Changelog
WAPT-2.2 Series
WAPT-2.2.3.12485 (2022-12-16)
hash : 1724df7f
This is a bugfix release.
[FIX] Fixed fresh install issue on WAPTServer Windows installer
[FIX] Fixes waptexit freeze when in Discovery Edition (no licence registered) and the server is not accessible during WAPT Agent shutdown
WAPT-2.2.3.12481 (2022-11-30)
hash : ad3855c9
This is a security release with a few related bugfixes. All WAPT 2.0 versions below 2.2.3.12481 are affected.
Note : if you are using WAPTAgent deployment through GPO, don’t forget to update your waptdeploy binary in the GPO definition.
WAPT Core
[SEC] upgrade python from 3.8.13 to 3.8.15
[SEC] upgrade openssl from 1.1.1k to 1.1.1s
[SEC] upgrade agent kerberos lib from 1.19.3 to 1.20.1 (linux/mac)
[SEC] upgrade python modules with CVEs
pylint==2.12.2 -> 2.15.6
ujson==4.0.2 -> 5.5.0
waitress==2.0.0 -> 2.1.2
WAPT Agent
[SEC] waptdeploy.exe: use only the wapt_is1 install location from the registry to get the current WAPT install dir; don’t run wapt-get to check working condition.
[FIX] Add fallback method to get domain in get_hostname
[FIX] windows, replace « wapt-get.exe » --hide by « waptpythonw.exe wapt-get.py » to run session-setup because --hide does not actually hide the shell window
[FIX] wakeonlan relays
[REF] code cleanup for agent common.py. removed unused imports
[FIX] waptexit: fix only_priorities argument when starting waptexit from service.
[IMP] MacOS : update build script to handle binary file signing and better debugging
WAPT Console
[UPD] wads: include hostname in template ipxe debian linux
[IMP] waptconsole: don’t display empty confirmation messagebox
WAPT Server
[FIX] server postconf: force path when running psql command in postconf (linux)
WAPT-2.2.3.12463 (2022-09-29)
hash : fc306143
This release is mainly a bugfix release. The main new feature is tech-preview support for MacOS on Apple M1 architecture.
Note :
due to EOL and security issue, PostgreSQL database version has been updated on WAPT Server for Windows and Redhat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. Upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on Redhat7. Be sure to run the postconf.sh script after upgrade.
WAPT Server
[UPD] WAPT Server for Redhat7 / Centos7 : upgrade PostgreSQL version from 9.6 to 14.5
[UPD] WAPT Server for Windows : upgrade nginx to 1.22.0
[UPD] WAPT Server for Windows : upgrade vcredist to 2022
[UPD] WAPT Server for Windows : upgrade PostgreSQL version from 9.6 to 14.5
[FIX] WAPT Server for Windows : Fix icacls for migrate_pg_db
[FIX] WAPT Server for Windows : allow install and upgrade with any server admins (does not require to use the local Administrator with RID -500 for install)
[UPD] WAPT Server for Windows : waptserversetup: avoid automatic restart when installing msvc 2022
[FIX] fix upgrade procedure : migrate data text to jsonb only if table hostauditdata in data_type text
[FIX] patch create_default_users when upgrading from 1.8.2 to 2.2
[FIX] Fix unhandled redirections in TWaptServer wget
[FIX] Add RedirectMax parameter in WaptServer WGet
[UPD] added ubuntu 22.04 in waptagent bundle
[UPD] waptserver db: change primary of HostPackagesStatus, HostExtData, Packages, HostSoftwares, HostGroups, HostWebsocket, HostAuditData, ReportingSnapshots, HostWsus, LogsAPI to bigint
[FIX] postconf nginx: bad error string format
WAPT Console
[FIX] host config packages are not editable right after creating them.
[FIX] error editing same OU package in one session
[FIX] CleanupPackagesCache proper unlock even if no assigned package
[FIX] fix Access Violation at startup when no server is defined in inifile
[FIX] waptconsole: when deleting package in private repo page, package is still listed until console is restarted but actually deleted on server.
[FIX] waptconsole : random timeout error when running commands from waptconsole
WAPT Agent
[FIX] setuphelpers. reintroduce running_as_system for linux and mac (uid==0)
[FIX] start waptservice only if wapt-get.ini config exists
[FIX] add PYTHONNOUSERSITE=1 to all .sh scripts to avoid spoiling PYTHONPATH with locally installed lib in user home directory
[FIX] remove_file() was unable to remove symlinks
[FIX] reset properly Wapt core settings to default when reloading config from wapt-get.ini
[FIX] try to create a minimal wapt-get.ini file if it does not exist so that service can be started without any prior configuration.
[FIX] WAPT Agent for MacOS : use system_profiler_info for dmi_info on macosx for support for Apple m1 architecture
[FIX] WAPT Agent for MacOS : plistlib.readPlistFromBytes deprecation fix
[FIX] WAPT Agent for MacOS : core macos: use uuid from system_profiler_info instead of dmidecode
[FIX] WAPT Agent for MacOS : change postinst script for launchctl compatibility
[FIX] WAPT Agent for MacOS : macos core get_hostname return binary string instead of str -> update_status loop
[IMP] WAPT Agent for MacOS : rationalize pkg filename
WAPT-2.2.3.12454-rc2 (2022-09-26)
hash : 64bfc946
This is the second release candidate for WAPT 2.2.3.
The main new feature is tech-preview support for MacOS on Apple M1 architecture. Otherwise it is mainly a bugfix release.
Note :
due to EOL and security issue, PostgreSQL database version has been updated on WAPT Server for Windows and Redhat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. Upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on Redhat7. Be sure to run the postconf.sh script after upgrade.
Fixes since WAPT-2.2.3-rc1:
WAPT Server for Windows
[FIX] Fix icacls for migrate_pg_db
WAPT Agent
[FIX] start waptservice only if wapt-get.ini config exists
[FIX] add PYTHONNOUSERSITE=1 to all .sh scripts to avoid spoiling PYTHONPATH with locally installed lib in user home directory
[FIX] remove_file() was unable to remove symlinks
[FIX] waptconsole : fix AV at startup when no server is defined in inifile
WAPT Agent for MacOS
[FIX] use system_profiler_info for dmi_info on macosx for support for Apple m1 architecture
[FIX] plistlib.readPlistFromBytes deprecation fix
[FIX] core macos: use uuid from system_profiler_info instead of dmidecode
[FIX] change postinst script for launchctl compatibility
[FIX] macos core get_hostname return binary string instead of str -> update_status loop
[IMP] rationalize pkg filename
WAPT-2.2.3.12411-rc1 (2022-09-05)
hash : 29e18f23
This is mainly a bugfix release.
Note :
due to EOL and security issue, PostgreSQL database version has been updated on WAPT Server for Windows and Redhat7 from version PostgreSQL 9.6.24 to PostgreSQL 14.5. Upgrade will be automatic on Windows during waptserversetup.exe install, and is done during postconf.sh run on Redhat7. Be sure to run the postconf.sh script after upgrade.
WAPT Server
[UPD] WAPT Server for Redhat7 / Centos7 : upgrade PostgreSQL version from 9.6 to 14.5
[UPD] WAPT Server for Windows : upgrade nginx to 1.22.0
[UPD] WAPT Server for Windows : upgrade vcredist to 2022
[UPD] WAPT Server for Windows : upgrade PostgreSQL version from 9.6 to 14.5
[FIX] WAPT Server for Windows : allow install and upgrade with any server admins (does not require to use the local Administrator with RID -500 for install)
[UPD] WAPT Server for Windows : waptserversetup: avoid automatic restart when installing msvc 2022
[FIX] fix upgrade procedure : migrate data text to jsonb only if table hostauditdata in data_type text
[FIX] patch create_default_users when upgrading from 1.8.2 to 2.2
[FIX] Fix unhandled redirections in TWaptServer wget
[FIX] Add RedirectMax parameter in WaptServer WGet
[UPD] added ubuntu 22.04 in waptagent bundle
WAPT Console
[FIX] host config packages are not editable right after creating them.
[FIX] error editing same OU package in one session
[FIX] CleanupPackagesCache proper unlock even if no assigned package
WAPT Agent
[FIX] setuphelpers. reintroduce running_as_system for linux and mac (uid==0)
WAPT-2.2.2.12388 (2022-07-22)
hash : 10e35aa7
This is mainly a bugfix release.
Note :
there is a change in the way the wapt->glpi sync is working, please refer to documentation for upgrade
Tech preview : new multiserver console support (connect to multiple wapt server using one console)
added support for ubuntu 22.04 amd64
def update_package() function can now be located in a separate update_package.py file. New packages from the wapt store will use this format to make setup.py more readable. Older wapt versions are not impacted for package import and package install, but may be impacted if one wants to update directly from waptconsole using the update_package script.
WAPT Deployment Server (WADS)
[NEW] injecting oem key by slmgr command
[FIX] fix tftpserver window size handling (bug on Dell uefi bios)
[FIX] allow djoin with machine in default container CN=computers
[FIX] improve error message when using standard user on MS AD for djoin.exe when >10 machine quota join has been reached
[FIX] allow saving / renaming bundle names and check for empty names
[IMP] add ACL on WADS (before it needed admin level ACL)
[NEW] add post_install script windows
[NEW] add ignore_ipxescript and move conf file and ipxescript
[NEW] Basic Linux OS Deploy support : add Debian ipxe script template
[NEW] add {{server_url}} {{secondary_repo}} and {{hostname}} in get_wads_config
[NEW] add mustache templating in ipxescript
[FIX] waptconsole uploadWinPE : fix regression in upload progress bar and incomplete zip.
[FIX] add a progression form when uploading ISO and winpe
[IMP] add wapttftpserver service shutdown in upgrade sequence (through net stop, not only taskkill)
[IMP] add tftp firewalld port opening on Redhat
WAPT Console
[NEW] techpreview : waptconsole reporting multiservers
[FIX] check that downloaded waptsetup version is same or newer than server
[NEW] download from wapt.tranquil.it and upload on local waptserver agents for Linux and macOS directly from the console
[NEW] Add a popup menu copy to clipboard as json for audit data.
[NEW] displays audit history audit data explorer (treeview + html template) + allow drag/drop of a audit json value subkey from value tree explorer
[IMP] waptwua : update waptwua status to “NEED-SCAN” on hosts when download_wsusscan is triggered and wsusscn2.cab file is downloaded
[IMP] package import : Don’t take care anymore of maturity for version when it’s compared to store version
[FIX] add licence validity check tolerance +1 day
[FIX] trigger downloads when triggering updates from console
[FIX] allow ~ in package names (for spaces in Org units packages)
[UPD] icons on windows update status for WUA
[NEW] new option check_package_version in waptconsole.ini
[FIX] Fix saving empty value in Editor for packages
[UPD] waptconsole reporting: add a quick search filtering zone for the query result
[FIX] Wrong message when no admin rights and waptagent need upgrade or not present
[UPD] When going outside modified rules. A popup will ask to save or not the rules. #4568
[UPD] Delete host popup
[NEW] add feature to download packages when asking hosts for update
[UPD] trigger_host_update adding possibility to download the package after update
[FIX] Saving language param
[UPD] add a NEED-SCAN waptwua.status, updated when Wapt.update() is called.
[FIX] fix layout on Windows Update part
[NEW] waptconsole: multiserver: manage packages repositories by server
[FIX] waptconsole: re-enable dataexport to csv for grids
[NEW] Explicit hint on number version when the package is not up to date (GridPackages)
[UPD] waptconsole: improved drag drop of columns into GridHosts
[NEW] waptconsole: new Htmlviewer for audit data. Popup menu
waptconsole : Html auditdataview template filename (wapttemplates) calculated from section and key, or section
[FIX] waptconsole drag/drop audit values
[IMP] waptconsole: Load AD Groups in thread
[FIX] waptserver: improved message when triggering action
WAPT Server
[FIX] glpi sync: simplified glpi_upload_hosts.py script.
[NEW] techpreview waptserver: endpoint update_hosts_audit_data to bulk insert hosts related data (for third party data integration)
[NEW] add multiserver endpoint for multiserver console
[FIX] waptserver update_audit_data fix on_conflicts for value_id
[IMP] waptserversetup: take in account wapt_folder parameter in waptserver.ini when upgrading a setup.
[IMP] use utc time for acls expiration check
[FIX] waptserver unable to delete some hosts when CRL is enabled
[IMP] waptserver db install: try to register jsquery extension to make json query more powerful for reporting. (but this is not yet mandatory)
[IMP] rename waptsetup-tis.exe to waptsetup.exe on server
[IMP] include waptsetup.exe in waptserversetup.exe on windows
[IMP] Download from TIS / upload to wapt server of agent installation packages
[UPD] create a full version 1.2.3.rev-hash into file wapt/version-full
[IMP] add HSTS header to nginx template
[DEL] Remove direct integration of GLPI sync into WAPT. Now switched to plugin sync
[FIX] added trigger_host_action ACL on /api/v3/connected_wol_relays (used by /api/v3/trigger_wakeonlan)
[IMP] force calc_md5 if new filename in server
[IMP] improve websockets performance and reliability. Now websocket ids are stored in memory instead being written in the database
WAPT Agent
[FIX] fix threading exception in WAPTExit and WAPTTray that could prevent status updates
[NEW] WAPTWUA superseded support. option include_potentially_superseded_updates in config wizard
[NEW] Add snap software inventory
[FIX] waptmessage unable to load sqlite on Linux and macOS
[FIX] custom waptmessage logo linux
[FIX] waptservice configuration: set the configs_dir relative to wapt-get.ini full path.
[FIX] waptservice “start_waptexit” with arguments
[FIX] bad arguments sent to waptservice triggering upgrades with “only_priorities” and “only_if_not_process_running”
[FIX] Wapt.write_audit_data_if_changed: write data if previous data has expired.
[IMP] wapt-get add-config-from-url: provide a meaningful message when hash is not provided
[FIX] update template of dynamic json config packages to match new location and naming of json config related functions.
[IMP] improve dynamic configuration handling for agent
[FIX] waptservice: ensure a random secret_key for local waptservice session
[FIX] wapt-get update-package-sources : handle properly relative path to package sources.
[IMP] wapt-get edit now open changelog.txt, VSCod* now open control file too
[UPD] change default log path to wapt/log if writable.
[IMP] waptservice waptself: localauth with file token (ie. nopassword). Handle local groups
[NEW] use --not-interactive with register if install run in silent mode and not run update if install service
[IMP] waptself, wapt-get, waptexit, wapttray: kill check threads on close, even on linux to speed up application shutdown.
[FIX] linux : waptservice restart Linux: AttributeError: “WaptServiceRestart” object has no attribute “logger”
[IMP] macOS : normalize macos wapt install package name format
[FIX] macOS : fix registration failing in some cases
[IMP] macOS : add mpkg support
[FIX] no hash in clipboard, added missing helper for add-config-from-url in wapt-get
[IMP] limit access right to admins to log directory (in case non public stuff get written to log)
WAPT Core
[IMP] patch with_md5sum in make_package_filename
[IMP] add options for update-package-sources
[UPD] wapt core : use datetime in UTC for audit_data
[NEW] wapt core: allow usage of an environment variable « waptbasedir » to specify the location of root waptbasedir
[FIX] configuration package template setup_package_template_conf.py
[IMP] support for def update_package in file update_package.py instead of setup.py for better readability
[UPG] upgrade openssl to 1.1.1o
[NEW] core: define path Wapt.configs_dir relative to Wapt.config_filename if the dir Wapt.config_filename..conf.f exists
[FIX] waptcrypto: cert filename attribute not set when loading a cert chain
[FIX] new option copytree2 replace_at_next_reboot
[FIX] Avoid errors on get_version_from_binary() getting params
[FIX] fix keyword and name with installed_softwares in macos and linux
WAPT-2.2.1.11957 (2022-06-02)
WAPT Deployment Server (WADS)
[FIX] fix wapttftpserver restart on linux
[IMP] added xml for windows 11
[FIX] if verify_cert empty so verify_cert=0
WAPT Console
[FIX] CheckLicence => licence is now valid one day before the real beginning
WAPT Agents
[FIX] fix harakiri on linux
WAPT-2.2.1.11949 (2022-05-18)
hash : 1b2dfbee
This is a bugfix release
WAPT Deployment Server (WADS)
[FIX] waptconsole: use ROOT in addition to CA windows system certificates stores when building winpe with verify_cert=1
[FIX] fix selinux rules for WADS
[FIX] fix non ascii character support in passwords
[IMP] wgetwads: add more logging data (wget). Disable exe signature certificate as this could be blocking if CRL can not be checked in winpe environment for example
[UPD] add a timer to wait for network in WADS
[UPD] Update openssl to 1.1.1n for WADS
Other fixes
[FIX] fix wrong GPO link on waptserver start page
[FIX] fix some translation messages in console
[FIX] wrong element order in message in ACL GUI
[FIX] allow change password if user password has been cleared
[UPD] update mormot2 for bug in TSynDictionary.AddOrUpdate()
[UPD] update mormot statics for sqlite to 3.38.5 (required for mormot compatibility)
WAPT-2.2.1.11932 (2022-05-05)
hash : 6522dccb
This is a bugfix release.
WAPT Deployment Server (WADS)
[FIX] wapttftpserver : better handling of UEFI PXE/TFTP boot
[FIX] wads now include non CA certificates for winpe build
[FIX] Not adding « cn » in OU
[FIX] wapttftpserver : add firewalld rule on redhat based server for wapttftpserver
[FIX] WADS : improve feed back on upload WinPE
[FIX] wapttftpserver : kill wapttftpserver and uninstall service before installing it
[IMP] waptserversetup: add wapttftpserver configuration for windows
WAPT Server
[FIX] fix typo for rocky support as server
[FIX] waptservice websocket reconnection: disable by default low level reconnect feature
WAPT Console
[FIX] fix bad port configuration for veyon remote assistance support
[FIX] Define default package prefix when creating empty package
[FIX] patch setup_package_template_cert.py.tmpl
[FIX] waptconsole: fix access violation when access to external repo is blocked or need a proxy.
[IMP] package version in bold red if obsolete version compared to external repo for better accessibility
WAPT Agent
[FIX] waptservice websocket reconnection: disable by default low level reconnect feature
[FIX] add conf.d to rpm agent installers for the new agent configuration management
[FIX] macOS: fix get_file_type in macos
[IMP] macOS: silently attach dmg file
[IMP] waptwua : improve consistency between WUA history and WUA status
[FIX] waptself: bad char case for png file (issue for linux)
[IMP] add dummy running_on_ac for linux and mac for compatibility
[FIX] waptutils.user_config_directory() did not work under system account.
WAPT Core
[IMP] mormot2 static: add 3.38.2 hash
[IMP] sync htmlviewer with latest github commits from https://github.com/BerndGabriel/HtmlViewer/tree/master
[IMP] waptguihelper: improved the design for InputDialog form
WAPT-2.2.1.11899 (2022-04-06)
hash : 2d82654e
This is mainly a bugfix release. A new tftpserver has been introduced and it will ease WADS installation and configuration as it will be directly integrated into WAPT.
WAPT Deployment Server (WADS)
[NEW] add a wapttftpserver binary on windows and linux to act as a tftp server for WADS
[FIX] WADS : don’t use redirect
[FIX] WADS : be tolerant if sendstatus can not be sent.
[IMP] WADS : handle https for drivers (continued)
[UPD] wads : get windows system certificates for WADS server bundle
[UPD] implement https verifyCert in wads and wgetwads
[IMP] add serial_number arg when calling server get_wads_config in wads
[UPD] waptconsole wads: add audit columns (created/updated) in grids.
[NEW] Add an action to prepare a host package in WADS OS Deploy grid
[NEW] wgetwads : use code signing cert of TIS to check signature of json hashes file if no signer_certificate in json file
WAPT Console
[UPD] OU « All » fixed to not editable on GridOrgUnits
[FIX] waptconsole: wrong client https key password used for task polling thread.
[FIX] waptwua packages : ALLOWED status in winupdates grid is kept between form display.
[FIX] Package creation did not take silent flags in account
[FIX] memory leak when refreshing packages list
[FIX] waptconsole packages list: Showing all versions when « Last version only » is not checked
[FIX] « property not found » in some grids when refreshing data.
[FIX] running plugins on multiple hosts.
[FIX] taking in account the platform when looking for TIS store package version
[FIX] nested progress notifications in uwaptserverconnection TWaptServer
[FIX] Disabled pysources check at waptconsole startup.
[FIX] external repo ini settings dialog when importing.
[FIX] waptconsole. some ui elements are not disabled when switching to discovery on login.
WAPT Server
[NEW] add support for postgresql 14 on centos7
[UPD] wapt windows server: update to nginx 1.20.2
[IMP] server postinstall : put nginx backups in a different dir than nginx config
[FIX] waptserver: fix empty error message when trying to activate an existing licence
WAPT Agent
[NEW] added new waptguihelpers : grid_dialog, filename_dialog, input_dialog, combo_dialog
[FIX] waptdeploy multiple setupargs raise « Invalid variant operation »
[FIX] missing root certificates when exporting system store certificates in lazarus app (GetSystemCABundlePath). Must trust CA + ROOT stores
[FIX] setuphelpers: regression in maintaining backward compatibility for some const which are functions too (programfiles etc..)
[FIX] be tolerant if uuid can not be regenerated (on linux, dmidecode can’t be run as normal user in session-setup)
[FIX] fix wget waptdeploy.exe waptagent.exe in wads and detect mismatch drivers config
[FIX] waptagent regression : Revert « [UPD] waptservice : tasks don’t notify server by default to avoid too frequent updates of database. »
[FIX] wapt-get : try to fix get service password on unix.
[NEW] splitting remove_appx() with new function remove_user_appx() to avoid unexpected behavior
[NEW] Add restart-waptservice action in wapt-get.py
[FIX] fix publisher and version in installed_softwares macos
[FIX] use waptservice to check if is_enterprise in waptexit (avoid direct access to local waptdb) (fix unable to access sqlite db on linux / mac)
WAPT to GLPI connector
[FIX] glpi fix install_date
[FIX] regression in glpi export (Softwares)
WAPT-2.2.0.11720 (2022-03-15)¶
hash : 8e07f388
This is the first release of the 2.2 series of WAPT.
WAPT Core
[NEW] Discovery mode for the WAPT Console
when checking acls, the licencing status is taken in account to enable or not actions.
maximum number of 300 managed hosts in discovery mode.
WAPT Deployment Server (WADS)
[NEW] tech preview Automated Windows OS deployment called WADS :
Using a winpe image (network boot or usb key boot).
Shipping wimboot, ipxe.efi, undionly.kpxe, 7z.dll.
Added openssl win64 binaries for WADS
Added wads.exe and wgetads custom binaries in distribution.
Added WADS repo option in repo rules.
Added a WAPT Console page to list raw registered hosts, upload winpe images, define default config, upload drivers bundles.
On WAPT Server: added /var/www/wads/, add a non protected /wads in nginx config.
WAPT Console
[NEW] add columns in private repo to display newest software version (Tranquil IT effort to parse softwares providers download sites) and newest package version (from Tranquil IT store database).
[NEW] Dynamic Agent configuration using .json files stored on the WAPT Server:
Added a last_update_config_fingerprint local param to keep track of current config.
Added “configurations” (merged config overview) data when uploading host status to the WAPT Server.
[NEW] Dynamic Agent configuration using config packages:
Added templates/setup_package_template_conf.py.tmpl package template.
Added a wapt/conf.d directory on the WAPT Agent to hold the installed .json configuration files.
[NEW] New in the WAPT Console: added option to show the host WAPT Agent configurations overview.
[NEW] New in the WAPT Console: option to display a graph of host packages dependencies.
[NEW] New in the WAPT Console reporting: tabbed interface to displays multiple query results.
[NEW] New in the WAPT Console: option to filter host inventory based on the result of a SQL query:
In reporting, right click on a column which represents a host UUID and « choose as Host UUID » and save.
The query is then available in the combobox « Filter hosts on SQL query » in hosts inventory.
[NEW] New in the WAPT Console: add a Tech preview Tab for packages development workflow:
Create from template;
Displays waptdev directory sources package status;
Basic git commands.
[IMP] Improved the WAPT Console send message : enable use of HTML (copy & paste). HTML Preview.
[IMP] Do not clear selection on mouse right-click when selecting package names in package edits.
[IMP] refactored the WAPT Console code to remove most python calls:
removed waptdevutils.py, removed calls to WaptRemoteRepo, replaced by pure fpc code.
[UPD] Updated the WAPT Console: merged selected hosts add/remove depends, add/remove conflicts in a single action/form
[UPD] Updated the WAPT Console update package source: add a checkbox to enable package version increment.
[UPD] Updated the WAPT Console “plugins” config: warn user if not saved.
[UPD] Updated the WAPT Console: removed obsolete Add ADS Groups to selected host action.
[UPD] Updated the WAPT Console action Refresh Host Inventory triggers a update_server_status instead of a full computer register.
[UPD] Updated the WAPT Console: host additional tools (rdp, vnc, etc) which requires to look for a connected IP are now run in a thread to avoid freezing the UI.
[UPD] Start of use of mormot2 for X509 and RSA crypto instead of python bindings in the WAPT Console
[FIX] waptconsole : store executable signature with new key name format (xxx.exe keys)
[FIX] duplicated panels in initial configuration package wizard.
WAPT Self-Service
[IMP] waptself: add logger.
WAPT Server
[IMP] Improved the WAPT Server authentication: try ldap authentication only if ldap_auth_server is defined.
[UPD] Updated the WAPT Server licencing: use waptlicences.pyd instead of pure python code.
[UPD] Updated the WAPT Server: add config options wads_folder and agent_folder.
[UPD] Updated the WAPT Server: improve GLPI export, add “smodel” on GLPI exports and add “monitors”.
[IMP] force en_US.utf8 locale for linux services.
[IMP] add /api/v3/latest_installed_package_version.
[UPD] upgraded jquery to v3.6.0.
WAPT Service
[NEW] Added /opt/wapt/wapt-get.bin to linux distributions.
[NEW] New in the WAPT service: added a WaptUnregisterComputer task and unregister_computer socketio action.
[IMP] Improved the WAPT service: improved logger.
[IMP] Improved the WAPT service and the WAPT Agent take into account the licencing status:
Added a licences local params to store the current registered licences retrieved from the WAPT Server during the last update.
[UPD] waptcrypto.py: made optional the joining of signer certificate when signing claims.
[UPD] Updated the WAPT Deployment utility: increased timeout from 4s to 15s when pinging the current http WAPT service.
[UPD] Upgraded dmidecode to v3.3 on windows.
[UPD] Updated the WAPT service: do not check battery level for WaptAuditPackage task.
[REF] Installers : merged wapt.iss and common.iss.
[FIX] wapttasks: took in account non default config filename.
[FIX] Fixed the WAPT service: reporting properly the user which created a task (either locally or using websockets).
[FIX] Fixed the WAPT service: fixed icons in package local webpage.
wapt-get
[IMP] wapt-get new config actions. Added actions:
add-config-from-file;
add-config-from-base64;
add-config-from-url;
with parameters:
--not-interactive : Disables dialog to ask credential users (for batch mode);
--waptbasedir : Forces a different wapt-base-dir than the default dir of waptutils.py;
--devmode : Enables devmode. dbpath is set to memory and certificate/key paths are in userappdata;
--json-config-name : The name of the .json file given with the action json-config-from-file/base64/url;
--json-config-priority : The priority of the json file given with the action json-config-from-file/base64/url.
[UPD] Removed update-packages action synonym for scan-packages.
[IMP] wapt-get added update-status action in service mode wapt-get -S update-status.
[IMP] Enabled --CAKeyFilename and --CACertFilename wapt-get options
[IMP] Added logger for waptguihelper pyd module. if --loglevel=debug in commandline, logger is activated.
[IMP] Reporting the use_repo_rules flag to the WAPT Server in wapt_status
Report is_enterprise flag to the WAPT Server
Report installed antivirus and monitors in host inventory
[IMP] Audit loop granularity based on actual installed packages:
Added get_next_audit_datetime() on Wapt class.
waptaudit_task_period attribute is now in the Wapt class instead of the WAPT service.
[UPD] Removed the not functional --dry-run wapt-get option.
[IMP] Improved register computer fallback from kerberos to password based authentication:
Do not send audit data when registering to limit workload.
[IMP] Try registering computer if update_server_status fails because of authentication.
[IMP] waptpython.exe, waptpythonw.exe, and nssm.exe are now signed with Tranquil code signing key.
[NEW] added pylint and black modules. Added black configuration to vscode project template.
[NEW] Added setuphelpers.getscreens.
[IMP] Improved SetupHelpers unzip : new extract_with_full_paths argument (default True).
[NEW] New SetupHelpers listening_sockets().
[IMP] Added templates/setup_package_template_portable_exe.py.tmpl and templates/setup_package_template_portable_zip.py.tmpl package templates.
Other stuff
[IMP] Added windows_version_prettyname and windows_version_releaseid in host_info.
[IMP] Always use RunAsAdminWait to copy package certificate to the local WAPT service waptssl directory.
[IMP] Improved the WAPT Console config: stores WAPT Server certificate in AppUser folder (roamingwaptconsolesslserver).
[IMP] Reset TLS client key password in the WAPT Console config if connection error.
[UPD] Retire python GetPrivateKeyPath, raise exception if GetPrivateKey does not succeed.
[FIX] Clear cached TLS client key password when validating the WAPT Console config dialog.
[IMP] Improve GLPI settings windows.
[IMP] Clean up the html error page from the WAPT Server when checking the WAPT Server and WAPT repository URL.
[FIX] Don’t reenter the private key password dialog if already asking the user. This issue can be triggered if several threads are using a key, or if cooperative multitasking like TAction messages (OnUpdate) triggers a Get with client side certificate authentication.
[SEC] Fix dhparam on the WAPT Server postconf.
[FIX] Fix failover on file version with remove_outdated_binaries().
[IMP] Add asset_tag to sysinfo api.
[FIX] Get_antivirus_info : test if timestamp attribute exists.
[IMP] New getscreens function.
[IMP] Added columns uuid manufacturer and product serialnumber in database.
[UPD] Added mac_addresses to LocalSysinfo.
[UPD] Expanded LocalSysinfo with uuid, serial_number and sku_number, fixed keys with underscore.
[IMP] Improved matching of reachable IPs of client using new GetReachableIP from mormot2.
[UPD] GetReachableIP: connection tests are performed in parallel using mormot GetReachableAddr instead of one after the other to reduce delay when launching IP based command to remote hosts from the WAPT Console.
[FIX] Take --config option in account for wapt-get fpc code.
[UPD] waptcrypto: implemented TX509Certificate.CN, removed TX509Certificate.DN.
[UPD] Updated SetupHelpers need_install: now comparing software versions with 4 members. Assumes that 1.2 == 1.2.0.0 and 1.2.3.4.5 == 1.2.3.4, remove_previous_version: use version with 4 members.
WAPT-2.1 Serie¶
WAPT-2.1.2.10652 (2022-01-10)¶
hash : 7dd63b61
[UPD] shorten the default package filename. If target_os is alnum, do not include md5sum in the filename. If target_os is in tags, do not duplicate it in filename
[FIX] disable debug data for linux
[FIX] try to circumvent issue with Trend antivirus blocking the WaptTaskManager. Looks like the issue is with platform.win32_ver using win32api.GetVersionEx…
[FIX] Installed softwares invalid conditions
[FIX] fix local_user and local_group on macOS
[FIX] removed workaround on 60s delay for websocket disconnect
[FIX] use CompressGZip instead of CompressZLib on the WAPT Server, compression is GZip
[FIX] Allow “~” in package filenames
[FIX] try to not update records in database if data has not changed
[FIX] Wake on lan relay now equals is remote repository, close #2940
[FIX] fix group members
[FIX] return only local and user group (ignore nsswitch)
[FIX] backported the WAPT Exit utility (improved detailed logging) from 2.2
[FIX] backport waptlicences py module from 2.2
[SEC] check that hostname matches https certificate in the WAPT Console http client.
[FIX] backport uwaptlicencing: allow empty json licencing data
[FIX] fix WaptHttpPostData
[FIX] check valid uri in wapthttputils waptwget WaptWget_Try
[FIX] init LastModifiedDate to “” if not found in THttpResponse
[FIX] add a 50ms report delay for httpprogressnotification
isolate wapt python engine: PyFlags:= [pfNoUserSiteDirectory, pfIsolatedFlag];
[FIX] Fixed SetupHelpers: backported changes from 2.2 is_linux64 type_rhel fix installed_softwares for type_redhat upd uninstall_apt with autoremove
[FIX] user_appdata = user_local_appdata for unix
[IMP] introduced get_powershell_str, get_default_app remove_appx
[IMP] introduce InitLogger for the WAPT Exit utility
[FIX] Fixed the WAPT Console: generalize the use of a fallback package_uuid in case of old packages without package_uuid field.
[FIX] Fixed the WAPT Console: use editable dropdown in frmpackagedetails for maturity
[FIX] backport issue with inc version of some group packages when importing
[FIX] Disable client side ssl authentication on root WAPT Server url (regression)
[FIX] isolate from user python env when building binary packages
[UPD] improved feedback message for license activation on the WAPT Server.
[UPD] wapt-scanpackages.py: add option -d to disable update of database Packages table.
[FIX] The -b switch is True by default, so there was no way to disable update of database table.
[UPD] Updated the WAPT Console: be tolerant for old package without package_uuid
[UPD] strip ending slash in {{data.wapt.hostname}} server template properties to avoid double slashes in templates result
[UPD] backport openssl build parameter from 2.2
[FIX] Fixed the WAPT Agent url link in the WAPT Server index page.
[FIX] setproctitle only for unix
[FIX] locate packages in host packages grid using package_uuid instead of id, so that refreshing grid works properly with a multiselection of hosts.
[UPG][SEC] upgrade python version from 3.8.11 to 3.8.12
[FIX] remove python3 dependency. Now python3 is included in wapt
WAPT-2.1.2.10605 (2021-11-30)¶
hash : e2a0e2a0
[FIX] Fixed the WAPT Console: backport edit multiple hosts add/remove depends/conflicts (issue « no password available yet » when kerberos enabled); backport IpExecute from 2.2
[FIX] unable to edit stripped down package with integrated package editor (setup.py file hash issue); update package size
[FIX] bad path for nginx dhparam for Windows server
[FIX] upgrade mormot2
[FIX] waptself local admin NOPASSWORD setting did not work anymore; log authentication user when task is triggered from local wapt webservice; do not raise exception in check_auth_groups but return (None, None) instead to avoid Error 500 in browser; backport fix for integer attributes in packages index; backport fix for loading ssl libraries
[FIX] Update wake on lan with broadcasts
[FIX] Error « Add: Unexpected [%] object property in an array » for old package with empty package uuid
[FIX] Acl handle boolean as global ACL
[FIX][SEC] issue with acls : action is enabled when acl is set to json false
WAPT-2.1.2.10588-rc1 (2021-11-22)¶
hash : e70d9039
[FIX] fix installed_softwares for older debian and improve inventory performance
[FIX] fix glpi inventory failure (exception on int conversion)
[SEC] [FIX] invalid condition on package hash check
[SEC] [FIX] cleanup nginx config templates
[NEW] add uwsgi support for Debian server
[FIX] add user information in audit
[FIX] Improve lazarus ini parser to support other values than “1”/”0” as boolean values (True, true, 1, 01, etc. same behavior as python iniparse)
[IMP] support for message previsualisation and templates in waptmessage editor and better multiline support
[UPD] waptsetup : do not use kerberos by default
[NEW] show certificate when double click in acl tab
[IMP] Do not propose to start the WAPT Console after install (due to different user context)
WAPT-2.1.1.10568 (2021-11-08)¶
hash : 978c00ae
This is a bugfix version with some small improvements. The main fix is for websocket issue.
[IMP] Prevent multiple websockets connections from same host uuid on the WAPT Server (bugged wapt clients can maintain multiple websockets, which leads to a lack of available connections on the WAPT Server)
[FIX] Fixed restart of the WAPT service with exit code 10 (managed by the nssm service manager)
[FIX] Fixed case on the WAPT service where different threads access simultaneously to a shared Wapt instance
[IMP] Introduced some randomness when the WAPT service reconnects its websocket.
[IMP] Checking more cases to determine if token for websocket has to be updated.
[IMP] Introduced a wait in the socket client until it is actually disconnected before trying to reconnect to avoid multiple websocket threads from same client.
[IMP] Do not re-create a new SocketIOClient at each reconnection, but reuse existing one to minimize risk of multiple connections.
[FIX] Do not consider “%” char as unsafe in filenames
[IMP] Improved logging of the WAPT service (logger wapttasks report main actions triggered by the service in waptlogwaptservice.log). Removed “flask.app” logger config.
[IMP] Remove the WAPT package’s persistent directory on the WAPT client when a WAPT package is forgotten
[IMP] Added ignore_empty_names argument to SetupHelpers.installed_softwares
[IMP] Improved display of package_uuid with command wapt-get list
[IMP] Added redhat_based tag for WAPT package operating system tags
[FIX] Fixed decrypt_fernet / fernet_encrypt functions
[IMP] Improved the reporting of key as name in softwares inventory for softwares without a descriptive name
[FIX] The server_uuid column in hosts database updates properly.
[FIX] Fixed the removal of packages when only_if_not_process_running=True.
Known issues:
When the websocket is reconnecting, if the IP address has changed, the main IP address is not updated in IP address column in the WAPT Console.
WAPT-2.1.0.10550 (2021-10-08)¶
hash : 953c9552
This is a bugfix version with some small improvements.
[FIX] Fixed mass add / remove on multiple host at once.
[FIX] Fixed issue when editing a package without a « description_en » attribute in control file.
[FIX] Fixed drag drop when editing selfservice package.
[IMP] Improved feedback when uploading WAPT packages.
[IMP] Improved handling of the list of wakeonlan relay.
[IMP] A remote repository is now a wakeonlan relay by default.
[FIX] Fixed access violation error when viewing certificate list.
[FIX] Fixed do not enable verbose logging by default on the WAPT Console, the WAPT Exit utility and waptselfservice (might fill up %APPDATA% …).
[FIX] Fixed use templates/wapt-logo.png in the WAPT Exit utility if it exists.
[IMP] Improved login error message.
WAPT-2.1.0.10517 (2021-09-30)¶
hash : fa2af298
This is the first release of the 2.1 branch. It is mainly an incremental improvement with many small but worthy fixes on the 2.0 branch.
The WAPT service
[IMP] During upgrade, wapt-get session_setup is not run if no userspace configuration is defined for the installed WAPT packages.
The WAPT Deployment utility
[IMP] Improved automatic proxy detection and configuration possible with the new --http_proxy=True/False parameter or explicit url command line parameter.
[IMP] Disabled https verification when downloading waptagent.exe if a fingerprint is provided (allows installation on an out-of-date computer with an expired certificate store).
[IMP] Do nothing if no --waptsetupurl argument is provided (it reduces the probability of false positive on antivirus check).
[IMP] Double check WAPT installed version after install and report error message if it does not match (allow detection of installation that have been blocked by a misconfigured antivirus for example).
The WAPT Console
[NEW] tech preview: new tab to provide basic package editing functionality directly in the WAPT Console without having to open Pyscripter or VSCode.
[NEW] New tech preview: new tab to browse the development directory directly from the WAPT console.
[NEW] Single Sign On with Kerberos authentication (if service_auth_type=waptserver-ldap and use_kerberos=True).
[NEW] New button to display WAPT packages that have a specific WAPT package as a dependency in the private repository tab.
[NEW] New message box to decrypt message sent by the WAPT Agents (using encrypted_data_str / print_encrypted_data in waptcrypto). This allows an admin to upload sensitive information from desktop that will be asymmetrically signed by the Administrator’s public key.
[NEW] New set of icons and many small visual improvements.
[NEW] New software inventory tab to display installed software (not packages) and see which hosts have that specific software.
[NEW] New button to delete Windows Update KB files that are not used anymore by any computers. This allows to keep the Windows Update storage volume under control.
[NEW] New tab to have a user-friendly display of the certificates that are deployed on a specific host.
[NEW] New tab to display the certificates that are available on a WAPT repository.
[NEW] New warning icons on the hosts tab when the computer needs a restart (after a windows update for example).
[NEW] New filter by OS option.
[NEW] New icons in the OU tree view if a OU package exists for that Organizational Unit.
[NEW] New information message about the choice of maturity when creating new WAPT Agent and by default uploading in DEV maturity (to avoid being directly deployed to all client computers, this allows testing the new WAPT Agent on a subset of computers before full scale deployment).
[IMP] Made GLPI export configuration more intuitive.
[IMP] Improved the WAPT Console plugin versatility. All inventory attributes can now be used in command lines (it uses the « mustache » template syntax, eg. {{ main_ip }} {{ computer_fqdn }} {{ host_capabilities.os_version }} « {{#host_capabilities.tags}}{{.}},{{/host_capabilities.tags}} » etc.).
[IMP] Allow non standard port in the WAPT Console configuration.
waptself
[NEW] allow custom logo in waptselfservice
[NEW] Single Sign On using Kerberos (needs service_auth_type=waptserver-ldap and use_kerberos=True)
[IMP] allow customisation of package details view using template engine
WAPT Exit utility
[IMP] allow custom logo (on Windows, Linux and macOS)
wapt-get
[NEW] better handling of licence information. Now the licence is uploaded on the WAPT Server and it is not necessary to install it on every admin WAPT Console computer
[IMP] propagate ExitCode from Python calls for better error handling
[IMP] better handling of websocket reconnection (check of socket status every 120s)
[IMP] periodic check of the UUID and the current certificate of the WAPT Agent for consistency between the WAPT Agent and the client computer
[NEW] waptsetup and waptserversetup new parameters: set_verify_cert and set_kerberos
WAPT-2.0 Serie¶
WAPT-2.0.0.9470 (2021-10-07)¶
hash : 5065cb57
This is a security release with a few related bugfixes. All WAPT 2.0 versions below 2.0.0.9467 are affected.
[SEC] fix for vuln in urllib3 CVE-2021-33503 (CVSS Score: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
[SEC] Sanitize filename used when downloading files on local client. (CVSS Score : 7.5 High, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C). Enforced on wget and local filenames for downloaded packages (chars “\” “..” @ | ( ) : / , [ ] < > * ? ; ` n are removed or replaced).
[SEC] Do not use PackageEntry filename attribute to build target package filename as it is not signed.
[UPD] wapt-get remove: reraise exception if there is an exception in uninstall script; return traceback in “errors” key; return code 3 if there are errors when removing packages in wapt-get remove.
[FIX] handles wildcards in certificates in the WAPT Console config and create waptsetup update UI in external repositories config when setting CA bundle.
[FIX] use PackageEntry.localpath only for local status of a package.
[UPD] split PackageEntry non_control_attributes into repo_attributes and local_attributes. local_attributes are not put into Packages index as they are not relevant for remote access.
[UPD] update python modules requirements following urllib3 upgrade: idna==3.2 (from 2.10), certifi==2021.5.30 (from 2020.12.5), requests==2.26.0 (from 2.25), urllib3==1.26.6 (from 1.26.5)
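The filename sanitization listed in this release, sketched as an added example (this is not WAPT's own code). It assumes each listed character is replaced with an underscore, reads the garbled "` n" in the entry as backtick and newline, and uses the hypothetical helper names sanitize_filename and safe_target_path.

```python
import os

# Characters the changelog entry lists as "removed or replaced".
# Assumption: the garbled "` n" in the entry means backtick and newline.
UNSAFE_CHARS = frozenset('\\@|():/,[]<>*?;`\n')


def sanitize_filename(name, replacement="_"):
    """Neutralise an untrusted filename before using it on the local disk.

    Hypothetical helper, not WAPT's implementation. "~" and "%" pass
    through, matching the changelog entries that allow them in filenames.
    """
    # Replace every listed character, path separators included.
    cleaned = "".join(replacement if c in UNSAFE_CHARS else c for c in name)
    # Drop remaining control characters (NUL, tab, carriage return, ...).
    cleaned = "".join(c for c in cleaned if ord(c) >= 32)
    # Collapse any run of dots so no ".." parent-directory token survives.
    while ".." in cleaned:
        cleaned = cleaned.replace("..", ".")
    # Leading or trailing dots and spaces give hidden or ambiguous names.
    cleaned = cleaned.strip(". ")
    if not cleaned:
        raise ValueError("filename is empty after sanitization")
    return cleaned


def safe_target_path(download_dir, untrusted_name):
    """Join a sanitized name to download_dir and verify containment."""
    base = os.path.realpath(download_dir)
    target = os.path.realpath(
        os.path.join(base, sanitize_filename(untrusted_name))
    )
    # Defence in depth: refuse anything that resolves outside download_dir,
    # for example through a pre-existing symlink carrying the same name.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("target escapes the download directory")
    return target


if __name__ == "__main__":
    # Constructed sample names, not taken from a real repository index.
    samples = [
        "../../etc/cron.d/job",
        "..\\..\\evil.exe",
        "pkg~1%20.wapt",
        "a;b`c\nd.wapt",
    ]
    for sample in samples:
        print(repr(sample), "->", repr(sanitize_filename(sample)))
```

The containment check matters independently of the character filter: the name may be clean while the download directory already holds a symlink of that name.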
WAPT-2.0.0.9450 (2021-08-10)¶
hash : 7bc6920c
This is a security fix version affected by CVE-2021-38608.
Please visit the security bulletin to learn more.
WAPT-2.0.0.9449 (2021-06-22)¶
hash : 70283a14
This is a bugfix version with some small improvements.
WAPT Agent
[FIX] Fixed Windows Update fix in the progress bar.
[IMP] Allow the WAPT Agent to upgrade even when on batteries.
The WAPT Server
[IMP] Many fixes in GLPI sync.
[FIX] Better handling of service_delete exception cases.
[FIX] Fixed database migration handling with create_defaults_users procedure.
[FIX] Fixed on windows skip the WAPT Agent build if there is no available certificate for signing.
The WAPT Core
[IMP] Improved the compatibility of Packages file for easing upgrade from WAPT 1.8.2.
[IMP] Improved the WAPT Deployment utility: behavior to avoid wrong red flag from AV softwares.
Caveat¶
For macOS support one should use the WAPT Agent 2.1 version available in nightly channel.
WAPT-2.0.0.9428 (2021-05-06)¶
hash : 4b33cf96
This is a bugfix version with many small improvements.
WAPT Console:
[IMP] Improve CreateWaptSetup form layout.
[IMP] Restore focused column visibility when refreshing grid data.
[FIX] Fix wrong path for wapt-get.py in vscode project.
[UPD] Update No fallback in rules to true by default.
[FIX] enable-check-certificate with wildcard.
[FIX] take into account the use_http_proxy_for_repo ini setting (if not present, assume False).
[FIX] Fix setup_package_template_msu.py.tmpl for package Wizard.
[IMP] Add new template for creating package with certificate.
[IMP] Add option to check downloaded package with VirusTotal in package import GUI.
[IMP] Add update-package source action directly in Private repository in the WAPT Console.
WAPT Agent:
[IMP] Use task queue for the forced installs instead of running them inline.
[FIX] Database not opened when we check Hosts who are secondary repositories.
[IMP] Restart partial download of Windows Update files.
[IMP] Improved icons handling in WaptSelfService.
[IMP] On macOS use host certificate store by default for https certificate validation.
[IMP] reload_config_if_updated now reloads config if public_certs_dir has changed.
[FIX] WUA: better handling of return code « does not apply to this computer ».
WAPT Server:
[FIX] Fixed bad migration of PGSQL database server side.
[FIX] Improved database upgrade in corner cases.
SetupHelpers
[FIX] Fixed register_windows_uninstall calculation and using correct x86_64 environment with register_uninstall and unregister_uninstall.
[IMP] Improved inline function description for documentation.
WAPT-2.0.0.9343 (2021-04-08)¶
hash : 117d62b8
This is mainly a bugfix release after the initial 2.0.0 release.
WAPT Console:
[IMP] Show an explicit message if the user can not build a customized WAPT Agent.
[IMP] Enabled remote repo sync if there are repositories configured (making remove_repo_support parameter obsolete).
[IMP] Better filtering on maturities.
[FIX] Fixed templates for vscode
WAPT Server:
[IMP] Include certificates from WaptUsers table in result of /api/v3/known_signers_certificates.
WAPT ACL handling:
[UPD] ACL: added an action to show the user certificate.
[UPD] Creates default (empty) WaptUserAcls record on user login even for non ldap logins.
[IMP] Better naming for ACL domains.
SetupHelpers
[FIX] Fixed register_uninstall.
[FIX] Do not change silently maturity and locale in check_package_attributes.
[FIX] Fixed regression in wget resume.
Other technical stuff:
[IMP] Added support for installation on OracleLinux.
[FIX] Tightened files ACLs on Linux + fixes + SELinux fixes in postconf.
[IMP] Introduced mORMot2 framework in Lazarus code.
[FIX] Fixed datetime conversion in the WAPT Console.
WAPT-2.0.0.9300 (2021-03-30)¶
hash : 018b8b57
This is the first release of the 2.0 series. After one year in development and more than 1600 commits it brings a bunch of new features and enhancements to the last major update of WAPT 1.8.2. On the technical side WAPT 2.0 now embeds Python3 and now supports 8 new platforms (some of them backported to 1.8.2).
The switch to Python3 may require minor adjustments to existing packages that may have been developed in-house (refer to the corresponding doc page). The packages offered by Tranquil IT through the WAPT Store are already compatible with WAPT 2.0.
From a sysadmin point of view¶
[NEW] ACLs.
[IMP] WAPT Server side ACLs in addition to certificate validation.
[IMP] User management interface with certificate listing.
WAPT Console:
[IMP] gui: change maturity directly from the WAPT Console.
[IMP] gui: all WAPT package types are grouped in one tab.
[IMP] helpers: build and upload locally development package from the WAPT Console.
[IMP] helpers: import default reporting queries from internet.
[IMP] helpers: restart the WAPT Agent and restart client computer from the WAPT Console.
[IMP] Package wizard: support for RPM/DEB/PKG/DMG.
[IMP] Remote repositories: status bar for progression of creation / update of sync.json for repo sync.
[IMP] Windows Updates: new search bar, view host with specific KB.
[IMP] Faster import and resigning of package, change of maturity, etc.
[IMP] waptmessage: better handling of user oriented notification.
[IMP] Better logging of WAPT Console actions and WAPT Agent activity.
Performance improvements for larger installations:
[IMP] Better handling of insert / update of inventory.
[IMP] Better handling of websocket updates.
[IMP] GLPI integration: synchronize WAPT inventory to GLPI server.
Better OS integration:
[IMP] TLS certificate handling: certifi uses local OS certificate store instead of Python certifi integrated certificate store.
[IMP] Increased the number of supported platforms, improved packaging for Linux (deb and rpm) with support for a WAPT Agent running on arm64 and macOS BigSur 64bit.
Package development:
[IMP] Improved package wizard.
[IMP] Many small fixes and improvements to SetupHelpers and better support for Linux and macOS.
[IMP] Improved OS targeting: you can now specify the targeted OS and a specific version of the OS, e.g. Debian(>=9,<=10).
From a technical point of view¶
Python: switch from Python2.7 to Python3:
Linux: use of venv by default with distrib python 3 version.
Windows: switch python3 install to embedded edition 3.8.7.
Different installer for WinXP / WinVista / Win2k3r2 / win2k8 (nonr2) (recent CPython version does not support older Windows systems anymore).
Better handling of passwords with special chars.
Upgraded WAPT core libs and scripting environment.
Upgraded to Python3 and Python libraries, changed kerberos and websocket libraries.
Upgraded to Lazarus 3.0.10 and FPC 3.2.
Caveat¶
Support for unsupported Windows versions (WinXP, WinVista, Win2k8 (non-R2) and Win2k3) is still baking in the oven and should be ready shortly after the 2.0 release date.
Redhat8 and derivative distributions: for upgrade it is necessary to remove WAPT SELinux rules before using postconf again.
WAPT 1.8 Serie¶
WAPT-1.8.2.7393 (2021-11-16)¶
hash : 75a5de09
This is a security release. All WAPT 1.8 versions below 1.8.2.7393 are vulnerable.
[SEC] Upgraded babel python module from 2.5.1 to 2.9.1.
[UPD] Upgraded python libs urllib3 and requests:
chardet==4.0.0 requests==2.26.0 urllib3==1.26.7
WAPT-1.8.2.7388 (2021-10-07)¶
This is a security release. All WAPT 1.8 versions below 1.8.2.7388 are vulnerable.
Security changelog wapt-1.8.2.7388
[SEC] Fixed for vuln in urllib3 CVE-2021-33503 (CVSS Score: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
[SEC] Sanitized filename used when downloading files on local client (CVSS Score: 7.5 High, CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C). Enforced on wget and local filenames for downloaded packages (chars “\” “..” @ | ( ) : / , [ ] < > * ? ; ` n are removed or replaced).
[SEC] Do not use PackageEntry filename attribute to build target package filename as it is not signed.
[FIX] Fixed the WAPT Console config: when retrieving WAPT Server side https certificate, do not write UTF16 strings in waptconfig. Removed wildcards from CN of certificate to compose certificate filename.
[UPD] Updated python modules requirements following urllib3 upgrade
certifi==2021.5.30 chardet==3.0.2 idna==2.8 requests==2.21.0 urllib3==1.24.3
WAPT-1.8.2.7373 (2021-08-10)¶
hash : e96e569c
This is a security fix version affected by CVE-2021-38608.
Please visit the security bulletin to learn more.
WAPT-1.8.2.7372 (2021-06-21)¶
WAPT Agent
[FIX] Fixed regression on macOS build after dependency upgrade.
[FIX] Fixed _update_db: error in the calculation of next_update_on for WAPT package attributes valid_until and forced_install_on.
[IMP] Be sure to not use waptguihelper when running as system user.
[UPD] Added --use-gui for vscode / pyscripter build-upload of a WAPT package.
The WAPT Server
[FIX] Fixed regression on proxy setting for the WAPT Server.
SetupHelpers
[IMP] Added the function split_arg_string to split a command line into executable / args list.
WAPT-1.8.2.7357 (2021-02-09)¶
WAPT Core:
[FIX] Be tolerant with target_os=all in windows.
[FIX] Fixed installed_softwares, ignore error when key can not be opened because of encoding issues (_winreg does not handle unicode, but ansi).
[IMP] show “” instead of None in wapt-get tables.
[FIX] Updated timestamping of the WAPT Server and openssl hash: http://timestamp.globalsign.com/scripts/timestamp.dll.
[FIX] Be tolerant if no “id” attribute in installed packages report.
[FIX] Match properly packages with target_os=all.
[IMP] Prepared installed_packages for upgrade to wapt 1.9.
[IMP] Added Timeit class for test purposes.
[IMP] Disabled sending unused data waptwua_rules_packages.
[FIX] Fixed waptupgrade: regression Bug introduced in revision 85686e4d631adb6e13b25146f3a81f3c09ca082d.
[FIX] Fixed CA certificate PEM string stored as utf16 in certificate chain when creating a certificate signed by a CA (enterprise).
WAPT Console:
[IMP] Increased width of AD-Site combobox.
[IMP] Report packages install_id in the WAPT Console.
WAPT Agent:
[IMP] wapt-get: add --newest-only for search.
[IMP] Improved the WAPT Exit utility: add ExceptionLogger. Change the way exceptions are handled in threads to try to fix issues when the WAPT Exit utility hangs and can not be closed.
WAPT Server:
[FIX] Do not actually update the listening websocket session ID if it is already set in hosts table.
[IMP] wapttasks: force remove tasks locks at service startup.
WAPT-1.8.2.7334 (2020-12-03)¶
hash : 2d15afd9
This is a bugfix release. Ubuntu 16.0.4 amd64 and Debian 10 armhf clients are now supported.
Fixes and enhancements¶
[FIX] Fixed base proxy string « » when editing a profile package.
[FIX] Fixed « Unable to create file » when editing a profile package.
[FIX] Do not allow to save a self-service rules packages without a name.
[FIX] Fixed Access violation when importing from file.
[FIX] Fixed issue with download_icons.
[FIX] Improved search in the WAPT Console (search on concatenation of software name and software version).
[FIX] Fixed extract CN from ssl client certificate authentication for get_auth_token when windows client computer has an organization (in this case client csr/certificate has a CN=<uuid>,O=<org> subject).
[FIX] Fixed regression on wakeonlan introduced by backported code from 1.9.
[FIX] PostgreSQL database not correctly migrating from some 1.8.1.X.
[IMP] Added key param for install_msi_if_needed in setuphelpers_windows.py.
[FIX] Fixed no_fallback in repositories rules.
[FIX] Soupsieve python lib is set to 1.9.6 in requirements because later version are Python3 only.
[FIX] Patch for SocketIO with proxy.
[FIX] Fixed triggers for repository sync in PostgreSQL who were not correctly migrated (Enterprise).
[IMP] Two new builders for both the WAPT Server and WAPT Agents: Ubuntu 16.0.4 LTS / ARM x86 Debian 10 (Enterprise).
[IMP] Revert dhparam bits size to 1024 bits in Windows WAPT Server because it took too much time to generate. It can be generated afterward.
[IMP] Increase default clockskew for signed action to 6 hours (before it was only 1 hour).
[FIX] Fixed security in waptcrypto: prevent infinite loop in SSLCABundle.certificate_chain if issuer certificate and signed certificate have the same subject but one has no authority_key_identifier.
[FIX] waptcrypto: fixed revoke_cert, handle list of DNS names for certificates, fixed AuthorityKeyIdentifier when regenerating certificate from CSR.
[FIX] Fixed the WAPT service for verify_cert_ldap in the WAPT Agent.
[FIX] Patched pltis_utils to display properly long integer in WAPTWUA. The wsusscn2.cab file may report KBs with incorrect huge download size up to 1TB.
[FIX] On a fresh install the admin ACL rights were not properly set up which required a service restart to get them fixed.
[FIX] Force admin password change on upgrade if the old hash is SHA-1.
[FIX] Minor fixes for uWSGI support.
[FIX] Fixed temporary directories not removed after package import or edit.
[FIX] Fixed duplicated auth_module_ad.py module in bad waptwaptenterprise directory on a windows WAPT Server.
[IMP] Warning of WAPT licence expiration message changed from 14 days to 60 days before expiration.
[FIX] Fixed broadcast for wakeonlan.
[FIX] Fixed additional WAPT Server password issues when non ascii character.
Library changes¶
[UPD] Update OpenSSL binary from 1.0.2r to 1.0.2u.
[UPD] Update Python4Delphi lib to 20201020 release.
[UPD] Build now with Lazarus 2.0.8 and FPC 3.0.4.
WAPT-1.8.2.7269 (2020-06-16)¶
hash : 757cdc76
[FIX] Fixed database schema upgrade script for upgrade from WAPT version 1.8.1-6742. Fresh 1.8.2 installation or upgrade from 1.7 or from 1.8.0 or 1.8.1-6758 should not have the issue.
[IMP] Add key for install_msi_if_needed.
[FIX] Fixed for no_fallback for waptwua (Enterprise).
WAPT-1.8.2.7267 (2020-06-12)¶
hash : 46f40312
[FIX] Fixed database schema upgrade script for upgrade from WAPT version 1.8.1-6742. Fresh 1.8.2 installation or upgrade from 1.7 or from 1.8.0 or 1.8.1-6758 should not have the issue.
WAPT-1.8.2.7265 (2020-06-11)¶
hash : 339f1996
This is mostly a bugfix release. Support for Linux and macOS clients has also been greatly improved.
Notable enhancements¶
[IMP] Improved support for the WAPT Agent running on Linux and macOS. Now the support is almost identical on Windows, Linux and MacOS (all versions):
[IMP] The WAPT Agent installs as a service with kerberos registration.
[IMP] the WAPT Self-service gui available on the 3 platforms (note: support for the latest version of macOS, Catalina, is expected for 1.8.3).
[IMP] Improved the WAPT Exit utility (on Linux and macOS it is not yet started on system shutdown, it can be triggered by a scheduled task).
[IMP] session-setup for configuring user sessions.
[IMP] Send message to users and propose upgrades (Enterprise only).
[IMP] OU handling (Enterprise only).
[IMP] The WAPT Self-service authentication can be delegated to the WAPT Server (Enterprise only).
better SetupHelpers coverage.
[IMP] New supported platforms. Now WAPT for linux (WAPT Server and Agent) and macOS (WAPT Agent only) supports:
Ubuntu 18.04 and 20.04;
Debian 8, 9 and 10;
Centos7 (CentOS 8 as a preview);
MacOS Sierra, HighSierra, Mojave (note: support for MacOS Catalina expected for WAPT 1.8.3).
[IMP] Streamlining of development environment for packaging on Linux using VSCode.
[FIX] Better handling of websocket cleanup when a host is not properly registered. Should improve stability on large WAPT installations.
[IMP] The selfservice can now be configured for external authentication for desktops that are not in an Active Directory Domain.
[IMP] The selfservice users can now authenticate on the WAPT Server even when out of the corporate network.
[IMP] The session setup is run for all packages immediately after wapt-get upgrade or wapt-get install, so that new packages are already configured in the context of each logged in user (no need to logout / login) (Enterprise only).
[IMP] If secondary repositories are defined in waptconsole.ini, additional packages can be selected when editing hosts, groups or self-service packages.
[IMP] When editing group or self-service packages, one can define the Target OS of the package.
[IMP] Remote message to logged in users is using the same custom dialog box for Windows, Linux and macOS.
[IMP] Remote message to logged in users can display the same custom logo as self-service (Enterprise only).
[IMP] The IP/Subnet match in repository access rules is based on the « main IP » of the host (source IP from which the host is reaching the WAPT Server, if the WAPT Server is public, this is usually the external IP of the router) (Enterprise only).
[IMP] Added Remote host Shutdown and remote host Reboot from the WAPT Console if enabled in wapt-get.ini (allow_remote_shutdown and allow_remote_reboot) (Enterprise only).
[IMP] Added a no fallback checkbox in repositories access rule to prevent host using main repository in case secondary ones are not reachable (when main repository bandwidth is limited, having all hosts reaching the main repository can slow down access to the main site) (Enterprise only).
[FIX] Make sure the WUA install task are executed after packages are installed (Enterprise only).
Other enhancements¶
[IMP] The Cmd console is hidden when wapt-get session-setup is running, to limit annoyance for users.
[IMP] Improved WUA direct download option in the WAPT Console (Enterprise only).
[IMP] Can now use Microsoft url for WUA in rules (Enterprise only).
[FIX] Improved background icons loading in WAPT Self-service.
[FIX] Better inventory of lastboottime and get_domain_info.
[FIX] Better handling of other local install of Python on client computer (eg. conflict with local Anaconda Python installation).
[IMP] Allows to have multiple private repo content displayed in the WAPT Console.
[IMP] Remote repository: it is now possible to prevent a fallback.
[FIX] Better handling of icons in the WAPT Self-service.
[IMP] Improved support for VSCode.
[FIX] Better handling of ipv6 in the WAPT Console and the inventory.
[IMP] wapt_admin_filter: local administrators can be filtered out like normal users in the WAPT Self-service.
[IMP] Larger support for SetupHelpers on macOS.
[FIX] The WAPT Server logs are properly redirected to /var/log/waptserver.log.
[FIX] Fixed package caching: packages are deleted after each successful installation (rather than at the end of the whole upgrade) to better preserve local disk space.
[IMP] Allow usage of url for changelog in control file.
[IMP] Better support for Windows Update download directly from Microsoft if the WAPT Server is not reachable.
[FIX] Better handling of upgrade from Community version to Enterprise version.
[IMP] Improved local store skin and translations.
[FIX] Bugfixes and minor GUI improvements.
Library changes in WAPT-1.8.2.7265¶
[CHANGE] Replaced python-ldap with ldap3.
[FIX] Upgraded ujson on the WAPT Server and the WAPT Agent running on Linux.
Removed features with WAPT-1.8.2.7265¶
[REMOVED] Autoconfiguration of repositories based on SRV DNS fields (it was not working anymore anyway).
Caveats when using WAPT-1.8.2.7265¶
[CAV] waptexit is not run automatically on shutdown on Linux or macOS (current issue with systemd / launched integration).
[CAV] wapttray is not yet available on Linux and macOS.
[CAV] MacOS Catalina is supported by the WAPT Agent, however WAPTSelfService and waptexit are not yet supported.
WAPT-1.8.2.7265 RC2 (2020-05-29)¶
hash git : 339f1996
Warning
This is a Release Candidate version for testing and evaluation only and should not be installed on production system.
This is mostly a bugfix release. Support for Linux and macOS clients has greatly improved.
Notable enhancements over 1.8.2 RC1¶
[IMP] Improved the session setup in run for all packages immediately after :command:`` or install, so that new packages are already configured in the context of each logged in users (no need to logout / login) (Enterprise only).
[IMP] If secondary repositories are defined in waptconsole.ini, additional packages can be selected when editing hosts, groups or self-service packages.
[IMP] When editing group or self-service packages, one can define the target OS of the package.
[IMP] Remote message to logged in users is using the same custom dialog box for windows, linux and macOS.
[IMP] Remote message to logged in users can display the same custom logo as self-service (Enterprise only).
[IMP] The IP / Subnet match in repository access rules is based on the main IP of the host (source IP from which the host is reaching the WAPT Server, if the WAPT Server is public, this is usually the external IP of the router) (Enterprise only).
[IMP] Added remote host shutdown and remote host reboot from the WAPT Console if enabled in wapt-get.ini (allow_remote_shutdown and allow_remote_reboot) (Enterprise only).
[IMP] Added a no fallback checkbox in repositories access rule to prevent hosts from using the main repository in case secondary repositories are not reachable (when main repository bandwidth is limited, having all hosts reaching the main repository can slow down access to the main site) (Enterprise only).
[FIX] Make sure WUA install tasks are executed after packages install (Enterprise only).
Other enhancements over 1.8.2 RC1¶
[IMP] the cmd console is hidden when session-setup is running, to limit annoyance for users.
[IMP] WUA direct download option in the WAPT Console (Enterprise only).
[IMP] Can now use Microsoft url for WUA in rules (Enterprise only).
[IMP] Improved background icons loading in self-service.
Removed features¶
None
Caveats¶
Same as RC1
WAPT-1.8.2.7165 RC1 (2020-05-29)¶
hash git : 1387b38f
Warning
This is a Release Candidate version for testing and evaluation only and should not be installed on production system.
This is mostly a bugfix release. Support for Linux and macOS clients has greatly improved.
Notable enhancements in WAPT-1.8.2.7165 RC1¶
[IMP] improve support for the WAPT Agent on Linux and macOS. Now the support is almost identical on Windows, Linux and macOS (all versions):
[IMP] The WAPT Agent installs as a service with kerberos registration.
[IMP] waptselfservice gui available on the 3 platforms (note: support for the latest version of MacOS, Catalina, is expected for 1.8.3).
[IMP] Improved the WAPT Exit utility (on Linux and macOS it is not yet started on system shutdown, it can be triggered by a scheduled task).
[IMP] session-setup for configuring user sessions.
[IMP] send messagebox to users and propose upgrades (Enterprise only).
[IMP] OU handling (Enterprise only).
[IMP] waptselfservice authentication can be delegated to the WAPT Server (Enterprise only).
[IMP] Better SetupHelpers coverage.
[IMP] add new supported platform. Now WAPT for linux (WAPT Server and Agent) and MacOS (WAPT Agent only) supports:
Ubuntu 18.04 and 20.04;
Debian 8, 9 and 10;
Centos7 (CentOS 8 as a preview);
MacOS Sierra, HighSierra, Mojave (note: support for MacOS Catalina expected for WAPT 1.8.3).
[IMP] streamlining of development environment for packaging on Linux using VSCode.
[FIX] better handling of websocket cleanup when a host is not properly registered. Should improve stability on large WAPT installation.
[IMP] selfservice can now be configured for external authentication for desktops that are not in an Active Directory Domain.
[IMP] selfservice users can now authenticate on selfserver even when out of the corporate network.
Other enhancements in WAPT-1.8.2.7165 RC1¶
[FIX] Better inventory of lastboottime and get_domain_info.
[FIX] Better handling of other local install of Python on client computer (eg. conflict with local Anaconda Python installation).
[IMP] Allow to have multiple private repo content displayed in the WAPT Console.
[IMP] Improved remote repository to make possible to prevent a fallback.
[FIX] Better handling of icons in selfservice.
[IMP] Improved support for VSCode.
[FIX] Better handling of ipv6 in the WAPT Console and inventory.
[IMP] wapt_admin_filter: local admin can be filtered out like normal user in selfservice.
[IMP] Added a larger support for SetupHelpers on macOS.
[FIX] WAPT Server logs are properly redirected to /var/log/waptserver.log.
[FIX] Better support for package caching: packages are deleted after each successful installation (rather than at the end of the whole upgrade) to better keep local disk space.
[IMP] Allow usage of url for changelog in control file.
[IMP] Better support for Windows Update download directly from Microsoft if the WAPT Server is not reachable.
[FIX] Better handling of upgrade from Community version to Enterprise version.
[IMP] Improved local store skin and translation.
[FIX] Bugfixes and minor gui improvements.
Library changes in WAPT-1.8.2.7165 RC1¶
[REF] replaced python-ldap with ldap3.
[FIX] upgraded ujson on the WAPT Agent and Server on Linux.
Removed features with WAPT-1.8.2.7165 RC1¶
autoconfiguration of repositories based on SRV DNS fields (it was not working anymore anyway).
Caveats when using WAPT-1.8.2.7165 RC1¶
[CAV] The WAPT Exit utility is not run automatically on shutdown on Linux or MacOS (current issue with systemd / launched integration).
[CAV] the WAPT System Tray utility is not yet available on Linux and macOS.
[CAV] MacOS Catalina is supported by the WAPT Agent, however WAPTSelfService and the WAPT Exit utility are not yet supported.
WAPT-1.8.1-6758 (2020-03-06)¶
(hash bb93ce41)
WAPT Server:
[REF] Refactoring in postconf.py to remove old migration scripts from MongoDB.
[REF] Refactoring for winsetup.py to create now a dhparam for nginx on Windows.
[REF] Refactoring for repositories: changed repo_diff to remote_repo_diff and added the parameter remote_repo_websockets (default True) to the WAPT Server.
[IMP] disable cache on nginx for Windows and Linux on wapt packages / exe.
WAPT Agents:
[REF] Changed the parameter waptservice_admin_auth_allow to waptservice_admin_filter.
[REF] Deleted resync functions for remote repo.
[IMP] Improved the default parameter local_repo_sync_task_period to 2h.
[FIX] Fixed wapt-get / WAPT service debug when downloading a WAPT package on Linux while not using a sudo account.
[FIX] Fixed plist in macOS.
[IMP] Can now have relative path for WAPT packages / directories in wapt-get.
[IMP] Templates have by default setup_uninstall / update etc…
[IMP] Improved templates for vscode.
The WAPT Console
[IMP] Added possibility of template packages for .deb / .rpm / .pkg.
[FIX] Fixed error with .msi, .exe, etc in PackageWizard explorer.
[IMP] Can now choose editor_for_packages directly in the WAPT Console configuration file.
[UPD] Some cosmetic / translations improvements for GUI to deploy the WAPT Agent.
WAPT-1.8.1-6756 (2020-02-17)¶
(hash 43394f3b)
Bug fixes and small improvements
[IMP] Improved the WAPT Console: improve the refresh of hosts grid when a lot of hosts are selected (improved by a factor of around 5).
[FIX] Fixed the WAPT Server Database connections management: do not close the database on teardown as it should not occur, and seems to trigger some issue when triggering a lot of tasks on remote hosts (error « database is closed »).
[FIX] Fixed the WAPT Console: Do not « force » install when triggering the upgrade on remote hosts, to avoid reinstalling softwares when already up to date.
[IMP] use ldap authentication only if session and admin fail (avoid waiting for timeout when ldap is not available but one wants to login with plain admin user).
[FIX] wapt-get upload: encode user and password in http_upload_package to allow non ascii in admin password.
[IMP] Improved the WAPT Console: Disable auto search on keywords.
[IMP] Use DMI System_Information.Serial_Number information for serialnr Host field instead of Chassis_Information.Serial_Number because System_Information is more often properly defined.
[ADD] Added uuid to the list of searched fields when only “host” is checked in filters in the WAPT Console.
[IMP] Improved Nginx config: disable caching.
[IMP] Fixed vscode project template.
WAPT-1.8.1-6742 (2020-02-12)¶
(hash 80dbdbe7)
Major changes¶
[ADD] In the WAPT Console, added a page to show packages install status summary (merge) of all selected hosts, grouped by package, version, install status, with count of hosts;
Context menu allow to apply selectively the pending actions. On enterprise, one can apply safely the updates (only packages for which there is no running process on client side).
[IMP] Prevent users from saving a host package if targeted host(s) do not accept their personal certificate. (Checked on the WAPT Console when editing / mass updating host packages, and on the WAPT Server when uploading packages).
The personal certificate file .crt MUST contain at first the personal certificate, followed by the issuer CA certificates, so that WAPT can rebuild the certificate chain and check intersection with host’s trusted certificates.
Important note about SSL client side authentication¶
In the Nginx configuration, be sure to reset the headers X-Ssl-Authenticated and X-Ssl-Client-DN as the WAPT Server trusts these headers if the SSL client side authentication is enabled in waptserver.ini.
If SSL client side authentication is set up, these headers can be populated by proxy_set_header with the result of ssl_verify_client as explained in ./wapt-security/security-configuration-certificate-authentication.html#enabling-client-side-certificate-authentication.
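The header handling described in this note, as an added nginx sketch that is not the template shipped with WAPT. The server names, certificate paths and the upstream address 127.0.0.1:8080 are assumptions to adapt to the local setup.

```nginx
# Added example, not WAPT's own nginx template.
# Assumed placeholders: server_name, certificate paths, upstream address.

# Case 1: client certificate authentication is enabled on the reverse proxy.
server {
    listen 443 ssl;
    server_name srvwapt.example.internal;

    ssl_certificate        /path/to/server.crt;
    ssl_certificate_key    /path/to/server.key;

    # CA used to verify host client certificates. "optional" lets clients
    # without a certificate complete the handshake; nginx reports the outcome
    # in $ssl_client_verify (SUCCESS, FAILED:<reason> or NONE).
    ssl_client_certificate /path/to/clients-signing-ca.crt;
    ssl_verify_client      optional;

    location / {
        # proxy_set_header replaces any header of the same name received from
        # the client, so the backend only sees the verdict computed by nginx.
        proxy_set_header X-Ssl-Authenticated $ssl_client_verify;
        proxy_set_header X-Ssl-Client-DN     $ssl_client_s_dn;
        proxy_set_header Host                $host;

        # Caveat: proxy_set_header is inherited from the enclosing level only
        # when the current level defines no proxy_set_header at all. Repeat
        # the two X-Ssl-* lines in every location that sets its own headers.
        proxy_pass http://127.0.0.1:8080;
    }
}

# Case 2: client certificate authentication is not configured in nginx.
server {
    listen 443 ssl;
    server_name srvwapt-noclientauth.example.internal;

    ssl_certificate        /path/to/server.crt;
    ssl_certificate_key    /path/to/server.key;

    location / {
        # An empty value makes nginx drop the header instead of forwarding
        # it, so a value supplied by the client never reaches the backend.
        proxy_set_header X-Ssl-Authenticated "";
        proxy_set_header X-Ssl-Client-DN     "";
        proxy_set_header Host                $host;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

A location that only contains proxy_pass forwards request headers unchanged, which is the configuration this note warns about; `nginx -T` prints the effective configuration so each location can be checked for the two X-Ssl-* lines.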
Fixes and detailed changelog¶
[FIX] Fixed security and updated waitress module to 1.4.3 (CVE-2020-5236).
[FIX] Fixed security with blank X-Ssl* headers in default nginx templates.
[FIX] Fixed regression in kerberos register_host did not work anymore.
[IMP] On the WAPT Server, <repository root>/wapt/ssl dir is moved automatically on winsetup / postconf to (per default) <repository root>/ssl, a /ssl location is added. This /ssl should be accessible from clients at the location specified by the WAPT Server parameter clients_signing_crl_url (in waptserver.ini).
[IMP] Improved logs readability. Log count of used database connections from pool on the WAPT Server to troubleshoot database connection issues. Log level can be specified by subcomponent with loglevel_waptcore, loglevel_waptserver, loglevel_waptserver.app, loglevel_waptws, loglevel_waptdatabase defined in waptserver.ini;
[IMP] Reworked explicit database Open/close on the WAPT Server to not get a database connection from pool if not useful. It prevents exhaustion of database connections;
[IMP] waptwinsetup: do not create unused directories wapt-group and waptserverlog;
[ADD] Added .msu and .msix extensions for Package wizard setup file dialog;
[ADD] Fallback with os._exit(10) for the WAPT service restart. Added a handler in nssm.exe configuration to honor the restart;
[IMP] Increased waitress threads to 10 on the WAPT service;
[IMP] Lowered the default number of pooled database connections (db_max_connections) to 90, to be lower than postgresql default of 100;
[IMP] Improved the WAPT Server: allow kerberos or ssl authentication check in the WAPT Server only if enabled in waptserver.ini config file;
[IMP] Improved the WAPT Console: Allow update of host package only if user certificate is actually allowed on the host (based on last update of host status in database);
[ADD] Added in the WAPT Console / build of the WAPT Agent: added checkbox to specify to include or not non certificate authority certificates in build. The normal setup would be to uncheck this, to not deploy non CA certificates, on wapt root CA;
[IMP] Add an option to disable automatic hiding of panels…
[IMP] Add explicit AllowUnauthenticatedRegistration task to the Windows waptserversetup.
[IMP] waptsetup: Remove explicit VCRedistNeedsInstall task. Use /VCRedistInstall=True / False if you need to force install or force not install vcredist VC_2008_SP1_MFC_SEC_UPD_REDIST_X86.
[FIX] wapt-get.exe: use wapt-get.ini for wapt-get scan-packages and wapt-get update-packages actions.
[FIX] wapt-get: authentication asked when checking if the WAPT Server is available (ping) and client ssl authentication is enabled.
[IMP] WAPT client: if client ssl authentication failed with http error 400, retry without ssl authentication to be able to ask for new certificate signing.
[FIX] Fixed the WAPT Server register behavior: revert over rev 6641: sign host certificate if an authenticated user is provided or data is signed with a key which can be verified by existing certificate in database for this host uuid.
[IMP] Improved the WAPT Server register behavior: when receiving 401 from the WAPT Server when registering, retry registering without ssl authentication.
[IMP] wapt client: be sure to have proper host private key saved on disk when receiving signed certificate from the WAPT Server.
[IMP] Improved the WAPT Console: advanced filters for selected host packages status. Filter on Install status and Section + keyword. Pending button to show only pending installations / removes.
[ADD] wapt-get make-template / edit package: Add .vscode directory. Add template project for vscode;
[FIX] Fixed the WAPT Console: ssl authentication for mass package dependencies / conflicts updates;
[FIX] Fixed the WAPT Console: import packages from external repos with ssl authentication.
[IMP] Backports from master:
target OS in import packages;
choose editor for packages in linux in cmdline.
[IMP] backports from master:
Refactoring for HostCapabilities.waptos;
Added new target_os unix for mac and linux so target_os = windows, darwin (for mac), linux or unix.
[FIX] WAPT.wapt_base_dir.
[FIX] makepath in Linux / macOS.
[IMP] Refactoring / fixes for SetupHelpers.
[FIX] Fixed rights_to_check in repo-sync client.
[FIX] for repo-sync:
[ADD] Added two SetupHelpers for linux: type_debian and type_redhat.
[IMP] Indent the local sync.json.
[IMP] Use get_os_version and windows_version_from_registry instead of windows_version.
[IMP] Improved windows_version_registry for get_os_version on windows.
[IMP] Backported host_capabilities.os from master.
[FIX] Fixed make-template for malformed .exe installer.
[ADD] Added automatic maintenance of a CSR for client authentication certificates signed by the WAPT Server:
Default CSR lifetime to 30 days.
Check renewal of client certificate CSR every hour.
[ADD] Added a parameter for the next update time of CRL.
[ADD] Added clients_signing_crl_url, clients_signing_crl_days, known_certificates_folder to the parameters of the WAPT Server.
[ADD] Added a /ssl location in nginx templates.
[ADD] Added crl_urls in client authentication signed certificates.
[ADD] Added a scheduled task to renew the WAPT Server side CRL.
[ADD] Added clients_signing_crl WAPT Server parameter to add the WAPT client certificate to the WAPT Server’s CRL when host is unregistered.
[ADD] Added revoke_cert method to SSLCRL class.
[ADD] Added a authorityKeyIdentifier to the client authentication CSR.
[IMP] Force restart if Windows task is broken.
[FIX] Fixed the WAPT service: use sys._exit(10) to ask nssm to restart service in case of unhandled exception in the WAPT service (loops, etc.).
[FIX] Fixed the WAPT Agent: do not log / store into database Wapt.runstatus if not changed.
[FIX] Fixed the WAPT Server postconf for rights on some wapt directories.
[ADD] Added mutual conflicts to deb/rpm packages for the WAPT Agent and the WAPT Server to avoid simultaneous install.
WAPT-1.8.0-6641 (2020-01-24)¶
(hash 3dbb3de8)
Major changes¶
[ADD] Added WAPT Agent for Linux Debian 8, 9, 10, Linux Centos 7, Ubuntu 18, 19 and MacOS. The packages are named wapt-agent and available in https://wapt.tranquil.it/wapt/releases/latest/.
[IMP] Improved the repository access rules defined in the WAPT Console. Depending of client IP, site, computername, one can define which secondary repository URL to use (Enterprise only).
As a consequence, the DNS query method (with SRV records) is no more supported for repositories
[IMP] The package and signature process has been changed to be compatible with python3. Serialization of dict is now sorted by key alphabetically to be deterministic across python versions. The WAPT Agents prior to version 1.7.1 will not be able to use new packages. (see git hash SHA-1: f571e55594617b43ed83003faeef4911474a84db).
[NEW] A WAPT Agent can now be declared as a secondary remote repository. Integrated syncing with main WAPT Server repository is handled automatically. (Enterprise only)
[NEW] The WAPT Console can now run without elevated privileges. The build of waptagent / waptupgrade package are done in a temporary directory. When editing a package from the WAPT Console, PyScripter should be launched with elevated privileges.
Note
One could deploy the WAPT Agent with GPO without actually rebuilding a waptagent.
Command line options are available on stock waptsetup-tis.exe to configure repo url (/repo_url=), WAPT Server url (/wapt_server=), WAPT Server certificate bundle location (/CopyServersTrustedCA=), packages certificates checking (/CopyPackagesTrustedCA=), /use_random_uuid, /StartPackages, /append_host_profiles, /DisableHiberBoot, /waptaudit_task_period.
Some options are still missing and may be added in a future release.
[IMP] package filename now includes a hash of package content to make it easier to check if download is complete and if package has been scanned (improved speed for large number of packages).
[SEC] the WAPT admin password MUST be regenerated (with postconf) if it is not pbkdf2 based. In your waptserver.ini file, wapt_password MUST start with $pbkdf2-.
Fixes and detailed changelog¶
[SEC] The WAPT Agent can optionally be digitally signed, if (1) Microsoft signtool.exe is present in <wapt>utils and (2) if there is a pkcs#12 .p12 file with the same name as the personal certificate .crt file, and (3) the certificate is encrypted with the same password;
[IMP] wapt-get.py can be run on linux and macos in addition to windows;
[IMP] Improved the WAPT Console host’s packages status reporting: now displays current version with NEED-UPGRADE, NEED-REMOVE, ERROR status and future version with NEED-INSTALL status;
The status is stored in the WAPT Server’s database HostPackagesStatus
so it can be queried for reporting;
[IMP] Improved SetupHelpers: there are now different SetupHelpers for each operating system family;
[ADD] Added in the WAPT Console: action to safely trigger upgrades on remote hosts only if associated processes (impacted_process control attribute) are not running, to avoid disturbing users (Enterprise only);
[ADD] wapt-get --service upgrade: added handling of --force, --notify_server_on_start=0/1, notify_server_on_finish=0/1 switches;
[IMP] package signature’s date is now taken in account when comparing packages;
[ADD] host_ad_site key in [global] in wapt-get.ini to define a fake Active Directory site for the host;
[ADD] Added in the WAPT Console / packages grid: if multiple packages are selected, the associated show clients grid shows the status of packages for all selected clients (Enterprise only);
[ADD] waptagent build: added checkbox to enable repository rules lookup when installing the WAPT Agent (Enterprise only);
[ADD] Added in the WAPT Console / import packages: do not reimport existing dependencies. Checkbox to disable import of dependencies;
[IMP] wapt-scanpackages speed optimizations: do not re-extract certificates and icon for skipped package entries. use md5 from filename if supplied when scanning.
[FIX] Fixed arguments in the WAPT Exit utility for only_if_not_process_running and install_wua_updates (bool);
[FIX] Fixed the WAPT Agent / WAPT WUA enabled setting reset to False when upgrading with waptagent and enabled;
[FIX] Fixed the WAPT Server / waptwua repository: all cabs files are now in root directory instead of microsoft original file tree. The files are moved when upgrading to 1.8;
[IMP] waptupgrade package: increment build number if building a new WAPT Agent of the same main wapt version;
[NEW] New WAPT Server parameter trusted_signers_certificates_folder: Path to trusted signers certificate directory. If defined, only packages signed by this trusted CA are accepted on the WAPT Server when uploading through the WAPT Server;
[NEW] New WAPT Server parameter remote_repo_support: if true, a task is scheduled to scan repositories (wapt, waptwua, wapt-hosts) that creates a sync.json file for remote secondary repositories;
[IMP] when building the WAPT Agent, do not include non CA packages certificates by default in the WAPT Agent. A checkbox is available to still enable non CA certificates to be scanned and added;
[IMP] when building the WAPT Agent, one can add or remove certificates in the grid with Ctrl+Del or drag and drop;
[FIX] Fixed the WAPT Console / host packages status grid: fixed F5 refresh;
[IMP] Improved the WAPT Console / build of the WAPT Agent: build an Enterprise WAPT Agent even if no valid licence (Enterprise only);
[FIX] forced_update_on control attribute: do not take into account for next_update_on if in the past;
[IMP] Improved the WAPT Console: try to accept the WAPT Server password with non ASCII characters;
[REMOVED] waptstarter: remove socle from default host profile;
[IMP] waptagent build: rework of the WAPT Server certificate path relocation when building / installing;
[SEC] do not sign the WAPT Agent certificate if no valid human authentication (admin, passwd or ldap) or kerberos authentication has been provided:
be explicit on authentication methods;
store registration authentication method in database only if valid human authentication or kerberos authentication has been provided;
when registering, be sure we trust an already signed certificate with CN matching the host;
store the signed host certificate in the WAPT Server database on proper registration;
[IMP] some syntax preparation work for future python3;
[IMP] some preparation work for detailed ACL handling (Enterprise only);
[FIX] Do not enable client ssl authentication by default in the WAPT Server as nginx reverse proxy server is perhaps misconfigured;
Python libraries / modules updates¶
use waitress for the WAPT service wsgi server instead of unmaintained Rocket;
Flask-SocketIO 3.0.1 –> Flask-SocketIO 4.2.1;
MarkupSafe 1.0 –> MarkupSafe 1.1.1;
python_ldap-2.4.44 –> python_ldap-3.2.0;
WAPT 1.7 and older¶
WAPT-1.7.4-6237 (2019-11-18)¶
(hash 1c00cefd)
[FIX] Fixed the WAPT Server: add fix to workaround flask-socketio bug (AttributeError: “Request” object has no attribute “sid”);
[IMP] Improved the WAPT Server: be sure the database is closed before trying to open it (for dev mode);
[IMP] Improved the WAPT Server: add logs messages when an exception message is sent back to the user;
WAPT-1.7.4-6234 (2019-11-14)¶
(hash ad237eee)
[IMP] Improved the WAPT Server: upgrade peewee database python module to 3.11.2. Explicit connection handling to database to track potential limbo connections (which could lead to database pool exhaustion);
[FIX] waptwua: trap exception when pushing WU to Windows cache to allow valid updates to be installed even if some could not be verified properly;
WAPT-1.7.4-6232 (2019-10-31)¶
(hash 2090b0e6d52cecfb04f8fa4c279e7c0a0252d6e2)
[FIX] wapt-get session-setup: fix bad print in session_setup. Regression introduced in b30b1b1a550a4 (1.7.4.6229);
WAPT-1.7.4-6230 (2019-10-23) (not released)¶
(hash 391d382f)
[IMP] return the WAPT Server git hash version and edition in ping and usage_statistics;
[IMP] be sure to have server_uuid on windows when during setup;
[FIX] .git partially included in built package manifest;
WAPT-1.7.4-6229 (2019-10-23)¶
(hash b30b1b1a)
[FIX] 100% cpu load on one core on the WAPT Server even when Idle;
python-engineio upgrade to 3.10.0;
python-socketio upgraded to 4.3.1;
[IMP] Do not try run session_setup on packages which do not have one defined;
[IMP] limit text output on the WAPT Console (for faster output);
WAPT-1.7.4-6223 (2019-10-15)¶
(hash 86ddeaa2d)
[FIX] Newlines in packages installs logged output;
[FIX] Allow nonascii utf8 encoded user and password for the WAPT Server basic authentication;
[UPD] Updated the WAPT Console: Default package filtering to x64 and the WAPT Console locale to avoid mistakes when importing;
[IMP] Improved the WAPT Console: increase default Port Socket listening test timeout (for rdp, remote service access etc..) to 3s instead of 200ms;
[IMP] Improved the WAPT Console: sort OU by description in treeview:
Right click changes current row selection in OU treeview;
[NEW] option to set waptservice_password = NOPASSWORD in waptstarter installer;
[FIX] grid sorting for package / version / size of packages;
[FIX] Do not create the WAPT Console link for starter;
[NEW] wapt-scanpackages: add an option to update the local packages database table from Packages file index;
[FIX] regression introduced in previous build: maturities = PROD and maturities = '' are equivalent when filtering allowed packages;
[FIX] Fixed the WAPT Console: grid headers too small for highdpi;
[UPD] waptupgrade package filename: keep old naming without all arch (for backward compatibility);
[IMP] waptservice_timeout = 20 seconds now;
[FIX] Active Directory authentication for the WAPT Console with non ASCII chars;
[IMP] missing french translations for columns in Import packages grid;
[FIX] be sure to terminate output threads in waptwinutils.run;
[IMP] avoid showOnTop flickering for VisLoading;
[IMP] setuphelpers.run_powershell: added $ProgressPreference = SilentlyContinue prefix command;
[SEC] Secured the WAPT service: protect test of host_cert date if file is deleted outside of service scope;
[IMP] WaptBaseRepo class:
packages cache handling when repo parameters (filters…) are changed;
allow direct setting of cabundle for WaptBaseRepo;
keep a fingerprint of input config parameters;
[UPD] set a fallback calculated package_uuid value in database for compatibility with old package status reports;
WAPT-1.7.4-6196 (2019-09-27)¶
(hash f9cb3ebd)
[IMP] revert package naming of waptupgrade to previous one to ease upgrade from previous wapt;
[IMP] increase waptservice_timeout to 20 seconds per default;
[FIX] Active Directory authentication when there are non ascii chars (encoding);
[FIX] missing french translations for columns in Import packages grid;
[IMP] set a fallback calculated package_uuid in database for old package without package_uuid attribute in database status report;
[NEW] wapt-scanpackages: add an option to update the local Packages database table from Packages file index;
[NEW] option to filters maturities;
WAPT-1.7.4-6192 (2019-09-17)¶
(hash 3e00ac6688)
[SEC] update python modules python-engineio and werkzeug to fix vulnerability CVE-2019-14806, GHSA-j3jp-gvr5-7hwq
[UPD] Python modules:
eventlet 0.24.1 –> eventlet 0.25.1;
flask 1.0.2 –> flask 1.1.1;
greenlet 0.4.13 –> greenlet 0.4.15;
itsdangerous 0.24 –> itsdangerous 1.1.0;
peewee 3.6.4 –> peewee 3.10;
python-socketio 1.9.0 –> python-socketio 4.3.1;
python-engineio 3.8.1 –> python-engineio 3.9.3;
websocket-client 0.50 –> websocket-client 0.56;
[UPD] default request_timeout = 15s for client websockets;
[FIX] when building packages, excluded directories (for example .git or .svn) were still included in manifest file;
[UPD] Do not canonicalize package filenames by default when scanning the WAPT Server repository to ease migration from previous buggy wapt;
[FIX] package filename not rewritten in Packages when renaming package;
[NEW] wapt-scanpackages: added explicit option to trigger rename of packages filenames which do not comply with canonic form;
[NEW] wapt-scanpackages: added option to provide proxy;
[UPD] return OK by default in package’s audit skeleton;
[IMP] Improved the WAPT Console cosmetic: minheight 18 pixels for grid headers
[FIX] Fixed the WAPT Server database model: bad default datatype in model.py for created_by and updated_by (were not used until now);
[FIX] ensure_unicode for .msi output: try cp850 before utf16 to avoid Chinese garbage in run output;
[NEW] added connected_users to hosts_for_package provider;
[FIX] use win32api to get local connected IPV4 IP address instead of socket module. In some cases, socket can not retrieve the IP;
[FIX] wapt-get unregister command not working properly;
[NEW] Waptselfservice: added option in wapt-get.ini to disable unfiltered packages view of local admin;
[IMP] Waptselfservice: 4K improvements;
[FIX] Waptselfservice:
packages restricted were shown in selfservice / now corrected;
if the repo have no packages segmentation error / now corrected;
if the repo have changed segmentation error / now corrected;
WAPT-1.7.4.6165 (2019-08-02)¶
(hash f153fab4)
Improvements¶
[NEW] added unregister action to wapt-get;
[UPD] improvements with the alt logo in the self-service;
Changes¶
[UPD] use version to build the package name of unit, groups and profile type package, like for base packages;
[UPD] added logs to uwsgi;
Fixes¶
[FIX] bugfixes with the icons of the app self-service;
[FIX] bugfixes with the logos in the self-service;
[UPD] Updated the WAPT Exit utility: do not cancel tasks on CloseQuery;
[UPD] patch server.py earlier to avoid execute cannot be used while an asynchronous query is underway;
[FIX] Fixed the WAPT Exit utility doing nothing if allow_cancel_upgrade = False and waptexit_disable_upgrade = False;
[FIX] fix issue with merge of wsus rules (can cause memory errors if more than one wsus package is applied on a host) (Enterprise only);
[FIX] fix wua auto install_scheduling issue;
[FIX] Fixed the WAPT Exit utility: add a watchdog to workaround some cases where it hangs (threading issue??);
WAPT-1.7.4.6143 (2019-06-25)¶
(hash da870a2c)
Improvements¶
[IMP] wapt self service application is now fully usable. It is available in <wapt>waptself.exe;
[ADD] option to set a random UUID instead of BIOS UUID at setup. This is to workaround for bugged BIOS with duplicated ids;
[IMP] better Sphinxdocs for WAPT Libraries;
Changes¶
[UPD] behavior change: Use computer FQDN from tcpip registry entry (first NV Hostname key) then fixed domain then DHCP;
[FIX] inverted Zip and signature steps in package build operations to workaround issue with Bad Magic Number when signing already zipped big packages;
[NEW] Add use_ad_groups wapt-get [global] parameter to activate groups from AD (this is a time consuming task, so better not activate it…);
Fixes¶
[FIX] appendprofile infinite loop during setup;
[FIX] read forced uuid from wapt-get.ini earlier to avoid loading a bad host certificate in memory if changing from bios uuid to forced uuid;
[FIX] setting use_random_uuid in waptagent.iss;
[FIX] waptstarter setup: force deactivate the WAPT Server, hostpackages;
[FIX] include waptself in waptstarter, do not include innosetup in waptstarter;
[FIX] ensure_unicode: add utf16 decoding test before cp850;
[FIX] add ensure_unicode for tasks logs to avoid unicode decode errors in get_tasks_status callback;
[NEW] host status: add boot_count attribute;
[FIX] fix potential float / unicode error when scanning windows updates (Enterprise only);
[FIX] handles properly excluded files in package signatures;
[FIX] Fixed the WAPT Exit utility: avoid some work after checking if the WAPT service is running if it is not running;
[FIX] a case where WAPTLocalJsonGet could loop forever if authentication fails;
[FIX] setup.pyc in manifest but not in zipped package:
exclude exactly [".svn", ".git", ".gitignore", "setup.pyc"] when signing and zipping;
inc_build before signing;
[UPD] add use_ad_groups setting in the WAPT Agent build. Default to False (Enterprise only);
[FIX] better detection of waptbasedir for python27.dll loading;
[FIX] allow to sign source package directory to workaround a bug in python zipfile (bad magic number);
[NEW] added a htpasswd password file method for restricted access to only add_host method:
allows add_host if provided host certificate is already signed by the WAPT Server and content can be verified;
[FIX] wapt-get.exe crash with « can not load… » when python 3.7 is installed from MS store;
[FIX] load private_dir conf parameter earlier;
[UPD] put a rnd- in front of randomly generated uuid;
added a checkbox to use random uuid (if not already defined in wapt-get.ini);
[UPD] SSL CA certifi library;
[IMP] utf8 decode user /password in localservice authentication;
[UPD] allow authentication on the local WAPT service with token;
[NEW] filter packages on hosts based on the valid_from and valid_until control attributes;
force update sooner if valid_from or valid_until or forced_install_on is sooner than regular planned update_period;
[FIX] events reporting from service tasks;
[FIX] Fixed the WAPT Exit utility: waptexit not closing if waiting for running tasks but auto upgrade has been disabled;
[ADD] added waptexit_disable_upgrade option to waptexit to remove the triggering of upgrade from the WAPT Exit utