[FIX] add defaultInterpreterPath for vscode support
[FIX] waptexit self-kill if machine has been started for too much time
WAPT WADS¶
[IMP] wads: removing mounted drive letters before diskpart for better support of machine without any installed OS
[NEW] Add script compile_ipxe.py to integrate waptserver url directly in ipxe binary
[FIX] fix acl wads_admin on upload_winpe
[FIX] wads: fix wads skip_login_wads and acl
WAPT Server¶
[FIX] waptserver: don’t try to convert jsonb boolean to raw boolean as it fails for postgresql <= 10
[FIX] better support for postgres upgrade for Debian / Ubuntu in postconf.py
[FIX] waptserver: path to waptdeploy on windows server to fix link
[FIX] during upgrade, run /opt/wapt/wapt-scanpackages.sh when run postconf.py
[NEW] waptserver: new option to set nginx port from waptserver.ini
WAPT-2.3.0.13356 (2023-01-10)¶
hash : fd590589
This is the first release of WAPT 2.3. This release does not have any new big feature, but brings a ton of little bugfixes and improvements to make WAPT usage more lean and smooth.
What’s New?¶
1000+ bugfixes
Fewer issues with false positives with antivirus software when deploying a new agent: WAPT Agents do not need to be rebuilt. The WAPT Agent is based on waptsetup.exe with certificate and configuration stored in the certificate signature of the file. The signature of the file is not altered.
WAPT Agent on Linux and macOS: improved workflow for installing and updating the WAPT Agent.
Improved Websocket connection. Disconnects and reconnects have been made more robust.
Improved support on macOS.
Improved support on Linux.
Update of WAPT external components.
Tech Preview : WAPT Console support on Linux (Debian and derivatives, RedHat and derivatives)
Tech Preview : WAPT Console support on macOS (Mojave and above).
Upgrade details¶
WAPT Server 2.3 needs PostgreSQL 10 or above. Please be sure to have the correct version running, especially if your server is running Debian and has been upgraded from Stretch:
If the WAPT Server is running on Debian or Ubuntu, if you have upgraded from Debian Stretch to Buster to Bullseye, please check that the running instance of PostgreSQL has been upgraded when the OS has been upgraded;
If you are on RedHat 7, upgrade is taken care of in the postconf script, and it should upgrade from 9.6 to 14;
If the WAPT Server is running on RedHat 8 or derivative, then the DB is already in a good version;
If the WAPT Server is running on Windows the DB upgrade is done during the upgrade from 9.6 to 14.
WAPT Core¶
[SEC] When checking exe certificate, first check that the signature is OK.
[SEC] when stuffing waptsetup.exe, check that waptsetup.exe downloaded from wapt server is properly signed by Tranquil IT.
[FIX] Fixed handling properly utf8 chars in certificate subject.
[FIX] Small improvement for wapt-get build-waptagent. Do not ask the server password twice.
[FIX] Fixed stuffed legacy waptagent build: be sure to have a deterministic binary result when stuffing in waptconsole or server side.
[IMP] remove client library dependency for command line progress bar.
[SEC] waptpython 3.8.16 is now compiled with the isolated mode flag at true by default (Python -I)
[REF] Removed unused functions.
[REF] Removed unused headers.
[IMP] waptservice: fix setting loglevel for specific components. Do not log WS listening too often. Fixed some action’s “created_by” attributes which were not set.
[FIX] Windows setuphelpers: missing service_list in __all__.
[FIX] wapt-get: moved LoadOpenSSLFromPythonLib to get proper path for RegWaptBaseDir on Linux.
[NEW] Added armhf as a valid package architecture.
[FIX] Fixed scan_package issue when there are packages without package_uuid. Packages table was growing at each scan_packages.
[IMP] wapt-get: Added some help for build-waptagent and add-config/reset-config/set-config-from-url.
[IMP] wapt-get reset-config-from-url: removes dynamic configs from conf.d too.
[IMP] Re-include empty folders in zipped WAPT packages.
[FIX] Update for zip empty folder entries.
[FIX] When checking files and directories from package manifest, create empty directories from the manifest file if they do not exist yet.
[UPD] wapt-get update-package-sources: Implicit transparent import of all functions from packagesdevhelpers.py.
[FIX] Do not audit packages with install_status <> ‘OK’.
[SEC] waptpackage: Cleanup removed multiple MD type. We use only sha256 now.
[NEW] waptconsole: Stuff waptsetup with json config for embedding into waptupgrade package.
[FIX] waptpackage signature issue if the WAPT package is created from scratch with null attributes (ex. max_os_version). If signed, these null attributes are written to control file as empty string, this breaks the signature control. So we initialize all default signed attributes to empty string instead of null.
[UPD] wapt-get create-waptagent: Use json embedded config stuffed into certificate zone of executable signature.
[FIX] Fixed regression in python _sign_control (encoding issue).
[UPG] Upgraded python to 3.8.16.
[IMP] waptutils.py cleanup and small fix in user_is_member_of.
[REF] waptserver: Cleanup code with pyflakes.
[IMP] Allow none loglevel.
[NEW] Introduced wapt-get reset-config-from-url.
[FIX] Fixed json_load_file() by adding encoding option. Default is “utf-8”.
[IMP] waptguihelper: Introduced StayOnTop argument for input_dialog() and grid_dialog()
[FIX] Fixed wapt-get add-config-from-url in pure Pascal. The hash is retrieved from the filename if present, or as second parameter of command line.
[REF] wapt python core: Removed sha1 compatibility with wapt 1.3 packages signatures.
[FIX] Shows the proper logged user after login.
[IMP] Fallback other method for get domain in get_hostname.
[REF] jsonconfig data embedded in setup exe.
[FIX] Default value for check verify cert.
[UPD] Introduced uwaptjsonconfig (port of json config from python to FPC).
[UPD] wapt-get: Added a command to list the initial configs available on server (in wapt/conf.d).
[UPD] waptsetuputil: Added UnzipConfigFromExe.
[FIX] Removed global variable for PopupEnterprise, check Licensing after closing the window.
[IMP] buildlib: Do not remove unittest from python lib when creating the build environment.
[FIX] remove_file() was unable to remove symlinks.
[FIX] wapt core: Regression on uuid retrieval from WMI. ‘System_Information’ key is an array.
[NEW] wapt core: added “wapt_temp_dir” wapt-get.ini parameter to specify the directory where packages are unzipped at installation (for wyse terminal).
[REF] Introduced packagesdevhelpers python module to remove helpers useful only for “packages source update” and reduce import time of setuphelpers.
[IMP] windows_version() now getting the correct UBR (Update Build Revision) shown with “winver” command, adding windows_version_full in hardware inventory
[IMP] waptguihelper: help improved for grid_dialog - also, introduced an (optional) Text parameter.
[FIX] waptpackage: trim attributes value in control data. (‘all’ was retrieved as ‘all ‘ ).
[IMP] twaptpackage: Always set architecture and priority default.
[UPD] Refactored SSLCABundle usage.
[FIX] Fixed waptpackage build issue when sourceroot includes the ending path separator. Fixed self service package building. Fixed version incbuild result.
[FIX] Fixed issue with in path in zipped files created with CreateRecursiveZip.
[FIX] Fixed file not found when calling GetServerCertificate.
[FIX] Fixed editing zipped package inplace (hosts packages).
[FIX] Added call to mormot2 RegisterOpenssl for Access violation in waptlicences.
[IMP] Grid editor: Show which column is currently focused even if grid has not the focus.
[IMP] Use UTC time for expiration check of ACLs.
[UPD] wapt core: use datetime in UTC for audit_data.
[IMP] wapt core: allow usage of an environment variable waptbasedir to specify the location of root waptbasedir.
[IMP] Default grid order set to descending signature date.
[FIX] Allow ~ character in WAPT package names (for spaces in Organizational Units packages).
[FIX] waptcrypto: Fixed certificate filename attribute not set when loading a certificate chain.
[UPD] Refactored SSLCABundle usage.
[FIX] Fixed using particular characters in passwords.
[FIX] Fixed waptcore: Fixed the type for dynamic configuration.
[FIX] copytree2 replace_at_next_reboot.
[REF] Moved all the dynamic json config functions into the WAPT class to take in account the actual agent settings (specially directories).
[UPD] Created a full version 1.2.3.rev-hash into file wapt/version-full.
WAPT Agent¶
[FIX] force create random uuid if bios uuid is not correct.
[FIX] Do not check wsusscn2.cab if not Enterprise.
[IMP] add host_capabilities inventory.
[IMP] Better JSON format (Human Readable) for Audit Data.
[FIX] Use parameter IncludeCA on ListSOCertificatesFromFolder.
[FIX] Fixed translation issues in graphical components.
[FIX] Fixed last version, checks the minimal OS version
[FIX] edit waptwua if install_delay has value.
[IMP] When uninstalling the WAPT Agent, stop the waptservice only if the service exists.
[FIX] Popping wrong license message on new installation.
[FIX] waptservice socketio: Force get new ws params in case of connection error like when config is updated.
[FIX] Fixed add new rule missing import for isenterprise.
[NEW] Added disk drives to host overview template.
[IMP] Reduced size of host json inventory data. Do not send host configurations data if not changed. Do not send audit_data headers if no data. Fixed last audit data that was always sent.
[IMP] Improved local waptservice auth feedback.
[REF] Refactored waptservice code.
[FIX] Enable custom CA file for websockets certificate checking.
[FIX] Fixed WAPT Agent websockets_verify_cert: error reading setting from ini file. Reset socketioclient to None when connection error to force recreating the object with new TLS settings.
[IMP] waptdeploy: Use only registry wapt_is1 install location to get the WAPT base directory.
[IMP] waptdeploy: Do not check wapt-get working condition.
[FIX] Fixed waptdeploy argument parsing.
[UPD] waptsetup: Removed distribution of innosetup as it is no longer needed.
[NEW] waptdeploy: Check that the WAPT Agent installer and wapt-get.exe are digitally signed by Tranquil IT.
[FIX] waptdeploy wapt basedir guessing. Hardened waptdeploy RunTask.
[FIX] Fixed wapt-get build-waptagent: empty configuration name.
[ADD] Check all rules signatures before doing anything else.
[IMP] The agent version is obtained from the exe, not the server.
[FIX] waptsetup auto json config: should accept waptsetup-1.2.3_<confname>_<confhash>.exe.
[FIX] Fixed remote WakeOnLAN.
[IMP] waptservice: Do not include PrinterPaperNames, PaperSizesSupported and self_service_rules in inventory sent to the WAPT Server.
[FIX] waptexit: If unable to get licences from waptservice, assume is_enterprise is False.
[FIX] wapt-get: Set password callbacks after reloading config.
[FIX] Shortened the upgrade scheduled task argument, as it is limited to 256 chars.
[FIX] Stuffed waptsetup: Append waptwua settings to json.
[FIX] waptserver socketio: Host does not register / reconnect by itself when deleted from the WAPT Server.
[NEW] waptsetup.exe: If waptagent.exe is named, and only one config is embedded, take the first available config for the name of the configuration to install instead of hardcoded “default”.
[IMP] waptservice: Can start right after install even if no wapt-get.ini.
[NEW] Added nopassword to config wizard for service_auth_type.
[UPD] Added wapt-get reset-config-from-url and set-config-from-url json configuration.
[FIX] Do not delete the files if the signature has failed.
[IMP] waptsetup: Display a summary of embedded stuffed json configurations. Removed use dynamic configuration task.
[FIX] waptserver: Fixed WakeOnLAN issue when no broadcast address exists in inventory.
[FIX] remove_user_appx was not initialized from setuphelpers.
[UPD] waptsetup: ApplyJsonConfigToIniFile when a json configuration is stuffed instead of conf.d dynamic configuration.
[IMP] waptsetup: Do not update wapt-get.ini when using dynamic json configuration.
[UPD] waptservice socketio: Do not require connection params update / reconnection try if there is no authorization token. When allow_unauthenticated_connect = True on the WAPT Server, the WAPT agents should be able to connect without getting a token.
[FIX] waptself: Fixed next page button unavailable on last page.
[UPD] waptexit: Add waptexit_disable_skip_windows_updates parameter in wapt-get.ini file and commandline argument to disable the checkbox for skipping Windows Updates.
[UPD] wapt-get: Return ExitCode <> 0 when an exception is raised. Added ping --service command to check waptservice accessibility from waptsetup.
[UPD] waptself: Display details of WAPT package on top of packages list to avoid reframes.
[UPD] Enable waptservice_allow_all_packages only for nopassword service_auth_type.
[NEW] Added a waptservice parameter waptservice_allow_all_packages which allows all users to install / remove all packages as if they were part of the waptselfservice group.
[NEW] If a json configuration is provided in waptsetup as stuffed data in certicode certificate area, use it for initial configuration.
[FIX] Improved error message and wait cursor when waptselfservice is starting.
[FIX] Fixed selfservice missing common module for self_service_rules when using the nopassword argument with the WAPT Enterprise version.
[FIX] Changed Icon for
to Plus.
[IMP] User is now informed when self service can not get a token (service not started).
[FIX] Remove double slash in url //Packages.
[NEW] Added Ubuntu22 in waptsetup package.
[FIX] Fixed waptmessage ambiguous ‘-s’ option (use stdout and set window size), replaced by -c for init console.
[FIX] Fixed tasks list on host.
[FIX] Normalized view (lowercase) in grid for target_os from control part.
[FIX] Fixed execution of waptmessage in file instead of base64 (to avoid too long command line).
[FIX] Use cached trusted signer certificates store instead of recreating it each time.
[FIX] Fixed signed_attributes written as string list (instead of python form) and signer is the signer certificate Common Name.
[IMP] use --not-interactive with register if the installation runs in silent mode.
[FIX] waptservice: Do not ignore broadcast for WaptUpdateServerStatus to avoid the WAPT Tray sticking upon sending data to the WAPT Server.
[FIX] Fixed unable to synchronize remote repository.
[IMP] waptmessage: No autosize if a size is specified on the command line.
[FIX] Fixed no hash in clipboard, added missing helper for add-config-from-url in wapt-get.
[IMP] Limit access right to Administrators to log directory (in case non public stuff gets written to logs).
[IMP] install_scheduling works if not in PENDING_UPDATES status.
[FIX] Fixed waptexit compilation: Removed specific WaptIniFilename function.
[FIX] Fixed waptmessage unable to load sqlite.
[IMP] Updated waptwua status to ‘NEED-SCAN’ on hosts when download_wsusscan is triggered and wsusscn2.cab file is downloaded.
[NEW] wapt core: Added as_dict and descending parameters to Wapt.read_audit_data_set.
[IMP] Do not take care anymore of maturity for version when it is compared to WAPT store version.
[FIX] Fixed configuration package template setup_package_template_conf.py.
[FIX] Fixed waptservice configuration: Set the configs_dir relative to wapt-get.ini full path.
[FIX] Fixed waptservice ‘start_waptexit’ with arguments: faulty arguments boolean value decoding.
[FIX] Fixed bad arguments sent to waptservice triggering upgrades with only_priorities and only_if_not_process_running.
[FIX] Fixed Wapt.write_audit_data_if_changed: Write data if previous data has expired.
[FIX] Updated the template of dynamic json configuration packages to match new location and naming of json configuration related functions.
[NEW] Option include_potentially_superseded_updates in configuration wizard.
[FIX] Fixed waptservice: Be sure to dynamically revert to default setting when a key is removed from wapt-get.ini.
[FIX] Fixed waptservice: Make sure we have a random secret_key for local waptservice session.
[NEW] WAPTWUA superseded support.
[IMP] wapt-get edit now opens update_package.py too.
[UPD] Added a NEED-SCAN waptwua.status, updated when Wapt.update() is called.
[FIX] Fixed waptself: Set focus on search when opening.
[IMP] Ignore history for waptwua status.
[FIX] Fixed wapt-get update-package-sources: Handle properly relative path to package sources.
[FIX] Fixed wapt-get update-package-sources: use devdir\update_package.py to call update_package() hook if this file exists. Else use setup.py.
[IMP] wapttray: Launch external waptself and waptconsole with OpenDocument instead of windows only ShellExecuteW.
[FIX] Workaround fix when pyscripter is put as editor for packages. params_vscod_list fixed when space in parameters. Reupdated description.
[IMP] wapt-get edit now opens changelog.txt, VSCod* now opens control file too. wapt-get edit can now be run as user with VSCod* updating wapt_sources_edit() description.
[UPD] Changed default log path to wapt/log if writable.
[UPD] Same logging initialization code for all UI executables with waptcommon.InitLoggingFromCommandLine.
[IMP] waptservice waptself: localauth with file token (ie. nopassword). Handles local groups.
WAPT Console¶
[FIX] display an explicit error message if a new host package can not be saved on the WAPT Server because of acl.
[IMP] Process application messages when performing file hash/zip actions.
[FIX] Fixed waptconsole copy cert to wapt/ssl: handle properly spaces in target directory name.
[FIX] Place cursor at end of line instead of point of click in textareas.
[ADD] Popup Menu with Copy and Copy as JSon for Audit TreeView.
[FIX] Fixed proper images on actions buttons.
[FIX] Fixed OU icon when OU name contains an empty character.
[FIX] Fixed Out of bound error : add verification on condition check in specific cases.
[FIX] Fixed missing error message on secondary repositories.
[IMP] Improve usability of copying new certificate in <WAPT>\ssl directory
[FIX] Fixed icon on action ActWUAGetUnusedKB.
[FIX] Fixed actions caption on toolbar in Windows Update.
[FIX] Fixed removing ability to personalize toolbuttons on ISO, configs, and drivers in OS Deployment.
[FIX] Fixed popup menus on toolbar in OS Deployment.
[FIX] Fixed actions on toolbar in Software Inventory.
[NEW] waptconsole / waptserver: Added a specific ACL for update_audit_data.
[UPD] Increasing softwares max count limit in Software Inventory from 5000 to 20000.
[FIX] Fixed locking some actions on non Enterprise versions.
[FIX] Fixed waptconsole package zip build: CreateRecursiveZip.
[IMP] cleanup of HTML templates on waptservice. Removed unused js.
[IMP] Showing icons for target_os.
[FIX] Fixed waptconsole TX509Store: when intermediate certificates are provided in user .pem certificate file, only trust the first one.
[FIX] Fixed waptconsole waptcrypto: implement TX509Store.GetCertificatesChainFromFingerprint. Fixed self signed certificates are always trusted when checking the WAPT package.
[FIX] Fixed waptconsole: when signing packages, make sure we end with LF only (\n unix style) control files.
[IMP] Basic POC for Auto Completion on Reporting Queries.
[FIX] Fixed viewing TechPreview Features does not take care of display preferences.
[FIX] Fixed the downloaded packages have now the chosen maturity.
[IMP] Show *.cmd files in post install script selector.
[NEW] Upload a default json configuration on the WAPT Server when building waptagent.exe. Fixed waptsetup.exe stuffing on the WAPT Server when uploading a json configuration.
[FIX] Fixed the button Type for update package warning.
[ADD] Confirm button before Update from the WAPT store.
[FIX] Fixed waptconsole update from the WAPT store. Introduced StripPrefix in TPackageRequest to allow searching in the repository on package name without prefix.
[FIX] Include min_os_version and max_os_version in WAPT package identification to check which WAPT package is newest.
[FIX] When building customized waptsetup, sometimes missing trusted certificate.
[FIX] Fixed the copy of wapt-get.ini if there is no waptconsole.ini.
[NEW] Menu item for restoring toolbars to default.
[FIX] Fixed actions on toolbar in WAPT Development and OS Deployment forms.
[FIX] Fixed removing certificates in create waptsetup
[NEW] function for listing certificates from folder.
[FIX] Fixed buttons links with actions on WSUS.
[FIX] Fixed encoding problem for WSUS.
[IMP] Removed GUI interface for the Update from the store action.
[ADD] Added a warning message before updating a WAPT package.
[ADD] Updated from the store button in private repository done.
[IMP] Added Updated part for the Store Update Action.
[IMP] Update from the store button (visual part).
[FIX] Fixed regression on creating new wuagroup package.
[UPD] waptconsole
, config and hash instead of waptagent.exe/.
[FIX] Fixed __pycache__ included in zipped package when built from waptconsole.
[ADD] reporting: Added Unique save for each query.
[FIX] Fixed SQL query editor: any query can be edited at any time, without erasing the others.
[FIX] Fixed SQL query editor: if queries are already created and registered and have the same name, you can edit both without overwriting the other one.
[IMP] Use system font for html viewers.
[IMP] Allow package wizard without installer path.
[NEW] Added “keys” mustache helper for html templates.
[IMP] waptconsole: Do not try to ping servers before login dialog.
[FIX] Fixed enabling build and upload if all information are set / pre configuration in case of portable app if an executable is found.
[UPD] waptconsole Cyberwatch integration. Added Values mustache helper to format dict as list for Cyberwatch html report template. Added styled Cyberwatch example audit template.
[IMP] Added listening to ipv6 only if ipv6 is available.
[FIX] Fixed waptconsole crash if custom column with empty size cell.
[IMP] Added a warning when no DNS record is found (Remote repository).
[FIX] Fixed call if app is currently closing (login cancelled).
[IMP] Opening configuration by double-clicking on grid.
[IMP] Package wizard for portable apps.
[IMP] waptconsole, display bytes size in human readable format in grid.
[FIX] Fixed OU options that are now available if the user is currently focusing the OU grid.
[IMP] Improved asking credentials on http error 401.
[FIX] Fixed waptconsole: random timeout error when running commands from the WAPT Console.
[FIX] Fixed WAPT package creation for OUs.
[ADD] Link to the official documentation for the Config Package Wizard.
[IMP] Proper restore of GUI when WindowState is maximized. Prevent flickering if starting maximized.
[IMP] Improved warning before deleting a valid licence.
[FIX] Fixed waptconsole regression: import packages. Check the signature even if it is disabled in remote repository settings.
[FIX] Fixed waptconsole regression on additional private repositories listed in the repositories tab, even if not defined in repositories setting in waptconsole.ini.
[FIX] Fixed waptconsole: private key password is not asked again if a matching key can not be found or decrypted.
[REF] waptserver model upgrade: removed unused database migration steps.
[UPD] waptserversetup: avoid automatic restart when installing MSVC 2022.
[FIX] Fixed error editing same OU package in one session.
[ADD] ACL Edit Repo on Index for secondary repos
[FIX] Fixed missing editing ACL Edit Repo.
[FIX] Fixed waptconsole access violation when checking unzipped package signature.
[FIX] Fixed waptconsole multiple update of hosts corrupt packages depends grid display.
[IMP] waptself, wapt-get, waptexit, wapttray: kill check threads on close, even on linux to speed up application shutdown.
[UPD] waptconsole: lazy loading of DMPython. Removed python source scripter tab on main form. Moved to (inactive) uvispysources. Removed debug panel on main form. Removed unused uvissearchpackage. Added some heuristic icons on audit and reporting grids depending on well known values (OK, ERROR etc…).
[IMP] Improved the interpretation of checkbox states due to label description.
[IMP] Improved search when importing queries.
[FIX] Fixed host configuration package that are not editable right after creating them.
[FIX] Fixed waptconsole pkcs12 export and email in X509 certificates.
[IMP] Removed Python dependency in the WAPT Console.
[UPD] waptconsole: Added popup menu to Json hardware treeview.
[IMP] Improved reporting import, now select all queries by default + some code improvement
[IMP] Improved enabling or disabling ACL by double click.
[FIX] Fixed waptconsole: html audit templates. Bad search order.
[FIX] Fixed waptconsole: actions categories fixes and updates. Hide unused categories from toolbars customization.
[FIX] Fixed waptconsole: empty success message for some actions. Updated translations.
[FIX] Fixed waptconsole get agents installers: fixed MISSING -> OK status.
[UPD] Fixed waptconsole: Added Edit html template popup menu action.
[FIX] Fixed no logo resizing if smaller size.
[UPD] Load html templates for host_overview and host_audit from user’s appdata directory if it exists, else from wapt.
[REF] waptconsole: Refactored TFrmHtmlViewer to lookup templates either in user templates directory (%APPDATA%\waptconsole\templates) or in default wapt installation directory (%WAPTBASEDIR%\templates).
[UPD] waptconsole: Improved drag & drop of columns into GridHosts.
[FIX] Fixed blocking action editing WSUS package if no Enterprise licence is active.
[FIX] Fixed waptconsole drag & drop audit values.
[FIX] Fixed waptconsole regression when signing unit package or modifying stripped down WAPT packages.
[IMP] waptconsole: Load AD Groups in thread.
[FIX] Fixed waptconsole compilation without USE_WAPTPACKAGE flag.
[REF] waptconsole: Introduced an interface for uwaptpackage TWaptPackage WIP: fix compilation when USE_WAPTPACKAGE is defined TODO: implement IX509Store
[FIX] Fixed waptconsole: fixed host overview layout if no html template.
[UPD] waptconsole: host details layout changes: introduced html templates based overview if templates\host_overview.html file exists (mustache template).
[FIX] Fixed waptconsole sendmessage gui splitter.
[IMP] waptconsole: check that downloaded waptsetup version is the same or newer than that of the WAPT Server.
[FIX] Fixed autosearch in ttissearch component.
[NEW] waptconsole: Added a popup menu copy to clipboard as json for audit data.
[IMP] waptconsole: allow drag & drop of an audit json value subkey from value tree explorer.
[NEW] waptconsole: displays audit history and WIP audit data explorer (treeview + html template).
[FIX] Fixed reporting queries grid layout not saved properly.
[UPD] GUI Vis ACL: zebra colored lines and added possibility to change user password from one button (same action like in right click on user).
[FIX] Fixed avoiding exception if no user was selected before adding ACL rights.
[FIX] Fixed trigger downloads when triggering updates from the WAPT Console (missing import).
[UPD] Updated icons on windows update status for WUA.
[FIX] Fixed waptconsole check external repository version timeout exception raised in frontend.
[FIX] Fixed waptconsole multiserver: fixed can’t trigger action on servers other than main WAPT Server.
[FIX] Fixed waptconsole: Avoid error message of no repo_url for last used package template section.
[FIX] Fixed modifying a password if old password was empty.
[ADD] Hide / show all columns in grids.
[NEW] new option check_package_version in waptconsole.ini.
[UPD] waptconsole reporting: Added a quick search filtering zone for the query result.
[FIX] Fixed wrong message when no admin rights and the WAPT Agent needs to be upgraded or is not present.
[UPD] Host menu for upgrading hosts part.
[REF] waptconsole multiserver: Refactored TriggerActionOnHosts to send multiple actions to the right servers.
[FIX] Fixed waptconsole: use ROOT in addition to CA windows system certificates stores when building winpe with verify_cert = True.
[UPD] Deleted host popup.
[NEW] Possibility to download WAPT packages when asking hosts for updates.
[UPD] trigger_host_update adding possibility to download the WAPT package after update.
[FIX] Fixed waptconsole: The WAPT Console crashed when checking newest packages if wapt-templates repository is protected with an encrypted client key.
[FIX] Fixed saving configuration when new configuration was created.
[FIX] Fixed saving language parameter.
[FIX] Fixed waptconsole: access violation when access to external repository is blocked or needs a proxy.
[FIX] Fixed waptconsole multiserver regression: unable to edit a WAPT package which was just edited.
[FIX] Fixed waptconsole edit conf package: Do not close if error when uploading to the WAPT Server.
[FIX] patched setup_package_template_cert.py.tmpl.
[FIX] Fixed not adding “cn” in OU.
[FIX] Fixed layout on Windows Update part.
[FIX] Fixed the flow layout.
[IMP] waptconsole: WIP multiserver. Mostly works for hosts, but not for packages management.
[FIX] Fixed waptconsole: re-enable dataexport to .csv for grids.
[NEW] Explicit hint on number version when the WAPT package is not up to date (GridPackages).
[REF] Refactored private key password handling. Added a callback to clear cached key password in case of decrypt error in http client. Stores client https authentication key password in same storage as package private keys.
[REF] WIP for multiserver console. WaptCookieManager takes into account the domain. TODO: send allowed session cookies for cross domain auth. Lazy loading of waptserver instance. Loads list of servers in DMWaptConsole.ReloadConfigFile. All sections with a wapt_server key are taken into account. Shares the WaptServerSession across all waptserver connections.
[FIX] Fixed bad port for veyon.
WAPT Server¶
[SEC] Windows: waptserversetup.exe windows: do not reenable acl inheritance on wapt root folder.
[SEC] Send minimal information on /ping api call.
[IMP] Set session cookie to 3 days
[IMP] waptserversetup: Check if there is a CRITICAL log entry during winsetup.py and exit with an exitcode 1000 if it is the case.
[IMP] waptserver: Do not automatically create users in wapt database when user logs in with kerberos (self-service case).
[FIX] Fixed waptserverinstall windows: regression unable to install on new windows machine if wapt was not already installed.
[REF] Server python code cleanup.
[IMP] wapttasks: use environment variable on linux to pass config file path.
[NEW] waptserver: reduced lifetime of session cookie to default 12h. session_lifetime can be changed in waptserver.ini using session_lifetime seconds parameter.
[UPD] Updated to python 3.8.16 for all supported operating systems.
[FIX] Fixed stuffed setup exe naming on the WAPT Server.
[NEW] new parameter list_subnet_skip_login_wads.
[FIX] Fixed waptserver: shorten SQL columns aliases for long get_hosts json queries.
[SEC] Upgraded werkzeug 2.0.2 -> 2.1.1 for PYSEC-2022-203.
[NEW] waptservice websocket: Enabled certificate checking on websockets.
[IMP] waptserver: Added index on computer_ad_ou.
[FIX] Fixed waptserver: by default, do not create stuffed waptsetup when a dynamic config is uploaded.
[FIX] Fixed waptserversetup: if installService, configure the local service to reach newly installed server. Propose to start the WAPT Console right after for demo mode.
[NEW] model.py: Added upgrade-db action and --overwrite-version=1.2.3 option to force the replay of upgrade db.
[FIX] Fixed waptserver nginx config, there can be spaces in path. quotes include.
[NEW] Be sure to not start the WAPT Server if the database structure can not be upgraded properly.
[NEW] If licences json data is empty, assume an empty list.
[IMP] Getting storage used by KBs.
[NEW] 22H2 build numbers in WindowsVersions class.
[NEW] Added hosts_sid endpoint routing to uwsgi in nginx configuration templates.
[FIX] Fixed wapt-get build-waptagent: create waptagent.exe link on the WAPT Server.
[FIX] Fixed waptserver: ignore null bytes in audit data string values.
[FIX] Fixed waptserver: allow access to agent download without client certificate auth.
[FIX] Fixed waptserver model: remove references to unused HostExtData table.
[FIX] Fixed waptserver multiinstance with uwsgi: takes into account application_root for interprocess get_ws_connections /api/v3/hosts_sid calls.
[UPD] Added waptserver /api/v3/update_hosts_sid_table endpoint to fill the HostWebsocket table with the in memory ws_connections for reporting purpose.
[UPD] Changed the path of the untouched waptsetup.exe on the WAPT Server: moved to the wapt/waptagent folder to be consistent with other agents location. Same for waptdeploy.exe.
[DEL] waptserver: Removed “enable_store” setting.
[UPD] waptconsole multiserver: display unreachable servers.
[FIX] Fixed waptserversetup: Reinclude waptwua even if service is not installed to allow wapt-get usage.
[FIX] Fixed waptconsole multiserver dynamic config: bad server url for checking https certificate.
[FIX] Fixed waptconsole multiserver: Do not include a server at startup if it is not pingable.
[UPD] waptserversetup windows: Removed some additional unused files when waptservice is not installed.
[UPD] waptconsole multi servers: Do not try to update / merge repo if repo_url is empty.
[IMP] waptserver / waptservice websockets: When registering host, return an authentication token in response, so that websockets can connect without additional roundtrip.
[IMP] allow_unauthenticated_registration is now like use_kerberos.
[FIX] Postconf, current config is now autoselected.
[UPD] waptsetup waptserversetup: Sign the installers and uninstallers using embedded iscc logic.
[UPD] waptserver db: Changed the primary key of tables HostPackagesStatus, HostExtData, Packages, HostSoftwares, HostGroups, HostWebsocket, HostAuditData, ReportingSnapshots, HostWsus, LogsAPI to bigint.
[UPD] waptserversetup: Check that the user is a LOCAL computer user and not a domain user.
[FIX] Fixed waptserversetup: postgresql upgrade. Try to fix ACLs on data directory.
[FIX] Added a conflict on apache2 in the Linux WAPT Server package to avoid old install leftovers.
[REF] Removed enterprise_common.py.
[UPD] Upgrade nginx on Windows.
[UPD] Upgraded DB to postgresql v14 for windows.
[UPG] upgraded postgresql 9.6 to v14 on CentOS7.
[FIX] Fixed waptserver: Fixed sid map sharing in uwsgi mode (missing imports).
[FIX] Fixed waptserver websocket: Be sure to not clear a SID which would be newer than current disconnect event. Not sure if disconnect / reconnect are always synchronous.
[FIX] Fixed waptserver: Improved message when triggering action.
[IMP] Added HSTS header to nginx template.
[FIX] Fixed waptserver update_hosts_audit_data: Updated values with same global key (host_id,value_id).
[FIX] Added trigger_host_action ACL on /api/v3/connected_wol_relays (used by /api/v3/trigger_wakeonlan).
[IMP] waptserver websocket auth: Put host certificates in cache.
[UPD] waptserver websocket: Do not cache UUID twice.
[REF] waptserver websockets: use a global in memory dictionary to hold the host uuid -> SID of connected host to avoid Database insert or updates.
[FIX] Fixed server regression for custom json fields ValueError: too many values to unpack (expected 3).
[IMP] waptserver: WIP endpoint update_hosts_audit_data to bulk insert hosts related data.
[IMP] waptserver: update api/v3/get_agents_info to match the online wapt_agent_list.json.
[FIX] Fixed glpi sync: simplified glpi_upload_hosts.py script.
[FIX] Fixed waptserver huey tasks: licences_list not properly initialized when not using default waptserver.ini.
[FIX] Fixed waptserver audit table structure upgrade: typo
[FIX] Fixed avoiding GET method limits on hosts_for_wua.
[FIX] Fixed waptserver unable to delete some hosts when CRL is enabled: be tolerant if the host certificate is not issued by this server’s CA.
[FIX] Fixed waptconsole multiserver: Computers identified by fqdn uuid are not displayed properly in the grid.
[UPD] Remove references to waptsetup-tis.exe -> renamed to waptsetup.exe.
[FIX] Fixed update_server_status with dynamic configuration.
[IMP] Include waptsetup.exe in waptserversetup.exe.
WADS¶
[FIX] Clear WADS stdout before and after diskpart to avoid broken stdout.
[IMP] Check whether winpe.wim and 7z.exe files exist when creating the WADS WinPE.
[FIX] Added missing ‘/’ in wgetwads error messages.
[IMP] WADS: Added session login type and acl.
[IMP] WADS: Login to server only one time instead of for each request.
[IMP] WADS: Added flags: unchecked for wads login on Windows Server.
[IMP] Use of latest mormot function for WgetWads to fix DNS check.
[IMP] Improved error messages for WADS and WGETWADS.
[IMP] Added option wads in Windows Server installer.
[IMP] get_wads_secondary_repo -> follow protocol of the server connection.
[FIX] Fixed list_subnet_skip_login_wads read configuration.
[IMP] WinPE creation key
[REF] Remove useless code on get_wads_config (Login WADS).
[IMP] WgetWads does not require python to work.
[FIX] Be more indulgent on json rules for WADS.
[FIX] Fixed WADS working when no logging required.
[ADD] Login in IPXE, more tests needed.
[IMP] Proper way to secure wads_get_config.
[ADD] Login on WADS register host and get wads configuration.
[NEW] include hostname in debian.ipxe for OS deployment.
[FIX] Fixed djoin with given domainuser parameter.
[IMP] Added back support GET method on /api/v3/get_wads_config.
[NEW] Added asset tag in HostOSDeploy.
[IMP] Ask for a new hostname when starting to deploy if hostname equals to ‘autoregister’.
[IMP] Improved filtering keyboard faster + french translation in Make WinPE.
[FIX] Fixed missing glob import in WADS get_iso_config.
[NEW] Adding drivers in WinPE from WADS drivers.
[IMP] Improved feedback when the djoin fails (already existing machine).
[WADS] <Value> format in XML was incorrect and not complete for password definition.
[IMP] Last error message added for failed djoin.
[FIX] Fixed uninstall wapttftpserver when uninstalling waptserver.
[IMP] Improved file upload with hash check wads iso files listed from the WAPT Server even if not saved in the WAPT Console.
[NEW] Added customized WinPE export to zip file.
[IMP] Improved showing the error message on upload failure.
[IMP] Improved applying default configuration on wads host if no configuration has been set.
[IMP] ISO download dialog box.
[IMP] WADS: WinPE now pinging WAPT Server. Selected language keyboard layout will be available directly in a new cmd.
[IMP] WADS: XML no longer disable UAC by default.
[FIX] Fixed mac_address not returned with iPXE.
[ADD] Added ipxe_script_jinja_path and two templates.
[UPD] Added file type filters for loading the post-install script.
[FIX] Restored a progression bar when uploading the ISO and the winpe files.
[IMP] kill wapttftpserver and uninstall the service before installing it.
[ADD] Added Windows 11 unattend XML template files.
[IMP] Improved searching WADS data (hosts, isos, driver bundles, configurations).
[FIX] Added tftp firewalld port opening.
[IMP] Avoid creating WinPE on Windows partition + some ACL added.
[UPD] Renamed drivers bundle filenames to sha256(filename).
[ADD] Added a template for Debian.
[UPD] GridConfigDeploy showing the platform now.
[FIX] Fixed saving bundle names.
[NEW] Injecting an OEM (Original Equipment Manufacturer) key by slmgr command.
[FIX] Fixed SELinux rules for wads.
[FIX] Potential fix for (over 10 joins for djoin by a standard user on MSAD).
[UPD] WADS grayed when windows update repository is selected.
[UPD] Possibility to select an iso file even if not Windows.
[FIX] Fixed waptconsole uploadWinPE: regression in upload progress bar and incomplete zip.
[FIX] Fixed wads to include non CA certificates for WinPE build.
[IMP] Added ipxe_script in DeployConfig table.
WAPT Agent MacOS¶
[UPD] Delete old pkg if available in pkg list.
[NEW] Added fake menu for macOS for letting user to quit the app from the MainMenu.
[FIX] Improved support for macOS MenuBar.
[FIX] Added WAPT Console .app plist file for macOS X.
[FIX] Fixed some macOS X model and serial number reports.
[FIX] Fixed macOS X local_groups key in host_info.
[FIX] Updated mormot2 for gssapi on macOS X.
[NEW] support WADS security, Network masks.
[FIX] Fixed installed_softwares on MacOS.
[NEW] Added timestamping to pkg signing.
[FIX] Fixed getting agent version in get_wads_config.
[NEW] Added entitlements file for macOS signing.
[IMP] Force light UI when DarkMode is active on macOS.
[FIX] Fixed opening maximized self service on macOS
[FIX] Fixed loading hosts on macOS when more options in inventory is checked.
[IMP] Better handle on input (utf8 conversion).
[IMP] macOS: Updated build script to handle binary file signing and better debugging.
[IMP] Patched dmidecode info for macOS.
[FIX] Fixed macOS core get_hostname return binary string instead of str -> update_status loop.
[IMP] Use system_profiler_info for dmi_info on macOS X.
[REF] plistlib.readPlistFromBytes deprecation fix.
[FIX] Fixed core macOS: use UUID from system_profiler_info instead of dmidecode.
[FIX] Fixed duplicated macOS code in setuphelpers for get_hostname().
[IMP] Improved mounting content for .pkg, .mpkg, .app only if file is not symbolic.
[NEW] Added the WAPT Console to Linux and macOS gui distribution.
[IMP] Fixed keyword and name with installed_softwares in macOS and Linux.
[FIX] Fixed register for macOS.
[FIX] Fixed custom waptmessage logo linux.
[FIX] Fixed harakiri on non Windows kills all running processes.
[FIX] Fixed restart waptservice for macOS.
[IMP] Silently attach dmg file.
[FIX] Fixed get_file_type in macOS.
WAPT Agent Linux¶
[FIX] Fixed logrotate on RedHat8 for waptserver and wapttasks.
[IMP] wapt-get.bin: Improved python traceback format with proper line endings on non Windows.
[IMP] Improve support for dark mode on WAPT Console on Linux
[IMP] Replaced in /usr/bin/ wapt-get.sh by wapt-get.bin.
[IMP] Added Ubuntu and CentOS icons.
[IMP] Added icons in ImportPackages window.
[FIX] Fixed user_local_appdata for Linux.
[IMP] waptagent Debian package: removed system python3 dependency.
[IMP] Avoid loop in checkbox events on search inventory especially on operating systems other than Windows.
[IMP] Added PYTHONNOUSERSITE = True to all .sh scripts to avoid spoiling PYTHONPATH with locally installed libraries in user home directory.
[UPD] Disable compression on unix WAPT agent bundle (each package is itself already compressed).
[NEW] Added the WAPT Console to Linux and MacOS gui distribution.
[FIX] Fixed configpackage wizard and main form layouts for Linux.
[UPD] Updated virtualtreeview for Linux visual grid lines improvements.
[IMP] Fixed keyword and name with
installed_softwares
in macOS and Linux.[FIX] Fixed harakiri on non Windows kills all running processes.
[ADD] Added snap software inventory.
[FIX] Fixed waptservice linux restart Linux: AttributeError:
WaptServiceRestart
object has no attribute logger.[NEW] Linux OS deployment.
[FIX] Added firewalld rule on RedHat based server for wapttftpserver.
WAPT-2.3.0.13334 RC3 (2023-01-06)¶
hash : a06031bd
This is the third release candidate of WAPT 2.3.
This is a release candidate for testing that is not intended for production.
This changelog lists the fixes since WAPT 2.3 RC2.
WAPT Core¶
[SEC] When checking exe certificate, first check that the signature is OK.
[SEC] when stuffing waptsetup.exe, check that waptsetup.exe downloaded from wapt server is properly signed by Tranquil IT.
[FIX] Fixed handling properly utf8 chars in certificate subject.
[FIX] Small improvement for wapt-get build-waptagent. Do not ask the server password twice.
[FIX] Fixed stuffed legacy waptagent build: be sure to have a deterministic binary result when stuffing in waptconsole or server side.
[IMP] remove client library dependency for command line progress bar.
WAPT Agent¶
[FIX] force create random uuid if bios uuid is not correct.
[FIX] Do not check wsusscn2.cab if not Enterprise.
WAPT Server¶
[SEC] Windows: waptserversetup.exe windows: do not reenable acl inheritance on wapt root folder.
[SEC] Send minimal information on /ping api call.
[IMP] Set session cookie to 3 days
WAPT Console¶
[FIX] display an explicit error message if a new host package can not be saved on the WAPT Server because of acl.
[IMP] Process application messages when performing file hash/zip actions.
[FIX] Fixed waptconsole copy cert to wapt/ssl: handle properly spaces in target directory name.
[FIX] Place cursor at end of line instead of point of click in textareas.
WADS¶
[FIX] Clear WADS stdout before and after diskpart to avoid broken stdout.
[IMP] Check whether winpe.wim and 7z.exe files exist when creating the WADS WinPE.
[FIX] Added missing ‘/’ in wgetwads error messages.
WAPT Linux¶
[FIX] Fixed logrotate on RedHat8 for waptserver and wapttasks.
[IMP] wapt-get.bin: Improved python traceback format with proper line endings on non Windows.
[IMP] Improve support for dark mode on WAPT Console on Linux
WAPT-2.3.0.13301 RC2 (2023-01-04)¶
hash: a2af0e8d
What’s New?¶
This is the second release candidate of WAPT 2.3.
This is a release candidate for testing that is not intended for production.
This changelog lists the fixes since WAPT 2.3 RC1.
Note: for security reasons in waptpython, Python isolated mode is now enabled by default (Python -I). If you are using the waptpython Python environment outside of WAPT, please be sure to check for the corresponding Python documentation.
WAPT Core¶
[SEC] waptpython 3.8.16 is now compiled with the isolated mode flag at true by default (Python -I)
WAPT Console¶
[ADD] Popup Menu with Copy and Copy as JSon for Audit TreeView.
[FIX] Fixed proper images on actions buttons.
[FIX] Fixed OU icon when OU name contains an empty character.
[FIX] Fixed Out of bound error : add verification on condition check in specific cases.
[FIX] Fixed missing error message on secondary repositories.
[IMP] Improve usability of copying new certificate in <WAPT>\ssl directory
WAPT Agent¶
[IMP] add host_capabilities inventory.
[IMP] Better JSON format (Human Readable) for Audit Data.
[FIX] Use parameter IncludeCA on ListSOCertificatesFromFolder.
[FIX] Fixed translation issues in graphical components.
[FIX] Fixed last version, checks the minimal OS version
[FIX] edit waptwua if install_delay has value.
WADS¶
[IMP] WADS: Added session login type and acl.
[IMP] WADS: Login to server only one time instead of for each request.
[IMP] WADS: Added flags: unchecked for wads login on Windows Server.
[IMP] Use of latest mormot function for WgetWads to fix DNS check.
[IMP] Improved error messages for WADS and WGETWADS.
[IMP] Added option wads in Windows Server installer.
[IMP] get_wads_secondary_repo –> follow protocol of the server connection.
[FIX] Fixed list_subnet_skip_login_wads read configuration.
[IMP] WinPE creation key
WAPT Linux Agent¶
[IMP] Replaced in /usr/bin/ wapt-get.sh by wapt-get.bin.
[IMP] Added Ubuntu and CentOS icons.
[IMP] Added icons in ImportPackages window.
WAPT-2.3.0.13239 RC1 (2022-12-21)¶
hash: 675d861e
What’s New?¶
1000+ bugfixes
Fewer issues with false positives from antivirus software when deploying a new agent: WAPT Agents do not need to be rebuilt. The WAPT Agent is based on waptsetup.exe with certificate and configuration stored in the certificate signature of the file. The signature of the file is not altered.
WAPT Agent on Linux and macOS: improved workflow for installing and updating the WAPT Agent.
Improved Websocket connection. Disconnects and reconnects have been made more robust.
Improved support on macOS.
Improved support on Linux.
Update of WAPT external components.
Tech Preview¶
WAPT Console support on Linux (Debian and derivatives, RedHat and derivatives).
WAPT Console support on macOS (Mojave and above).
WAPT Core¶
[REF] Removed unused functions.
[REF] Removed unused headers.
[IMP] waptservice: fix setting loglevel for specific components do not log WS listening too often. Fixed some action’s “created_by” attributes which were not set.
[FIX] Windows setuphelpers: missing service_list in __all__.
[FIX] wapt-get: moved LoadOpenSSLFromPythonLib to get proper path for RegWaptBaseDir on Linux.
[NEW] Added armhf as a valid package architecture.
[FIX] Fixed scan_package issue when there are packages without package_uuid. Packages table was growing at each scan_packages.
[IMP] wapt-get: Added some help for build-waptagent and add-config/reset-config/set-config-from-url.
[IMP] wapt-get reset-config-from-url: removes dynamic configs from conf.d too.
[IMP] Re-include empty folders in zipped WAPT packages.
[FIX] Update for zip empty folder entries.
[FIX] When checking files and directories from package manifest, create empty directories from the manifest file if they do not exist yet.
[UPD] wapt-get update-package-sources: Implicit transparent import of all functions from packagesdevhelpers.py.
[FIX] Do not audit packages with install_status <> ‘OK’.
[SEC] waptpackage: Cleanup removed multiple MD type. We use only sha256 now.
[NEW] waptconsole: Stuff waptsetup with json config for embedding into waptupgrade package.
[FIX] waptpackage signature issue if the WAPT package is created from scratch with null attributes (ex. max_os_version). If signed, these null attributes are written to control file as empty string, this breaks the signature control. So we initialize all default signed attributes to empty string instead of null.
[UPD] wapt-get create-waptagent: Use json embedded config stuffed into certificate zone of executable signature.
[FIX] Fixed regression in python _sign_control (encoding issue).
[UPG] Upgraded python to 3.8.16.
[IMP] waptutils.py cleanup and small fix in user_is_member_of.
[REF] waptserver: Cleanup code with pyflakes.
[IMP] Allow none loglevel.
[NEW] Introduced wapt-get reset-config-from-url.
[FIX] Fixed json_load_file() by adding encoding option. Default is “utf-8”.
[IMP] waptguihelper: Introduced StayOnTop argument for input_dialog() and grid_dialog()
[FIX] Fixed wapt-get add-config-from-url in pure Pascal. The hash is retrieved from the filename if present, or as second parameter of command line.
[REF] wapt python core: Removed sha1 compatibility with wapt 1.3 packages signatures.
[FIX] Shows the proper logged user after login.
[IMP] Fallback other method for get domain in get_hostname.
[REF] jsonconfig data embedded in setup exe.
[FIX] Default value for check verify cert.
[UPD] Introduced uwaptjsonconfig (port of json config from python to FPC).
[UPD] wapt-get: Added a command to list the initial configs available on server (in wapt/conf.d).
[UPD] waptsetuputil: Added UnzipConfigFromExe.
[FIX] Removed global variable for PopupEnterprise, check Licensing after closing the window.
[IMP] buildlib: Do not remove unittest from python lib when creating the build environment.
[FIX] remove_file() was unable to remove symlinks.
[FIX] wapt core: Regression on uuid retrieval from WMI. ‘System_Information’ key is an array.
[NEW] wapt core: added “wapt_temp_dir” wapt-get.ini parameter to specify the directory where packages are unzipped at installation (for wyse terminal).
[REF] Introduced packagesdevhelpers python module to remove helpers useful only for “packages source update” and reduce import time of setuphelpers.
[IMP] windows_version() now getting the correct UBR (Update Build Revision) shown with “winver” command, adding windows_version_full in hardware inventory
[IMP] waptguihelper: help improved for grid_dialog - also, introduced an (optional) Text parameter.
[FIX] waptpackage: trim attributes value in control data. (‘all’ was retrieved as ‘all ‘ ).
[IMP] twaptpackage: Always set architecture and priority default.
[UPD] Refactored SSLCABundle usage.
[FIX] Fixed waptpackage build issue when sourceroot includes the ending path separator. Fixed self service package building. Fixed version incbuild result.
[FIX] Fixed issue with in path in zipped files created with CreateRecursiveZip.
[FIX] Fixed file not found when calling GetServerCertificate.
[FIX] Fixed editing zipped package inplace (hosts packages).
[FIX] Added call to mormot2 RegisterOpenssl for Access violation in waptlicences.
[IMP] Grid editor: Show which column is currently focused even if grid has not the focus.
[IMP] Use UTC time for expiration check of ACLs.
[UPD] wapt core: use datetime in UTC for audit_data.
[IMP] wapt core: allow usage of an environment variable waptbasedir to specify the location of root waptbasedir.
[IMP] Default grid order set to descending signature date.
[FIX] Allow ~ character in WAPT package names (for spaces in Organizational Units packages).
[FIX] waptcrypto: Fixed certificate filename attribute not set when loading a certificate chain.
[UPD] Refactored SSLCABundle usage.
[FIX] Fixed using particular characters in passwords.
[FIX] Fixed waptcore: Fixed the type for dynamic configuration.
[FIX] copytree2 replace_at_next_reboot.
[REF] Moved all the dynamic json config functions into the WAPT class to take in account the actual agent settings (specially directories).
[UPD] Created a full version 1.2.3.rev-hash into file wapt/version-full.
WAPT Agent¶
[IMP] When uninstalling the WAPT Agent, stop the waptservice only if the service exists.
[FIX] Popping wrong license message on new installation.
[FIX] waptservice socketio: Force get new ws params in case of connection error like when config is updated.
[FIX] Fixed add new rule missing import for isenterprise.
[NEW] Added disk drives to host overview template.
[IMP] Reduced size of host json inventory data. Do not send host configurations data if not changed. Do not send audit_data headers if no data. Fixed last audit data that was always sent.
[IMP] Improved local waptservice auth feedback.
[REF] Refactored waptservice code.
[FIX] Enable custom CA file for websockets certificate checking.
[FIX] Fixed WAPT Agent websockets_verify_cert: error reading setting from ini file. Reset socketioclient to None when connection error to force recreating the object with new TLS settings.
[IMP] waptdeploy: Use only registry wapt_is1 install location to get the WAPT base directory.
[IMP] waptdeploy: Do not check wapt-get working condition.
[FIX] Fixed waptdeploy argument parsing.
[UPD] waptsetup: Removed distribution of innosetup as it is no longer needed.
[NEW] waptdeploy: Check that the WAPT Agent installer and wapt-get.exe are digitally signed by Tranquil IT.
[FIX] waptdeploy wapt basedir guessing. Hardened waptdeploy RunTask.
[FIX] Fixed wapt-get build-waptagent: empty configuration name.
[ADD] Check all rules signatures before doing anything else.
[IMP] The agent version is obtained from the exe, not the server.
[FIX] waptsetup auto json config: should accept waptsetup-1.2.3_<confname>_<confhash>.exe.
[FIX] Fixed remote WakeOnLAN.
[IMP] waptservice: Do not include PrinterPaperNames, PaperSizesSupported and self_service_rules in inventory sent to the WAPT Server.
[FIX] waptexit: If unable to get licences from waptservice, assume is_enterprise is False.
[FIX] wapt-get: Set password callbacks after reloading config.
[FIX] Shortened the upgrade scheduled task argument, as it is limited to 256 chars.
[FIX] Stuffed waptsetup: Append waptwua settings to json.
[FIX] waptserver socketio: Host does not register / reconnect by itself when deleted from the WAPT Server.
[NEW] waptsetup.exe: If waptagent.exe is named, and only one config is embedded, take the first available config for the name of the configuration to install instead of hardcoded “default”.
[IMP] waptservice: Can start right after install even if no wapt-get.ini.
[NEW] Added nopassword to config wizard for service_auth_type.
[UPD] Added wapt-get reset-config-from-url and set-config-from-url json configuration.
[FIX] Do not delete the files if the signature has failed.
[IMP] waptsetup: Display a summary of embedded stuffed json configurations. Removed use dynamic configuration task.
[FIX] waptserver: Fixed WakeOnLAN issue when no broadcast address exists in inventory.
[FIX] remove_user_appx was not initialized from setuphelpers.
[UPD] waptsetup: ApplyJsonConfigToIniFile when a json configuration is stuffed instead of conf.d dynamic configuration.
[IMP] waptsetup: Do not update wapt-get.ini when using dynamic json configuration.
[UPD] waptservice socketio: Do not require connection params update / reconnection try if there is no authorization token. When allow_unauthenticated_connect = True on the WAPT Server, the WAPT agents should be able to connect without getting a token.
[FIX] waptself: Fixed next page button unavailable on last page.
[UPD] waptexit: Add waptexit_disable_skip_windows_updates parameter in wapt-get.ini file and commandline argument to disable the checkbox for skipping Windows Updates.
[UPD] wapt-get: Return ExitCode <> 0 when an exception is raised. Added ping --service command to check waptservice accessibility from waptsetup.
[UPD] waptself: Display details of WAPT package on top of packages list to avoid reframes.
[UPD] Enable waptservice_allow_all_packages only for nopassword service_auth_type.
[NEW] Added a waptservice parameter waptservice_allow_all_packages which allows all users to install / remove all packages as if they were part of the waptselfservice group.
[NEW] If a json configuration is provided in waptsetup as stuffed data in certicode certificate area, use it for initial configuration.
[FIX] Improved error message and wait cursor when waptselfservice is starting.
[FIX] Fixed selfservice missing common module for self_service_rules when using the nopassword argument with the WAPT Enterprise version.
[FIX] Changed Icon for to Plus.
[IMP] User is now informed when self service can not get a token (service not started).
[FIX] Remove double slash in url //Packages.
[NEW] Added Ubuntu22 in waptsetup package.
[FIX] Fixed waptmessage ambiguous ‘-s’ option (use stdout and set window size), replaced by -c for init console.
[FIX] Fixed tasks list on host.
[FIX] Normalized view (lowercase) in grid for target_os from control part.
[FIX] Fixed execution of waptmessage in file instead of base64 (to avoid too long command line).
[FIX] Use cached trusted signer certificates store instead of recreating it each time.
[FIX] Fixed signed_attributes written as string list (instead of python form) and signer is the signer certificate Common Name.
[IMP] use --not-interactive with register if the installation runs in silent mode.
[FIX] waptservice: Do not ignore broadcast for WaptUpdateServerStatus to avoid the WAPT Tray sticking upon sending data to the WAPT Server.
[FIX] Fixed unable to synchronize remote repository.
[IMP] waptmessage: No autosize if a size is specified on the command line.
[FIX] Fixed no hash in clipboard, added missing helper for add-config-from-url in wapt-get.
[IMP] Limit access right to Administrators to log directory (in case non public stuff gets written to logs).
[IMP] install_scheduling work if not in PENDING_UPDATES status.
[FIX] Fixed waptexit compilation: Removed specific WaptIniFilename function.
[FIX] Fixed waptmessage unable to load sqlite.
[IMP] Updated waptwua status to ‘NEED-SCAN’ on hosts when download_wsusscan is triggered and wsusscn2.cab file is downloaded.
[NEW] wapt core: Added as_dict and descending parameters to Wapt.read_audit_data_set.
[IMP] Do not take care anymore of maturity for version when it is compared to WAPT store version.
[FIX] Fixed configuration package template setup_package_template_conf.py.
[FIX] Fixed waptservice configuration: Set the configs_dir relative to wapt-get.ini full path.
[FIX] Fixed waptservice ‘start_waptexit’ with arguments Faulty arguments boolean value decoding.
[FIX] Fixed bad arguments sent to waptservice triggering upgrades with only_priorities and only_if_not_process_running.
[FIX] Fixed Wapt.write_audit_data_if_changed: Write data if previous data has expired.
[FIX] Updated the template of dynamic json configuration packages to match new location and naming of json configuration related functions.
[NEW] Option include_potentially_superseded_updates in configuration wizard.
[FIX] Fixed waptservice: Be sure to dynamically revert to default setting when a key is removed from wapt-get.ini.
[FIX] Fixed waptservice: Make sure we have a random secret_key for local waptservice session.
[NEW] WAPTWUA superseded support.
[IMP] wapt-get edit now opens update_package.py too.
[UPD] Added a NEED-SCAN waptwua.status, updated when Wapt.update() is called.
[FIX] Fixed waptself: Set focus on search when opening.
[IMP] Ignore history for waptwua status.
[FIX] Fixed wapt-get update-package-sources: Handle properly relative path to package sources.
[FIX] Fixed wapt-get update-package-sources: use devdirupdate_package.py to call update_package() hook if this file exists. Else use setup.py.
[IMP] wapttray: Launch external waptself and waptconsole with OpenDocument instead of windows only ShellExecuteW.
[FIX] Workaround fix when pyscripter is put as editor for packages. params_vscod_list fixed when space in parameters. Reupdated description.
[IMP] wapt-get edit now opens changelog.txt, VSCod* now opens control file too. wapt-get edit can now be run as user with VSCod* updating wapt_sources_edit() description.
[UPD] Changed default log path to wapt/log if writable.
[UPD] Same logging initialization code for all UI executables with waptcommon.InitLoggingFromCommandLine.
[IMP] waptservice waptself: localauth with file token (ie. nopassword). Handles local groups.
WAPT Console¶
[FIX] Fixed icon on action ActWUAGetUnusedKB.
[FIX] Fixed actions caption on toolbar in Windows Update.
[FIX] Fixed removing ability to personalize toolbuttons on ISO, configs, and drivers in OS Deployment.
[FIX] Fixed popup menus on toolbar in OS Deployment.
[FIX] Fixed actions on toolbar in Software Inventory.
[NEW] waptconsole / waptserver: Added a specific ACL for update_audit_data.
[UPD] Increasing softwares max count limit in Software Inventory from 5000 to 20000.
[FIX] Fixed locking some actions on non Enterprise versions.
[FIX] Fixed waptconsole package zip build: CreateRecursiveZip.
[IMP] cleanup of HTML templates on waptservice. Removed unused js.
[IMP] Showing icons for target_os.
[FIX] Fixed waptconsole TX509Store: when intermediate certificates are provided in user .pem certificate file, only trust the first one.
[FIX] Fixed waptconsole waptcrypto: implement TX509Store.GetCertificatesChainFromFingerprint. Fixed self signed certificates are always trusted when checking the WAPT package.
[FIX] Fixed waptconsole: when signing packages, make sure we end with LF only (\n unix style) control files.
[IMP] Basic POC for Auto Completion on Reporting Queries.
[FIX] Fixed viewing TechPreview Features does not take care of display preferences.
[FIX] Fixed the downloaded packages have now the chosen maturity.
[IMP] Show *.cmd files in post install script selector.
[NEW] Upload a default json configuration on the WAPT Server when building waptagent.exe. Fixed waptsetup.exe stuffing on the WAPT Server when uploading a json configuration.
[FIX] Fixed the button Type for update package warning.
[ADD] Confirm button before Update from the WAPT store.
[FIX] Fixed waptconsole update from the WAPT store. Introduced StripPrefix in TPackageRequest to allow searching in the repository on package name without prefix.
[FIX] Include min_os_version and max_os_version in WAPT package identification to check which WAPT package is newest.
[FIX] When building customized waptsetup, sometimes missing trusted certificate.
[FIX] Fixed the copy of wapt-get.ini if there is no waptconsole.ini.
[NEW] Menu item for restoring toolbars to default.
[FIX] Fixed actions on toolbar in WAPT Development and OS Deployment forms.
[FIX] Fixed removing certificates in create waptsetup.
[NEW] function for listing certificates from folder.
[FIX] Fixed buttons links with actions on WSUS.
[FIX] Fixed encoding problem for WSUS.
[IMP] Removed GUI interface for the Update from the store action.
[ADD] Added a warning message before updating a WAPT package.
[ADD] Updated from the store button in private repository done.
[IMP] Added Updated part for the Store Update Action.
[IMP] Update from the store button (visual part).
[FIX] Fixed regression on creating new wuagroup package.
[UPD] waptconsole, config and hash instead of waptagent.exe/.
[FIX] Fixed __pycache__ included in zipped package when built from waptconsole.
[ADD] reporting: Added Unique save for each query.
[FIX] Fixed SQL query editor: any query can be edited at any time, without erasing the others.
[FIX] Fixed SQL query editor: if queries are already created and registered and have the same name, you can edit both without overwriting the other one.
[IMP] Use system font for html viewers.
[IMP] Allow package wizard without installer path.
[NEW] Added “keys” mustache helper for html templates.
[IMP] waptconsole: Do not try to ping servers before login dialog.
[FIX] Fixed enabling build and upload if all information are set / pre configuration in case of portable app if an executable is found.
[UPD] waptconsole Cyberwatch integration. Added Values mustache helper to format dict as list for Cyberwatch html report template. Added styled Cyberwatch example audit template.
[IMP] Added listening to ipv6 only if ipv6 is available.
[FIX] Fixed waptconsole crash if custom column with empty size cell.
[IMP] Added a warning when no DNS record is found (Remote repository).
[FIX] Fixed call if app is currently closing (login cancelled).
[IMP] Opening configuration by double-clicking on grid.
[IMP] Package wizard for portable apps.
[IMP] waptconsole, display bytes size in human readable format in grid.
[FIX] Fixed OU options that are now available if the user is currently focusing the OU grid.
[IMP] Improved asking credentials on http error 401.
[FIX] Fixed waptconsole: random timeout error when running commands from the WAPT Console.
[FIX] Fixed WAPT package creation for OUs.
[ADD] Link to the official documentation for the Config Package Wizard.
[IMP] Proper restore of GUI when WindowState is maximized. Prevent flickering if starting maximized.
[IMP] Improved warning before deleting a valid licence.
[FIX] Fixed waptconsole regression: import packages. Check the signature even if it is disabled in remote repository settings.
[FIX] Fixed waptconsole regression on additional private repositories listed in the repositories tab, even if not defined in repositories setting in waptconsole.ini.
[FIX] Fixed waptconsole: private key password is not asked again if a matching key can not be found or decrypted.
[REF] waptserver model upgrade: removed unused database migration steps.
[UPD] waptserversetup: avoid automatic restart when installing MSVC 2022.
[FIX] Fixed error editing same OU package in one session.
[ADD] ACL Edit Repo on Index for secondary repos
[FIX] Fixed missing editing ACL Edit Repo.
[FIX] Fixed waptconsole access violation when checking unzipped package signature.
[FIX] Fixed waptconsole multiple update of hosts corrupt packages depends grid display.
[IMP] waptself, wapt-get, waptexit, wapttray: kill check threads on close, even on linux to speed up application shutdown.
[UPD] waptconsole: lazy loading of DMPython. Removed python source scripter tab on main form. Moved to (inactive) uvispysources. Removed debug panel on main form. Removed unused uvissearchpackage. Added some heuristic icons on audit and reporting grids depending on well known values (OK, ERROR etc…).
[IMP] Improved the interpretation of checkbox states due to label description.
[IMP] Improved search when importing queries.
[FIX] Fixed host configuration package that are not editable right after creating them.
[FIX] Fixed waptconsole pkcs12 export and email in X509 certificates.
[IMP] Removed Python dependency in the WAPT Console.
[UPD] waptconsole: Added popup menu to Json hardware treeview.
[IMP] Improved reporting import, now select all queries by default + some code improvement
[IMP] Improved enabling or disabling ACL by double click.
[FIX] Fixed waptconsole: html audit templates. Bad search order.
[FIX] Fixed waptconsole: actions categories fixes and updates. Hide unused categories from toolbars customization.
[FIX] Fixed waptconsole: empty success message for some actions. Updated translations.
[FIX] Fixed waptconsole get agents installers: fixed MISSING -> OK status.
[UPD] Fixed waptconsole: Added Edit html template popup menu action.
[FIX] Fixed no logo resizing if smaller size.
[UPD] Load html templates for host_overview and host_audit from user’s appdata directory if it exists, else from wapt.
[REF] waptconsole: Refactored TFrmHtmlViewer to lookup templates either in user templates directory (%APPDATA%waptconsoletemplates) or in default wapt installation directory (%WAPTBASEDIR%templates).
[UPD] waptconsole: Improved drag & drop of columns into GridHosts.
[FIX] Fixed blocking action editing WSUS package if no Enterprise licence is active.
[FIX] Fixed waptconsole drag & drop audit values.
[FIX] Fixed waptconsole regression when signing unit package or modifying stripped down WAPT packages.
[IMP] waptconsole: Load AD Groups in thread.
[FIX] Fixed waptconsole compilation without USE_WAPTPACKAGE flag.
[REF] waptconsole: Introduced an interface for uwaptpackage TWaptPackage WIP: fix compilation when USE_WAPTPACKAGE is defined TODO: implement IX509Store
[FIX] Fixed waptconsole: fixed host overview layout if no html template.
[UPD] waptconsole: host details layout changes: introduced html templates based overview if templateshost_overview.html file exists (mustache template).
[FIX] Fixed waptconsole sendmessage gui splitter.
[IMP] waptconsole: check that downloaded waptsetup version is the same or newer than that of the WAPT Server.
[FIX] Fixed autosearch in ttissearch component.
[NEW] waptconsole: Added a popup menu copy to clipboard as json for audit data.
[IMP] waptconsole: allow drag & drop of an audit json value subkey from value tree explorer.
[NEW] waptconsole: displays audit history and WIP audit data explorer (treeview + html template).
[FIX] Fixed reporting queries grid layout not saved properly.
[UPD] GUI Vis ACL: zebra colored lines and added possibility to change user password from one button (same action like in right click on user).
[FIX] Fixed avoiding exception if no user was selected before adding ACL rights.
[FIX] Fixed trigger downloads when triggering updates from the WAPT Console (missing import).
[UPD] Updated icons on windows update status for WUA.
[FIX] Fixed waptconsole check external repository version timeout exception raised in frontend.
[FIX] Fixed waptconsole multiserver: fixed can’t trigger action on servers other than main WAPT Server.
[FIX] Fixed waptconsole: Avoid error message of no repo_url for last used package template section.
[FIX] Fixed modifying a password if old password was empty.
[ADD] Hide / show all columns in grids.
[NEW] new option check_package_version in waptconsole.ini.
[UPD] waptconsole reporting: Added a quick search filtering zone for the query result.
[FIX] Fixed wrong message when no admin rights and the WAPT Agent needs to be upgraded or is not present.
[UPD] Host menu for upgrading hosts part.
[REF] waptconsole multiserver: Refactored TriggerActionOnHosts to send multiple actions to the right servers.
[FIX] Fixed waptconsole: use ROOT in addition to CA windows system certificates stores when building winpe with verify_cert = True.
[UPD] Deleted host popup.
[NEW] Possibility to download WAPT packages when asking hosts for updates.
[UPD] trigger_host_update adding possibility to download the WAPT package after update.
[FIX] Fixed waptconsole: The WAPT Console crashed when checking newest packages if wapt-templates repository is protected with an encrypted client key.
[FIX] Fixed saving configuration when new configuration was created.
[FIX] Fixed saving language parameter.
[FIX] Fixed waptconsole: access violation when access to external repository is blocked or needs a proxy.
[FIX] Fixed waptconsole multiserver regression: unable to edit a WAPT package which was just edited.
[FIX] Fixed waptconsole edit conf package: Do not close if error when uploading to the WAPT Server.
[FIX] patched setup_package_template_cert.py.tmpl.
[FIX] Fixed not adding “cn” in OU.
[FIX] Fixed layout on Windows Update part.
[FIX] Fixed the flow layout.
[IMP] waptconsole: WIP multiserver. Mostly works for hosts, but not for packages management.
[FIX] Fixed waptconsole: re-enable dataexport to .csv for grids.
[NEW] Explicit hint on number version when the WAPT package is not up to date (GridPackages).
[REF] Refactored private key password handling. Added a callback to clear cached key password in case of decrypt error in http client. Stores client https authentication key password in same storage as package private keys.
[REF] WIP for multiserver console. WaptCookieManager takes into account the domain. TODO: send allowed session cookies for cross domain auth. Lazy loading of waptserver instance. Loads list of servers in DMWaptConsole.ReloadConfigFile. All sections with a wapt_server key are taken into account. Shares the WaptServerSession across all waptserver connections.
[FIX] Fixed bad port for veyon.
WAPT Server¶
[IMP] waptserversetup: Check if there is a CRITICAL log entry during winsetup.py and exit with an exitcode 1000 if it is the case.
[IMP] waptserver: Do not automatically create users in wapt database when user logs in with kerberos (self-service case).
[FIX] Fixed waptserverinstall windows: regression unable to install on new windows machine if wapt was not already installed.
[REF] Server python code cleanup.
[IMP] wapttasks: use environment variable on linux to pass config file path.
[NEW] waptserver: reduced lifetime of session cookie to default 12h. session_lifetime can be changed in waptserver.ini using session_lifetime seconds parameter.
[UPD] Updated to python 3.8.16 for all supported operating systems.
[FIX] Fixed stuffed setup exe naming on the WAPT Server.
[NEW] new parameter list_subnet_skip_login_wads.
[FIX] Fixed waptserver: shorten SQL columns aliases for long get_hosts json queries.
[SEC] Upgraded werkzeug 2.0.2 -> 2.1.1 for PYSEC-2022-203.
[NEW] waptservice websocket: Enabled certificate checking on websockets.
[IMP] waptserver: Added index on computer_ad_ou.
[FIX] Fixed waptserver: by default, do not create stuffed waptsetup when a dynamic config is uploaded.
[FIX] Fixed waptserversetup: if installService, configure the local service to reach newly installed server. Propose to start the WAPT Console right after for demo mode.
[NEW] model.py: Added upgrade-db action and --overwrite-version=1.2.3 option to force the replay of upgrade db.
[FIX] Fixed waptserver nginx config, there can be spaces in path. quotes include.
[NEW] Be sure to not start the WAPT Server if the database structure can not be upgraded properly.
[NEW] If licences json data is empty, assume an empty list.
[IMP] Getting storage used by KBs.
[NEW] 22H2 build numbers in WindowsVersions class.
[NEW] Added hosts_sid endpoint routing to uwsgi in nginx configuration templates.
[FIX] Fixed wapt-get build-waptagent: create waptagent.exe link on the WAPT Server.
[FIX] Fixed waptserver: ignore null bytes in audit data string values.
[FIX] Fixed waptserver: allow access to agent download without client certificate auth.
[FIX] Fixed waptserver model: remove references to unused HostExtData table.
[FIX] Fixed waptserver multiinstance with uwsgi: takes in account application_root for interprocess get_ws_connections /api/v3/hosts_sid calls.
[UPD] Added waptserver /api/v3/update_hosts_sid_table endpoint to fill the HostWebsocket table with the in memory ws_connections for reporting purpose.
[UPD] Changed the path of the untouched waptsetup.exe on the WAPT Server: moved to the wapt/waptagent folder to be consistent with other agents location. Same for waptdeploy.exe.
[DEL] waptserver: Removed “enable_store” setting.
[UPD] waptconsole multiserver: display unreachable servers.
[FIX] Fixed waptserversetup: Reinclude waptwua even if service is not installed to allow wapt-get usage.
[FIX] Fixed waptconsole multiserver dynamic config: bad server url for checking https certificate.
[FIX] Fixed waptconsole multiserver: Do not include a server at startup if it is not pingable.
[UPD] waptserversetup windows: Removed some additional unused files when waptservice is not installed.
[UPD] waptconsole multi servers: Do not try to update / merge repo if repo_url is empty.
[IMP] waptserver / waptservice websockets: When registering host, return an authentication token in response, so that websockets can connect without additional roundtrip.
[IMP] allow_unauthenticated_registration is now like use_kerberos.
[FIX] Postconf, current config is now autoselected.
[UPD] waptsetup waptserversetup: Sign the installers and uninstallers using embedded iscc logic.
[UPD] waptserver db: Changed the primary key of tables HostPackagesStatus, HostExtData, Packages, HostSoftwares, HostGroups, HostWebsocket, HostAuditData, ReportingSnapshots, HostWsus, LogsAPI to bigint.
[UPD] waptserversetup: Check that the user is a LOCAL computer user and not a domain user.
[FIX] Fixed waptserversetup: postgresql upgrade. Try to fix ACLs on data directory.
[FIX] Added a conflict on apache2 in the Linux WAPT Server package to avoid old install leftovers.
[REF] Removed enterprise_common.py.
[UPD] Upgrade nginx on Windows.
[UPD] Upgraded DB to postgresql v14 for windows.
[UPG] upgraded postgresql 9.6 to v14 on CentOS7.
[FIX] Fixed waptserver: Fixed sid map sharing in uwsgi mode (missing imports).
[FIX] Fixed waptserver websocket: Be sure to not clear a SID which would be newer than current disconnect event. Not sure if disconnect / reconnect are always synchronous.
[FIX] Fixed waptserver: Improved message when triggering action.
[IMP] Added HSTS header to nginx template.
[FIX] Fixed waptserver update_hosts_audit_data: Updated values with same global key (host_id,value_id).
[FIX] Added trigger_host_action ACL on /api/v3/connected_wol_relays (used by /api/v3/trigger_wakeonlan).
[IMP] waptserver websocket auth: Put host certificates in cache.
[UPD] waptserver websocket: Do not cache UUID twice.
[REF] waptserver websockets: use a global in memory dictionary to hold the host uuid -> SID of connected host to avoid Database insert or updates.
[FIX] Fixed server regression for custom json fields ValueError: too many values to unpack (expected 3).
[IMP] waptserver: WIP endpoint update_hosts_audit_data to bulk insert hosts related data.
[IMP] waptserver: update api/v3/get_agents_info to match the online wapt_agent_list.json.
[FIX] Fixed glpi sync: simplified glpi_upload_hosts.py script.
[FIX] Fixed waptserver huey tasks: licences_list not properly initialized when not using default waptserver.ini.
[FIX] Fixed waptserver audit table structure upgrade: typo
[FIX] Fixed avoiding GET method limits on hosts_for_wua.
[FIX] Fixed waptserver unable to delete some hosts when CRL is enabled: be tolerant if the host certificate is not issued by this server’s CA.
[FIX] Fixed waptconsole multiserver: Computers identified by fqdn uuid are not displayed properly in the grid.
[UPD] Remove references to waptsetup-tis.exe -> renamed to waptsetup.exe.
[FIX] Fixed update_server_status with dynamic configuration.
[IMP] Include waptsetup.exe in waptserversetup.exe.
WADS¶
[REF] Remove useless code on get_wads_config (Login WADS).
[IMP] WgetWads does not require python to work.
[FIX] Be more indulgent on json rules for WADS.
[FIX] Fixed WADS working when no logging required.
[ADD] Login in IPXE, more tests needed.
[IMP] Proper way to secure wads_get_config.
[ADD] Login on WADS register host and get wads configuration.
[NEW] include hostname in debian.ipxe for OS deployment.
[FIX] Fixed djoin with given domainuser parameter.
[IMP] Added back support GET method on /api/v3/get_wads_config.
[NEW] Added asset tag in HostOSDeploy.
[IMP] Ask for a new hostname when starting to deploy if hostname equals to ‘autoregister’.
[IMP] Improved filtering keyboard faster + french translation in Make WinPE.
[FIX] Fixed missing glob import in WADS get_iso_config.
[NEW] Adding drivers in WinPE from WADS drivers.
[IMP] Improved feedback when the djoin fails (already existing machine).
[WADS] <Value> format in XML was incorrect and not complete for password definition.
[IMP] Last error message added for failed djoin.
[FIX] Fixed uninstall wapttftpserver when uninstalling waptserver.
[IMP] Improved file upload with hash check wads iso files listed from the WAPT Server even if not saved in the WAPT Console.
[NEW] Added customized WinPE export to zip file.
[IMP] Improved showing the error message on upload failure.
[IMP] Improved applying default configuration on wads host if no configuration has been set.
[IMP] ISO download dialog box.
[IMP] WADS: WinPE now pinging WAPT Server. Selected language keyboard layout will be available directly in a new cmd.
[IMP] WADS: XML no longer disable UAC by default.
[FIX] Fixed mac_address not returned with iPXE.
[ADD] Added ipxe_script_jinja_path and two templates.
[UPD] Added file type filters for loading the post-install script.
[FIX] Restored a progression bar when uploading the ISO and the winpe files.
[IMP] kill wapttftpserver and uninstall the service before installing it.
[ADD] Added Windows 11 unattend XML template files.
[IMP] Improved searching WADS data (hosts, isos, driver bundles, configurations).
[FIX] Added tftp firewalld port opening.
[IMP] Avoid creating WinPE on Windows partition + some ACL added.
[UPD] Renamed drivers bundle filenames to sha256(filename).
[ADD] Added a template for Debian.
[UPD] GridConfigDeploy showing the platform now.
[FIX] Fixed saving bundle names.
[NEW] Injecting an OEM (Original Equipment Manufacturer) key by slmgr command.
[FIX] Fixed SELinux rules for wads.
[FIX] Potential fix for (over 10 joins for djoin by a standard user on MSAD).
[UPD] WADS grayed when windows update repository is selected.
[UPD] Possibility to select an iso file even if not Windows.
[FIX] Fixed waptconsole uploadWinPE: regression in upload progress bar and incomplete zip.
[FIX] Fixed wads to include non CA certificates for WinPE build.
[IMP] Added ipxe_script in DeployConfig table.
WAPT Agent MacOS¶
[UPD] Delete old pkg if available in pkg list.
[NEW] Added fake menu for macOS for letting user to quit the app from the MainMenu.
[FIX] Improved support for macOS MenuBar.
[FIX] Added WAPT Console .app plist file for macOS X.
[FIX] Fixed some macOS X model and serial number reports.
[FIX] Fixed macOS X local_groups key in host_info.
[FIX] Updated mormot2 for gssapi on macOS X.
[NEW] support WADS security, Network masks.
[FIX] Fixed installed_softwares on MacOS.
[NEW] Added timestamping to pkg signing.
[FIX] Fixed getting agent version in get_wads_config.
[NEW] Added entitlements file for macOS signing.
[IMP] Force light UI when DarkMode is active on macOS.
[FIX] Fixed opening maximized self service on macOS
[FIX] Fixed loading hosts on macOS when more options in inventory is checked.
[IMP] Better handle on input (utf8 conversion).
[IMP] macOS: Updated build script to handle binary file signing and better debugging.
[IMP] Patched dmidecode info for macOS.
[FIX] Fixed macOS core get_hostname return binary string instead of str -> update_status loop.
[IMP] Use system_profiler_info for dmi_info on macOS X.
[REF] plistlib.readPlistFromBytes deprecation fix.
[FIX] Fixed core macOS: use UUID from system_profiler_info instead of dmidecode.
[FIX] Fixed duplicated macOS code in setuphelpers for get_hostname().
[IMP] Improved mounting content for .pkg, .mpkg, .app only if file is not symbolic.
[NEW] Added the WAPT Console to Linux and macOS gui distribution.
[IMP] Fixed keyword and name with installed_softwares in macOS and Linux.
[FIX] Fixed register for macOS.
[FIX] Fixed custom waptmessage logo linux.
[FIX] Fixed harakiri on non Windows kills all running processes.
[FIX] Fixed restart waptservice for macOS.
[IMP] Silently attach dmg file.
[FIX] Fixed get_file_type in macOS.
WAPT Agent Linux¶
[FIX] Fixed user_local_appdata for Linux.
[IMP] waptagent Debian package: removed system python3 dependency.
[IMP] Avoid loop in checkbox events on search inventory especially on operating systems other than Windows.
[IMP] Added PYTHONNOUSERSITE = True to all .sh scripts to avoid spoiling PYTHONPATH with locally installed libraries in user home directory.
[UPD] Disable compression on unix WAPT agent bundle (each package is itself already compressed).
[NEW] Added the WAPT Console to Linux and MacOS gui distribution.
[FIX] Fixed configpackage wizard and main form layouts for Linux.
[UPD] Updated virtualtreeview for Linux visual grid lines improvements.
[IMP] Fixed keyword and name with installed_softwares in macOS and Linux.
[FIX] Fixed harakiri on non Windows kills all running processes.
[ADD] Added snap software inventory.
[FIX] Fixed waptservice linux restart Linux: AttributeError: WaptServiceRestart object has no attribute logger.
[NEW] Linux OS deployment.
[FIX] Added firewalld rule on RedHat based server for wapttftpserver.
WAPT-2.2 Serie¶
WAPT-2.2.3.12481 (2022-11-30)¶
hash: ad3855c9
This is a security release with a few related bugfixes. All WAPT 2.0 versions below 2.2.3.12481 are affected.
Note: if you are using WAPTAgent deployment via GPO, do not forget to update your waptdeploy binary in the definition of the GPO.
WAPT Core¶
[SEC] Upgraded python from 3.8.13 to 3.8.15.
[SEC] Upgraded openssl from 1.1.1k to 1.1.1s.
[SEC] Upgraded WAPT Agent kerberos lib from 1.19.3 to 1.20.1 (Linux / macOS).
[SEC] Upgraded python modules with CVEs:
pylint==2.12.2 -> 2.15.6.
ujson==4.0.2 -> 5.5.0.
waitress==2.0.0 -> 2.1.2.
WAPT Agent¶
[SEC] waptdeploy.exe: Use only wapt_is1 install location from registry to get the current wapt installation directory. Do not run wapt-get to check working condition.
[FIX] Added fallback method to get domain in get_hostname.
[FIX] Fixed windows, replaced wapt-get.exe --hide by waptpythonw.exe wapt-get.py to run session-setup because --hide does not actually hide the shell window.
[FIX] Fixed WakeOnLAN relays.
[REF] Cleaned up the WAPT Agent common.py: removed unused imports.
[FIX] Fixed waptexit: fix only_priorities argument when starting waptexit from service.
[IMP] MacOS: Updated build script to handle binary file signing and better debugging.
WAPT Console¶
[UPD] WADS: Include hostname in template iPXE Debian Linux.
[IMP] WAPT Console: Do not display empty confirmation messagebox.
WAPT Server¶
[FIX] waptserver postconf: Force path when running psql command in postconf (linux).
WAPT-2.2.3.12463 (2022-09-29)¶
hash: fc306143
This release is mainly a bugfix release. The main new feature is tech-preview support for MacOS on Apple M1 architecture.
Note: due to EOL and security issue, the PostgreSQL database version has been updated on the WAPT Server for Windows and RedHat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. The upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on RedHat7. Be sure to run the postconf.sh script after upgrading.
WAPT Server¶
[UPD] WAPT Server for RedHat7 / Centos7: Upgraded PostgreSQL version from 9.6 to 14.5.
[UPD] WAPT Server for Windows: Upgraded nginx to 1.22.0.
[UPD] WAPT Server for Windows: Upgraded vcredist to 2022.
[UPD] WAPT Server for Windows: Upgraded PostgreSQL version from 9.6 to 14.5.
[FIX] WAPT Server for Windows: Fixed icacls for migrate_pg_db.
[FIX] WAPT Server for Windows: Allow install and upgrade with any server admins (does not require to use the local Administrator with RID -500 for installing).
[UPD] WAPT Server for Windows: waptserversetup: avoid automatic restart when installing MSVC 2022.
[FIX] Fixed upgrade procedure: migrate data text to jsonb only if table hostauditdata in data_type text.
[FIX] Patched create_default_users when upgrading from 1.8.2 to 2.2.
[FIX] Fixed unhandled redirections in TWaptServer wget.
[FIX] Added RedirectMax parameter in WaptServer WGet
[UPD] Added ubuntu 22.04 in waptagent bundle.
[FIX] Fixed postconf nginx: bad error string format.
WAPT Console¶
[FIX] Fixed host configuration package that were not editable right after creating them.
[FIX] Fixed error editing same OU package in one session.
[FIX] Fixed CleanupPackagesCache proper unlock even if no assigned package.
[FIX] Fixed access violation at startup when no server is defined in waptconsole.ini file.
[FIX] Fixed waptconsole: When deleting a package in the private repo page, package is still listed until the WAPT Console is restarted, but the package is actually deleted on the WAPT Server.
[FIX] Fixed waptconsole: Random timeout error when running commands from waptconsole
WAPT Agent¶
[FIX] Fixed setuphelpers: reintroduce running_as_system for Linux and macOS (uid==0).
[FIX] Fixed start waptservice only if wapt-get.ini configuration exists.
[FIX] Fixed remove_file(): Was unable to remove symlinks.
[FIX] Reset properly Wapt core settings to default when reloading config from wapt-get.ini.
[FIX] Try to create a minimal wapt-get.ini file if it does not exist so that the service can be started without any prior configuration.
[FIX] Fixed WAPT Agent for macOS: use system_profiler_info for dmi_info on macOS for support for Apple m1 architecture.
[FIX] Fixed WAPT Agent for macOS: plistlib.readPlistFromBytes deprecation fix.
[FIX] Fixed WAPT Agent for macOS: core macOS: use UUID from system_profiler_info instead of dmidecode.
[FIX] Fixed WAPT Agent for macOS: change postinst script for launchctl compatibility.
[FIX] Fixed WAPT Agent for macOS: macOS core: get_hostname returned binary string instead of str -> update_status loop.
[IMP] Fixed WAPT Agent for macOS: Rationalize pkg filename.
WAPT-2.2.3.12454-rc2 (2022-09-26)¶
hash: 64bfc946
This is the second release candidate for WAPT 2.2.3.
The main new feature is tech-preview support for MacOS on Apple M1 architecture. Otherwise it is mainly a bugfix release.
Note: due to EOL and security issue, PostgreSQL database version has been updated on WAPT Server for Windows and RedHat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. Upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on RedHat7. Be sure to run the postconf.sh script after upgrade.
Fixes since WAPT-2.2.3-rc1:
WAPT Server for Windows¶
[FIX] Fixed icacls for migrate_pg_db.
WAPT Agent¶
[FIX] Start waptservice only if wapt-get.ini config exists
[FIX] Added PYTHONNOUSERSITE = True to all .sh scripts to avoid spoiling PYTHONPATH with locally installed libraries in user home directory.
[FIX] Fixed remove_file() that was unable to remove symlinks.
[FIX] Fixed waptconsole : fix AV at startup when no server is defined in ini file.
WAPT Agent for macOS¶
[FIX] Use system_profiler_info for dmi_info on macOS for support for Apple m1 architecture.
[FIX] Fixed plistlib.readPlistFromBytes deprecation.
[FIX] Fixed core macOS: use uuid from system_profiler_info instead of dmidecode
[FIX] change postinst script for launchctl compatibility
[FIX] macOS core get_hostname return binary string instead of str -> update_status loop
[IMP] rationalize pkg filename
WAPT-2.2.3.12411-rc1 (2022-09-05)¶
hash: 29e18f23
This is mainly a bugfix release.
Note: due to EOL and security issue, PostgreSQL database version has been updated on WAPT Server for Windows and RedHat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. Upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on RedHat7. Be sure to run the postconf.sh script after upgrade.
WAPT Server¶
[UPD] WAPT Server for RedHat7 / Centos7 : upgrade PostgreSQL version from 9.6 to 14.5
[UPD] WAPT Server for Windows : upgrade nginx to 1.22.0
[UPD] WAPT Server for Windows : upgrade vcredist to 2022
[UPD] WAPT Server for Windows : upgrade PostgreSQL version from 9.6 to 14.5
[FIX] WAPT Server for Windows : allow install and upgrade with any server admins (does not require to use the local Administrator with RID -500 for install)
[UPD] WAPT Server for Windows : waptserversetup: avoid automatic restart when installing MSVC 2022
[FIX] fix upgrade procedure : migrate data text to jsonb only if table hostauditdata in data_type text
[FIX] patch create_default_users when upgrading from 1.8.2 to 2.2
[FIX] Fix unhandled redirections in TWaptServer wget
[FIX] Add RedirectMax parameter in WaptServer WGet
[UPD] added ubuntu 22.04 in waptagent bundle
WAPT Console¶
[FIX] host config package are not editable right after creating them.
[FIX] error editing same OU package in one session
[FIX] CleanupPackagesCache proper unlock even if no assigned package
WAPT Agent¶
[FIX] setuphelpers. reintroduce running_as_system for linux and mac (uid==0)
WAPT-2.2.2.12388 (2022-07-22)¶
hash: 10e35aa7
This is mainly a bugfix release.
Note
There is a change in the way the wapt->glpi sync is working, please refer to documentation for upgrade.
Tech preview: new multiserver console support (connect to multiple wapt server using one console).
Added support for ubuntu 22.04 amd64.
def update_package() function can now be located in a separate update_package.py file. New packages from wapt store will use this new format to make setup.py simpler and more readable. Older wapt version are not impacted for package import and package install, but may be impacted if one wants to update directly from the WAPT Console using update_package script.
WAPT Deployment Server (WADS)¶
[NEW] injecting oem key by slmgr command
[FIX] fix tftpserver window size handling (bug on Dell uefi bios)
[FIX] allow djoin with machine in default container CN=computers
[FIX] improve error message when using standard user on MS AD for djoin.exe when >10 machine quota join has been reached
[FIX] allow saving / renaming bundle names and check for empty names
[IMP] add ACL on WADS (before it needed admin level ACL)
[NEW] add post_install script windows
[NEW] add ignore_ipxescript and move conf file and ipxescript
[NEW] Basic Linux OS Deploy support : add Debian ipxe script template
[NEW] add {{server_url}} {{secondary_repo}} and {{hostname}} in get_wads_config
[NEW] add mustache templating in ipxescript
[FIX] waptconsole uploadWinPE : fix regression in upload progress bar and incomplete zip.
[FIX] add a progression form when uploading ISO and winpe
[IMP] add wapttftpserver service shutdown in upgrade sequence (through net stop, not only taskkill)
[IMP] add tftp firewalld port opening on RedHat
WAPT Console¶
[NEW] techpreview: waptconsole reporting multiservers.
[FIX] Fixed check that downloaded waptsetup version is same or newer than server.
[NEW] Download from https://wapt.tranquil.it and upload on local waptserver agents for Linux and macOS directly from the WAPT Console.
[NEW] Added a popupmenu Copy to clipboard as json for audit data.
[NEW] Display audit history audit data explorer (treeview + html template) + allow drag/drop of a audit json value subkey from value tree explorer.
[IMP] waptwua: update waptwua status to NEED-SCAN on hosts when download_wsusscan is triggered and wsusscn2.cab file is downloaded.
[IMP] Package import: Don’t take care anymore of maturity for version when it’s compared to store version.
[FIX] Added licence validity check tolerance +1 day.
[FIX] Fixed trigger downloads when triggering updates from the WAPT Console.
[FIX] Allow ~ in package names (for spaces in Organizational Unit packages).
[UPD] Updated icons on windows update status for WUA.
[NEW] New option check_package_version in waptconsole.ini.
[FIX] Fixed saving empty value in Editor for packages.
[UPD] waptconsole reporting: Added a quick search filtering zone for the query result.
[FIX] Wrong message when no admin rights and waptagent need upgrade or not present.
[UPD] When going outside modified rules. A popup will ask to save or not the rules.
[UPD] Delete host popup.
[NEW] Added feature to download packages when asking hosts for update.
[UPD] trigger_host_update adding possibility to download the package after update.
[FIX] Saving language parameter.
[UPD] Added a NEED-SCAN waptwua.status, updated when Wapt.update() is called.
[FIX] Fixed layout on Windows Update form.
[NEW] waptconsole: multiserver: manage packages repositories by server.
[FIX] waptconsole: re-enable dataexport to csv for grids.
[NEW] Explicit hint on number version when the package is not up to date (GridPackages)
[UPD] waptconsole: Improved drag drop of columns into GridHosts
[NEW] waptconsole: New Htmlviewer for audit data and Html auditdataview template filename (wapttemplates) calculated from section and key, or section.
[FIX] waptconsole drag/drop audit values.
[IMP] waptconsole: Load Active Directory Groups in thread.
[FIX] waptserver: Improved message when triggering action.
WAPT Server¶
[FIX] glpi sync: simplified glpi_upload_hosts.py script.
[NEW] techpreview waptserver: endpoint update_hosts_audit_data to bulk insert hosts related data (for third party data integration).
[NEW] Added multiserver endpoint for multiserver WAPT Console.
[FIX] waptserver update_audit_data fix on_conflicts for value_id.
[IMP] waptserversetup: take in account wapt_folder parameter in waptserver.ini when upgrading a setup.
[IMP] Use utc time for acls expiration check.
[FIX] Fixed waptserver unable to delete some hosts when CRL is enabled.
[IMP] waptserver db install: try to register jsquery extension to make json query more powerful for reporting (this is not yet mandatory).
[IMP] Renamed waptsetup-tis.exe to waptsetup.exe on the WAPT Server.
[IMP] Include waptsetup.exe in waptserversetup.exe on Windows.
[IMP] Download from TIS / upload to the WAPT Server of the installation packages of the WAPT Agents.
[UPD] Create a full version 1.2.3.rev-hash into file wapt/version-full
[IMP] Added HSTS header to nginx template.
[DEL] Removed direct integration of GLPI sync into WAPT. Now switched to plugin sync
[FIX] Added trigger_host_action ACL on /api/v3/connected_wol_relays (used by /api/v3/trigger_wakeonlan)
[IMP] Force calc_md5 if new filename in server.
[IMP] Improved websockets performance and reliability. Now websocket ids are stored in memory instead being written in the database.
WAPT Agent¶
[FIX] Fixed threading exception in WAPTExit and WAPTTray that could prevent status updates.
[NEW] WAPTWUA superseded support. option include_potentially_superseded_updates in configuration wizard.
[NEW] Added snap software inventory.
[FIX] waptmessage unable to load sqlite on Linux and macOS.
[FIX] Fixed custom waptmessage logo on Linux.
[FIX] Fixed waptservice configuration: sets the configs_dir relative to wapt-get.ini full path.
[FIX] Fixed waptservice ‘start_waptexit’ with arguments
[FIX] Fixed bad arguments sent to waptservice triggering upgrades with ‘only_priorities’ and ‘only_if_not_process_running’
[FIX] Wapt.write_audit_data_if_changed: writes data if previous data has expired.
[IMP] wapt-get add-config-from-url: provides a meaningful message when hash is not provided.
[FIX] Updated the template of dynamic json configuration packages to match the new location and the naming of json config related functions.
[IMP] Improved dynamic configuration handling for the WAPT Agent.
[FIX] waptservice: ensure a random secret_key for local waptservice session.
[FIX] wapt-get update-package-sources: handles properly relative path to package sources.
[IMP] wapt-get edit now opens changelog.txt, VSCod* now open control file too.
[UPD] Changed default log path to wapt/log if writable.
[IMP] waptservice waptself: local authentication with file token (ie. nopassword), handling of local groups.
[NEW] use --not-interactive with register if install run in silent mode and not run update if install service.
[IMP] waptself, wapt-get, waptexit, wapttray: kill check threads on close, even on linux to speed up application shutdown.
[FIX] Linux: waptservice restart Linux: AttributeError: ‘WaptServiceRestart’ object has no attribute ‘logger’.
[IMP] macOS: normalize macos wapt install package name format.
[FIX] macOS: Fixed registration failing in some cases.
[IMP] macOS: Added mpkg support.
[FIX] Fixed no hash in clipboard, added missing helper for add-config-from-url in wapt-get.
[IMP] Limit access right to admins to log directory (in case non public stuff get written to log)
WAPT Core¶
[IMP] Patched with_md5sum in make_package_filename.
[IMP] Added options for update-package-sources.
[UPD] wapt core: use datetime in UTC for audit_data.
[NEW] wapt core: allow usage of an environment variable “waptbasedir” to specify the location of root waptbasedir.
[FIX] configuration package template setup_package_template_conf.py.
[IMP] Support for def update_package in file update_package.py instead of setup.py for better readability.
[UPG] Upgraded openssl to 1.1.1o.
[NEW] core: define path Wapt.configs_dir relative to Wapt.config_filename if the dir Wapt.config_filename..conf.f exists.
[FIX] Fixed waptcrypto: certificate filename attribute was not set when loading a certificate chain.
[FIX] Fixed new option copytree2 replace_at_next_reboot.
[FIX] Avoid errors on get_version_from_binary() getting params.
[FIX] Fixed keyword and name with installed_softwares in macOS and Linux.
WAPT-2.2.1.11957 (2022-06-02)¶
WAPT Deployment Server (WADS)¶
[FIX] Fixed wapttftpserver restart on Linux.
[IMP] Added xml template for windows 11 deployment.
[FIX] if verify_cert is empty, then verify_cert = False.
WAPT Console¶
[FIX] CheckLicence => licence is now valid one day before the real beginning.
WAPT Agents¶
[FIX] Fixed harakiri on Linux.
WAPT-2.2.1.11949 (2022-05-18)¶
hash: 1b2dfbee
This is a bugfix release.
WAPT Deployment Server (WADS)¶
[FIX] Fixed waptconsole: use ROOT in addition to CA windows system certificates stores when building winpe with verify_cert = True.
[FIX] Fixed selinux rules for WADS.
[FIX] Fixed non ascii character support in passwords.
[IMP] wgetwads: add more logging data (wget). Disable exe signature certificate as this could be blocking if CRL can not be checked in winpe environment for example.
[UPD] add a timer to wait for network in WADS.
[UPD] Update openssl to 1.1.1n for WADS.
Other fixes¶
[FIX] fix wrong GPO link on waptserver start page
[FIX] fix some translation messages in console
[FIX] wrong element order in message in ACL GUI
[FIX] allow change password if user password has been cleared
[UPD] update mormot2 for bug in TSynDictionary.AddOrUpdate()
[UPD] update mormot statics for sqlite to 3.38.5 (required for mormot compatibility)
WAPT-2.2.1.11932 (2022-05-05)¶
hash: 6522dccb
This is a bugfix release.
WAPT Deployment Server (WADS)¶
[FIX] wapttftpserver : better handling of UEFI PXE/TFTP boot
[FIX] wads now include non CA certificates for winpe build
[FIX] Not adding “cn” in OU
[FIX] wapttftpserver : add firewalld rule on redhat based server for wapttftpserver
[FIX] WADS : improve feedback on upload WinPE
[FIX] wapttftpserver : kill wapttftpserver and uninstall service before installing it
[IMP] waptserversetup: add wapttftpserver configuration for windows
WAPT Server¶
[FIX] fix typo for rocky support as server
[FIX] waptservice websocket reconnection: disable by default low level reconnect feature
WAPT Console¶
[FIX] fix bad port configuration for veyon remote assistance support
[FIX] Define default package prefix when creating empty package
[FIX] patch setup_package_template_cert.py.tmpl
[FIX] waptconsole: fix access violation when access to external repo is blocked or need a proxy.
[IMP] package version in bold red if obsolete version compared to external repo for better accessibility
WAPT Agent¶
[FIX] waptservice websocket reconnection: disable by default low level reconnect feature
[FIX] add conf.d to rpm agent installers for the new agent configuration management
[FIX] macOS: fix get_file_type in macos
[IMP] macOS: silently attach dmg file
[IMP] waptwua : improve consistency between WUA history and WUA status
[FIX] waptself: bad char case for png file (issue for linux)
[IMP] add dummy running_on_ac for linux and mac for compatibility
[FIX] waptutils.user_config_directory() did not work under system account.
WAPT Core¶
[IMP] mormot2 static: add 3.38.2 hash
[IMP] sync htmlviewer with latest github commits from https://github.com/BerndGabriel/HtmlViewer/tree/master
[IMP] waptguihelper: improved the design for InputDialog form
WAPT-2.2.1.11899 (2022-04-06)¶
hash: 2d82654e
This is mainly a bugfix release.
A new tftpserver has been introduced and it will ease WADS installation and configuration as it will be directly integrated into WAPT.
WAPT Deployment Server (WADS)¶
[NEW] add a wapttftpserver binary on windows and linux to act as a tftp server for WADS
[FIX] WADS : don’t use redirect
[FIX] WADS : be tolerant if sendstatus can not be sent.
[IMP] WADS : handle https for drivers (continued)
[UPD] wads : get windows system certificates for WADS server bundle
[UPD] implement https verifyCert in wads and wgetwads
[IMP] add serial_number arg when calling server get_wads_config in wads
[UPD] waptconsole wads: add audit columns (created/updated) in grids.
[NEW] Add an action to prepare a host package in WADS OS Deploy grid
[NEW] wgetwads : use code signing cert of TIS to check signature of json hashes file if no signer_certificate in json file
WAPT Console¶
[UPD] OU “All” fixed to not editable on GridOrgUnits
[FIX] waptconsole: wrong client https key password used for task polling thread.
[FIX] waptwua packages : ALLOWED status in winupdates grid is kept between form display.
[FIX] Package creation did not take silent flags in account
[FIX] memory leak when refreshing packages list
[FIX] waptconsole packages list: Showing all versions when “Last version only” is not checked
[FIX] “property not found” in some grids when refreshing data.
[FIX] running plugins on multiple hosts.
[FIX] taking in account the platform when looking for TIS store package version
[FIX] nested progress notifications in uwaptserverconnection TWaptServer
[FIX] Disabled pysources check at waptconsole startup.
[FIX] external repo ini settings dialog when importing.
[FIX] waptconsole. some ui elements are not disabled when switching to discovery on login.
WAPT Server¶
[NEW] add support for postgresql 14 on centos7
[UPD] wapt windows server: update to nginx 1.20.2
[IMP] server postinstall : put nginx backups in a different dir than nginx config
[FIX] waptserver: fix empty error message when trying to activate an existing licence
WAPT Agent¶
[NEW] added new waptguihelpers : grid_dialog, filename_dialog, input_dialog, combo_dialog
[FIX] waptdeploy multiple setupargs raise “Invalid variant operation”
[FIX] missing root certificates when exporting system store certificates in lazarus app (GetSystemCABundlePath). Must trust CA + ROOT stores
[FIX] setuphelpers: regression in maintaining backward compatibility for some const which are functions too (programfiles etc..)
[FIX] be tolerant if uuid can not be regenerated (on linux, dmidecode can’t be run as normal user in session-setup)
[FIX] fix wget waptdeploy.exe waptagent.exe in wads and detect mismatch drivers config
[FIX] waptagent regression : Revert “[UPD] waptservice : tasks don’t notify server by default to avoid too frequent updates of database.”
[FIX] wapt-get : try to fix get service password on unix.
[NEW] splitting remove_appx() with new function remove_user_appx() to avoid unexpected behavior
[NEW] Add restart-waptservice action in wapt-get.py
[FIX] fix publisher and version in installed_softwares macos
[FIX] use waptservice to check if is_enterprise in waptexit (avoid direct access to local waptdb) (fix unable to access sqlite db on linux / mac)
WAPT to GLPI connector¶
[FIX] glpi fix install_date
[FIX] regression in glpi export (Softwares)
WAPT-2.2.0.11720 (2022-03-15)¶
hash: 8e07f388
This is the first release of the 2.2 series of WAPT.
WAPT Core¶
[NEW] Discovery mode for the WAPT Console
when checking acls, the licencing status is taken in account to enable or not actions.
maximum number of 300 managed hosts in discovery mode.
WAPT Deployment Server (WADS)¶
[NEW] tech preview Automated Windows OS deployment called WADS :
Using a winpe image (network boot or usb key boot).
Shipping wimboot, ipxe.efi, undionly.kpxe, 7z.dll.
Added openssl win64 binaries for WADS
Added wads.exe and wgetads custom binaries in distribution.
Added WADS repo option in repo rules.
Added a WAPT Console page to list raw registered hosts, upload winpe images, define default config, upload drivers bundles.
On WAPT Server: added /var/www/wads/; add a non protected /wads in nginx config.
WAPT Console¶
[NEW] add columns in private repo to display newest software version (Tranquil IT effort to parse softwares providers download sites) and newest package version (from Tranquil IT store database).
[NEW] Dynamic Agent configuration using .json files stored on the WAPT Server:
Added a last_update_config_fingerprint local param to keep track of current config.
Added ‘configurations’ (merged config overview) data when uploading host status to the WAPT Server.
[NEW] Dynamic Agent configuration using config packages:
Added templates/setup_package_template_conf.py.tmpl package template.
Added a wapt/conf.d directory on the WAPT Agent to hold the installed .json configuration files.
[NEW] New in the WAPT Console: added option to show the host WAPT Agent configurations overview.
[NEW] New in the WAPT Console: option to display a graph of host packages dependencies.
[NEW] New in the WAPT Console reporting: tabbed interface to display multiple query results.
[NEW] New in the WAPT Console: option to filter host inventory based on the result of a SQL query:
In reporting, right click on a column which represents a host UUID, “choose as Host UUID” and save.
The query is then available in the combobox “Filter hosts on SQL query” in hosts inventory.
[NEW] New in the WAPT Console: add a Tech preview Tab for packages development workflow:
Create from template;
Displays waptdev directory sources package status;
Basic git commands.
[IMP] Improved the WAPT Console send message : enable use of HTML (copy & paste). HTML Preview.
[IMP] Do not clear selection on mouse right-click when selecting package names in package edits.
[IMP] refactored the WAPT Console code to remove most python calls:
removed waptdevutils.py, removed calls to WaptRemoteRepo, replaced by pure fpc code.
[UPD] Updated the WAPT Console: merged selected hosts add/remove depends, add/remove conflicts in a single action/form
[UPD] Updated the WAPT Console update package source: add a checkbox to enable package version increment.
[UPD] Updated the WAPT Console ‘plugins’ config: warn user if not saved.
[UPD] Updated the WAPT Console: removed obsolete Add ADS Groups to selected host action.
[UPD] Updated the WAPT Console action Refresh Host Inventory triggers a update_server_status instead of a full computer register.
[UPD] Updated the WAPT Console: host additional tools (rdp, vnc, etc) which requires to look for a connected IP are now run in a thread to avoid freezing the UI.
[UPD] Start of use of mormot2 for X509 and RSA crypto instead of python bindings in the WAPT Console
[FIX] waptconsole : store executable signature with new key name format (xxx.exe keys)
[FIX] duplicated panels in initial configuration package wizard.
WAPT Self-Service¶
[IMP] waptself: add logger.
WAPT Server¶
[IMP] Improved the WAPT Server authentication: try ldap authentication only if ldap_auth_server is defined.
[UPD] Updated the WAPT Server licencing: use waptlicences.pyd instead of pure python code.
[UPD] Updated the WAPT Server: add config options wads_folder and agent_folder.
[UPD] Updated the WAPT Server: improve GLPI export, add ‘smodel’ on GLPI exports and add ‘monitors’.
[IMP] force en_US.utf8 locale for linux services.
[IMP] add /api/v3/latest_installed_package_version.
[UPD] upgraded jquery to v3.6.0.
WAPT Service¶
[NEW] Added /opt/wapt/wapt-get.bin to linux distributions.
[NEW] New in the WAPT service: added a WaptUnregisterComputer task and unregister_computer socketio action.
[IMP] Improved the WAPT service: improved logger.
[IMP] Improved the WAPT service and the WAPT Agent take into account the licencing status:
Added a licences local param to store the current registered licences retrieved from the WAPT Server during the last update.
[UPD] waptcrypto.py: made optional the joining of signer certificate when signing claims.
[UPD] Updated the WAPT Deployment utility: increased timeout from 4s to 15s when pinging the current http WAPT service.
[UPD] Upgraded dmidecode to v3.3 on windows.
[UPD] Updated the WAPT service: do not check battery level for WaptAuditPackage task.
[REF] Installers : merged wapt.iss and common.iss.
[FIX] wapttasks: took in account non default config filename.
[FIX] Fixed the WAPT service: reporting properly the user which created a task (either locally or using websockets).
[FIX] Fixed the WAPT service: fixed icons in package local webpage.
wapt-get¶
[IMP] wapt-get new config actions. Added actions:
add-config-from-file;
add-config-from-base64;
add-config-from-url;
with parameters:
--not-interactive: Disables dialog to ask credential users (for batch mode);
--waptbasedir: Forces a different wapt-base-dir than default dir of waptutils.py;
--devmode: Enables devmode. dbpath is set to memory and certificate/key paths are in userappdata;
--json-config-name: The name of the .json file given with the action json-config-from-file/base64/url;
--json-config-priority: The priority of the json file given with the action json-config-from-file/base64/url.
[UPD] Removed update-packages action synonym for scan-packages.
[IMP] wapt-get added update-status action in service mode wapt-get -S update-status.
[IMP] Enabled --CAKeyFilename and --CACertFilename wapt-get options
[IMP] Added logger for waptguihelper pyd module. If --loglevel=debug in commandline, logger is activated.
[IMP] Reporting the use_repo_rules flag to the WAPT Server in wapt_status
Report is_enterprise flag to the WAPT Server
Report installed antivirus and monitors in host inventory
[IMP] Audit loop granularity based on actual installed packages:
Added get_next_audit_datetime() on Wapt class.
waptaudit_task_period attribute is now in the Wapt class instead of the WAPT service.
[UPD] Removed the not functional --dry-run wapt-get option.
[IMP] Improved register computer fallback from kerberos to password based authentication:
Do not send audit data when registering to limit workload.
[IMP] Try registering computer if update_server_status fails because of authentication.
[IMP] waptpython.exe, waptpythonw.exe, and nssm.exe are now signed with Tranquil code signing key.
[NEW] added pylint and black modules. Added black configuration to vscode project template.
[NEW] Added setuphelpers.getscreens.
[IMP] Improved SetupHelpers unzip : new extract_with_full_paths argument (default True).
[NEW] New SetupHelpers listening_sockets().
[IMP] Added templates/setup_package_template_portable_exe.py.tmpl and templates/setup_package_template_portable_zip.py.tmpl package templates.
Other stuff¶
[IMP] Added windows_version_prettyname and windows_version_releaseid in host_info.
[IMP] Always use RunAsAdminWait to copy package certificate to the local WAPT service waptssl directory.
[IMP] Improved the WAPT Console config: stores WAPT Server certificate in AppUser folder (roamingwaptconsolesslserver).
[IMP] Reset TLS client key password in the WAPT Console config if connection error.
[UPD] Retire python GetPrivateKeyPath, raise exception if GetPrivateKey does not succeed.
[FIX] Clear cached TLS client key password when validating the WAPT Console config dialog.
[IMP] Improve GLPI settings windows.
[IMP] Clean up the html error page from the WAPT Server when checking the WAPT Server and WAPT repository URL.
[FIX] Don’t reenter the private key password dialog if already asking the user. This issue can be triggered if several threads are using a key, or if cooperative multitasking like TAction messages (OnUpdate) triggers a Get with client side certificate authentication.
[SEC] Fix dhparam on the WAPT Server postconf.
[FIX] Fix failover on file version with remove_outdated_binaries().
[IMP] Add asset_tag to sysinfo api.
[FIX] Get_antivirus_info: test if timestamp attribute exists.
[IMP] New getscreens function.
[IMP] Added columns uuid manufacturer and product serialnumber in database.
[UPD] Added mac_addresses to LocalSysinfo.
[UPD] Expanded LocalSysinfo with uuid, serial_number and sku_number, fixed keys with underscore.
[IMP] Improved matching of reachable IPs of client using new GetReachableIP from mormot2.
[UPD] GetReachableIP: connection tests are performed in parallel using mormot GetReachableAddr instead of one after the other to reduce delay when launching IP based command to remote hosts from the WAPT Console.
[FIX] Take --config option in account for wapt-get fpc code.
[UPD] waptcrypto: implemented TX509Certificate.CN, removed TX509Certificate.DN.
[UPD] Updated SetupHelpers need_install: now comparing software versions with 4 members. Assumes that 1.2 == 1.2.0.0 and 1.2.3.4.5 == 1.2.3.4, remove_previous_version: use version with 4 members.
WAPT-2.1 Serie¶
WAPT-2.1.2.10652 (2022-01-10)¶
hash: 7dd63b61
[UPD] shorten the default package filename. If target_os is alnum, do not include md5sum in the filename. If target_os is in tags, do not duplicate it in filename
[FIX] disable debug data for linux
[FIX] try to circumvent issue with Trend antivirus blocking the WaptTaskManager. Looks like the issue is with platform.win32_ver using win32api.GetVersionEx…
[FIX] Installed softwares invalid conditions
[FIX] fix local_user and local_group on macOS
[FIX] removed workaround on 60s delay for websocket disconnect
[FIX] use CompressGZip instead of CompressZLib on the WAPT Server, compression is GZip
[FIX] Allow ‘~’ in package filenames
[FIX] try to not update records in database if data has not changed
[FIX] Wake on lan relay now equals is remote repository
[FIX] fix group members
[FIX] return only local and user group (ignore nsswitch)
[FIX] backported the WAPT Exit utility (improved detailed logging) from 2.2
[FIX] backport waptlicences py module from 2.2
[SEC] check that hostname matches https certificate in the WAPT Console http client.
[FIX] backport uwaptlicencing: allow empty json licencing data
[FIX] fix WaptHttpPostData
[FIX] check valid uri in wapthttputils waptwget WaptWget_Try
[FIX] init LastModifiedDate to ‘’ if not found in THttpResponse
[FIX] add a 50ms report delay for httpprogressnotification
isolate wapt python engine: PyFlags:= [pfNoUserSiteDirectory, pfIsolatedFlag];
[FIX] Fixed SetupHelpers: backported changes from 2.2 is_linux64 type_rhel fix installed_softwares for type_redhat upd uninstall_apt with autoremove
[FIX] user_appdata = user_local_appdata for unix
[IMP] introduced get_powershell_str, get_default_app remove_appx
[IMP] introduce InitLogger for the WAPT Exit utility
[FIX] Fixed the WAPT Console: generalize the use of a fallback package_uuid in case of old packages without package_uuid field.
[FIX] Fixed the WAPT Console: use editable dropdown in frmpackagedetails for maturity
[FIX] backport issue with inc version of some group packages when importing
[FIX] Disable client side ssl authentication on root WAPT Server url (regression)
[FIX] isolate from user python env when building binary packages
[UPD] improved feedback message for license activation on the WAPT Server.
[UPD] wapt-scanpackages.py: add option -d to disable update of database Packages table.
[FIX] The -b switch is True by default, so there was no way to disable update of database table.
[UPD] Updated the WAPT Console: be tolerant for old package without package_uuid
[UPD] strip ending slash in {{data.wapt.hostname}} server template properties to avoid double slashes in templates result
[UPD] backport openssl build parameter from 2.2
[FIX] Fixed the WAPT Agent url link in the WAPT Server index page.
[FIX] setproctitle only for unix
[FIX] locate packages in host packages grid using package_uuid instead of id, so that refreshing grid works properly with a multiselection of hosts.
[UPG][SEC] upgrade python version from 3.8.11 to 3.8.12
[FIX] remove python3 dependency. Now python3 is included in wapt
WAPT-2.1.2.10605 (2021-11-30)¶
hash: e2a0e2a0
[FIX] Fixed the WAPT Console: backport edit multiple hosts add/remove depends/conflicts (issue “no password available yet” when kerberos enabled); backport IpExecute from 2.2
[FIX] unable to edit stripped down package with integrated package editor. (setup.py file hash issue) update package size
[FIX] bad path for nginx dhparam for Windows server
[FIX] upgrade mormot2
[FIX] waptself local admin NOPASSWORD setting did not work anymore; log authentication user when task is triggered from local wapt webservice; do not raise exception in check_auth_groups but return (None, None) instead to avoid Error 500 in browser; backport fix for integer attributes in packages index; backport fix for loading ssl libraries
[FIX] Update wake on lan with broadcasts
[FIX] Error “Add: Unexpected [%] object property in an array” for old package with empty package uuid
[FIX] Acl handle boolean as global ACL
[FIX][SEC] issue with acls : action is enabled when acl is set to json false
WAPT-2.1.2.10588-rc1 (2021-11-22)¶
hash: e70d9039
[FIX] fix installed_softwares for older debian and improve inventory performance
[FIX] fix glpi inventory failure (exception on int conversion)
[SEC] [FIX] invalid condition on package hash check
[SEC] [FIX] cleanup nginx config templates
[NEW] add uwsgi support for Debian server
[FIX] add user information in audit
[FIX] Improve lazarus ini parser to support other values than ‘1’/’0’ as boolean values (True, true, 1, 01, etc. same behavior as python iniparse)
[IMP] support for message previsualisation and templates in waptmessage editor and better multiline support
[UPD] waptsetup : do not use kerberos by default
[NEW] show certificate when double click in acl tab
[IMP] Do not propose to start the WAPT Console after install (due to different user context)
WAPT-2.1.1.10568 (2021-11-08)¶
hash: 978c00ae
This is a bugfix version with some small improvements. The main fix is for websocket issue.
[IMP] Prevent multiple websockets connections from same host uuid on the WAPT Server (bugged wapt clients can maintain multiple websockets, which leads to a lack of available connections on the WAPT Server)
[FIX] Fixed restart of the WAPT service with exit code 10 (managed by the nssm service manager)
[FIX] Fixed case on the WAPT service where different threads access simultaneously to a shared Wapt instance
[IMP] Introduced some randomness when the WAPT service reconnects its websocket.
[IMP] Checking more cases to determine if token for websocket has to be updated.
[IMP] Introduced a wait in the socket client until it is actually disconnected before trying to reconnect to avoid multiple websocket threads from same client.
[IMP] Do not re-create a new SocketIOClient at each reconnection, but reuse existing one to minimize risk of multiple connections.
[FIX] Do not consider ‘%’ char as unsafe in filenames
[IMP] Improved logging of the WAPT service (logger wapttasks report main actions triggered by the service in waptlogwaptservice.log). Removed ‘flask.app’ logger config.
[IMP] Remove the WAPT package’s persistent directory on the WAPT client when a WAPT package is forgotten
[IMP] Added ignore_empty_names argument to SetupHelpers.installed_softwares
[IMP] Improved display of package_uuid with command wapt-get list
[IMP] Added redhat_based tag for WAPT package operating system tags
[FIX] Fixed decrypt_fernet / fernet_encrypt functions
[IMP] Improved the reporting of key as name in softwares inventory for softwares without a descriptive name
[FIX] The server_uuid column in hosts database updates properly.
[FIX] Fixed the removal of packages when only_if_not_process_running=True.
Known issues:
When the websocket is reconnecting, if the IP address has changed, the main IP address is not updated in IP address column in the WAPT Console.
WAPT-2.1.0.10550 (2021-10-08)¶
hash: 953c9552
This is a bugfix version with some small improvements.
[FIX] Fixed mass add / remove on multiple host at once.
[FIX] Fixed issue when editing a package without a “description_en” attribute in control file.
[FIX] Fixed drag drop when editing selfservice package.
[IMP] Improved feedback when uploading WAPT packages.
[IMP] Improved handling of the list of wakeonlan relay.
[IMP] Improved remote repository is now by default a wakeonlan relay.
[FIX] Fixed access violation error when viewing certificate list.
[FIX] Fixed do not enable verbose logging by default on the WAPT Console, the WAPT Exit utility and waptselfservice (might fill up %APPDATA% …).
[FIX] Fixed use templates/wapt-logo.png in the WAPT Exit utility if it exists.
[IMP] Improved login error message.
WAPT-2.1.0.10517 (2021-09-30)¶
hash: fa2af298
This is the first release of the 2.1 branch. It is mainly an incremental improvement with many small but worthy fixes on the 2.0 branch.
The WAPT service
[IMP] During upgrade, wapt-get session_setup is not run if no userspace configuration is defined for the installed WAPT packages.
The WAPT Deployment utility
[IMP] Improved automatic proxy detection and configuration possible with the new --http_proxy=True/False parameter or explicit url command line parameter.
[IMP] Disabled https verification when downloading waptagent.exe if a fingerprint is provided (allows installation on an out-of-date computer with an expired certificate store).
[IMP] Do nothing if no --waptsetupurl argument is provided (it reduces the probability of false positive on antivirus check).
[IMP] Double check WAPT installed version after install and report error message if it does not match (allow detection of installation that have been blocked by a misconfigured antivirus for example).
The WAPT Console
[NEW] tech preview: new tab to provide basic package editing functionality directly in the WAPT Console without having to open Pyscripter or VSCode.
[NEW] New tech preview: new tab to browse the development directory directly from the WAPT console.
[NEW] Single Sign On with Kerberos authentication (if service_auth_type=waptserver-ldap and use_kerberos=True).
[NEW] New button to display WAPT packages that have a specific WAPT package as a dependency in the private repository tab.
[NEW] New message box to decrypt message sent by the WAPT Agents (using encrypted_data_str / print_encrypted_data in waptcrypto). This allows an admin to upload sensitive information from desktop that will be asymmetrically signed by the Administrator’s public key.
[NEW] New set of icons and many small visual improvements.
[NEW] New software inventory tab to display installed software (not packages) and see which hosts have that specific software.
[NEW] New button to delete Windows Update KB files that are not used anymore by any computers. This allows to keep the Windows Update storage volume under control.
[NEW] New tab to have a user-friendly display of the certificates that are deployed on a specific host.
[NEW] New tab to display the certificates that are available on a WAPT repository.
[NEW] New warning icons on the hosts tab when the computer needs a restart (after a windows update for example).
[NEW] New filter by OS option.
[NEW] New icons in the OU tree view if a OU package exists for that Organizational Unit.
[NEW] New information message about the choice of maturity when creating new WAPT Agent and by default uploading in DEV maturity (to avoid being directly deployed to all client computers, this allows testing the new WAPT Agent on a subset of computers before full scale deployment).
[IMP] Made GLPI export configuration more intuitive.
[IMP] Improved the WAPT Console plugin versatility. All inventory attributes can now be used in command lines (it uses the “mustache” template syntax, e.g. {{ main_ip }} {{ computer_fqdn }} {{ host_capabilities.os_version }} “{{#host_capabilities.tags}}{{.}},{{/host_capabilities.tags}}” etc.).
[IMP] Allow non standard port in the WAPT Console configuration.
waptself
[NEW] allow custom logo in waptselfservice
[NEW] Single Sign On using Kerberos (needs service_auth_type=waptserver-ldap and use_kerberos=True)
[IMP] allow customisation of package details view using template engine
WAPT Exit utility
[IMP] allow custom logo (on Windows, Linux and macOS)
wapt-get
[NEW] better handling of licence information. Now the licence is uploaded on the WAPT Server and it is not necessary to install it on every admin WAPT Console computer
[IMP] propagate ExitCode from Python calls for better error handling
[IMP] better handling of websocket reconnection (check of socket status every 120s)
[IMP] periodic check of the UUID and the current certificate of the WAPT Agent for consistency between the WAPT Agent and the client computer
[NEW] waptsetup and waptserversetup new parameters: set_verify_cert and set_kerberos
WAPT-2.0 Serie¶
WAPT-2.0.0.9470 (2021-10-07)¶
hash: 5065cb57
This is a security release with a few related bugfixes. All WAPT 2.0 versions below 2.0.0.9467 are affected.
[SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
[SEC] Sanitize filename used when downloading files on local client. (CVSS Score: 7.5 High, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C). Enforced on wget and local filenames for downloaded packages (chars ‘\’ ‘..’ @ | ( ) : / , [ ] < > * ? ; ` n are removed or replaced).
[SEC] Do not use PackageEntry filename attribute to build target package filename as it is not signed.
[UPD] wapt-get remove: reraise exception if there is exception in uninstall script; return traceback in ‘errors’ key; return code 3 if there are errors when removing packages in wapt-get remove.
[FIX] handles wildcards in certificates in the WAPT Console config and create waptsetup update UI in external repositories config when setting CA bundle.
[FIX] use PackageEntry.localpath only for local status of a package.
[UPD] split PackageEntry non_control_attributes into repo_attributes and local_attributes. local_attributes are not put into Packages index as they are not relevant for remote access.
[UPD] update python modules requirements following urllib3 upgrade: idna==3.2 (from 2.10), certifi==2021.5.30 (from 2020.12.5), requests==2.26.0 (from 2.25), urllib3==1.26.6 (from 1.26.5)
WAPT-2.0.0.9450 (2021-08-10)¶
hash: 7bc6920c
This is a security fix version affected by CVE-2021-38608.
Please visit the security bulletin to learn more.
WAPT-2.0.0.9449 (2021-06-22)¶
hash: 70283a14
This is a bugfix version with some small improvements.
WAPT Agent
[FIX] Fixed Windows Update fix in the progress bar.
[IMP] Allow the WAPT Agent to upgrade even when on batteries.
The WAPT Server
[IMP] Many fixes in GLPI sync.
[FIX] Better handling of service_delete exception cases.
[FIX] Fixed database migration handling with create_defaults_users procedure.
[FIX] Fixed on windows skip the WAPT Agent build if there is no available certificate for signing.
The WAPT Core
[IMP] Improved the compatibility of Packages file for easing upgrade from WAPT 1.8.2.
[IMP] Improved the WAPT Deployment utility: behavior to avoid wrong red flag from AV softwares.
Caveat¶
For macOS support one should use the WAPT Agent 2.1 version available in nightly channel.
WAPT-2.0.0.9428 (2021-05-06)¶
hash: 4b33cf96
This is a bugfix version with many small improvements.
WAPT Console:
[IMP] Improve CreateWaptSetup form layout.
[IMP] Restore focused column visibility when refreshing grid data.
[FIX] Fix wrong path for wapt-get.py in vscode project.
[UPD] Update No fallback in rules to true by default.
[FIX] enable-check-certificate with wildcard.
[FIX] take into account the use_http_proxy_for_repo ini setting (if not present, assume False).
[FIX] Fix setup_package_template_msu.py.tmpl for package Wizard.
[IMP] Add new template for creating package with certificate.
[IMP] Add option to check downloaded package with VirusTotal in package import GUI.
[IMP] Add update-package source action directly in Private repository in the WAPT Console.
WAPT Agent:
[IMP] Use task queue for the forced installs instead of running them inline.
[FIX] Database not opened when we check Hosts who are secondary repositories.
[IMP] Restart partial download of Windows Update files.
[IMP] Improved icons handling in WaptSelfService.
[IMP] On macOS use host certificate store by default for https certificate validation.
[IMP] reload_config_if_updated now reload config if public_certs_dir has changed.
[FIX] WUA: better handling of return code “does not apply to this computer”.
WAPT Server:
[FIX] Fixed bad migration of PGSQL database server side.
[FIX] Improved database upgrade in corner cases.
SetupHelpers
[FIX] Fixed register_windows_uninstall calculation and using correct x86_64 environment with register_uninstall and unregister_uninstall.
[IMP] Improved inline function description for documentation.
WAPT-2.0.0.9343 (2021-04-08)¶
hash: 117d62b8
This is mainly a bugfix release after the initial 2.0.0 release.
WAPT Console:
[IMP] Show an explicit message if the user can not build a customized WAPT Agent.
[IMP] Enabled remote repo sync if there are repo configured (making remove_repo_support parameter obsolete).
[IMP] Better filtering on maturities.
[FIX] Fixed templates for vscode
WAPT Server:
[IMP] Include certificates from WaptUsers table in result of /api/v3/known_signers_certificates.
WAPT ACL handling:
[UPD] ACL: added an action to show the user certificate.
[UPD] Creates default (empty) WaptUserAcls record on user login even for non ldap logins.
[IMP] Better naming for ACL domains.
SetupHelpers
[FIX] Fixed register_uninstall.
[FIX] Do not change silently maturity and locale in check_package_attributes.
[FIX] Fixed regression in wget resume.
Other technical stuff:
[IMP] Added support for installation on OracleLinux.
[FIX] Tightened files ACLs on Linux + fixes + SELinux fixes in postconf.
[IMP] Introduced mORMot2 framework in Lazarus code.
[FIX] Fixed datetime conversion in the WAPT Console.
WAPT-2.0.0.9300 (2021-03-30)¶
hash: 018b8b57
This is the first release of the 2.0 series. After one year in development and more than 1600 commits it brings a bunch of new features and enhancements to the last major update of WAPT 1.8.2. On the technical side WAPT 2.0 now embeds Python3 and now supports 8 new platforms (some of them backported to 1.8.2).
The switch to Python3 may require minor adjustments to existing packages that may have been developed in-house (refer to the corresponding doc page). The packages offered by Tranquil IT through the WAPT Store are already compatible with WAPT 2.0.
From a sysadmin point of view¶
[NEW] ACLs.
[IMP] WAPT Server side ACLs in addition to certificate validation.
[IMP] User management interface with certificate listing.
WAPT Console:
[IMP] gui: change maturity directly from the WAPT Console.
[IMP] gui: all WAPT package types are grouped in one tab.
[IMP] helpers: build and upload locally development package from the WAPT Console.
[IMP] helpers: import default reporting queries from internet.
[IMP] helpers: restart the WAPT Agent and restart client computer from the WAPT Console.
[IMP] Package wizard: support for RPM/DEB/PKG/DMG.
[IMP] Remote repositories: status bar for progression of creation / update of sync.json for repo sync.
[IMP] Windows Updates: new search bar, view host with specific KB.
[IMP] Faster import and resigning of package, change of maturity, etc.
[IMP] waptmessage: better handling of user oriented notification.
[IMP] Better logging of WAPT Console actions and WAPT Agent activity.
Performance improvements for larger installations:
[IMP] Better handling of insert / update of inventory.
[IMP] Better handling of websocket updates.
[IMP] GLPI integration: synchronize WAPT inventory to GLPI server.
Better OS integration:
[IMP] TLS certificate handling: certifi uses local OS certificate store instead of Python certifi integrated certificate store.
[IMP] Increased the number of supported platform, improved packaging for Linux (deb and rpm) with support for a WAPT Agent running on arm64 and macOS BigSur 64bit.
Package development:
[IMP] Improved package wizard.
[IMP] Many small fixes and improvements to SetupHelpers and better support for Linux and macOS.
[IMP] Improve os targeting now you can specify targeted OS and specific version of OS : eg. Debian(>=9,<=10).
From a technical point of view¶
Python: switch from Python2.7 to Python3:
Linux: use of venv by default with distrib python 3 version.
Windows: switch python3 install to embedded edition 3.8.7.
Different installer for WinXP / WinVista / Win2k3r2 / win2k8 (nonr2) (recent CPython version does not support older Windows systems anymore).
Better handling of passwords with special chars.
Upgraded WAPT core libs and scripting environment.
Upgraded to Python3 and Python libraries, changed kerberos and websocket libraries.
Upgraded to Lazarus 3.0.10 and FPC 3.2.
Caveat¶
Support for non supported Windows version (WinXP, WinVista, Win2k8 (non-R2) and Win2k3) is still baking in the oven and should be ready shortly after the 2.0 release date.
RedHat8 and derivative distributions: for upgrade it is necessary to remove WAPT SELinux rules before using postconf again.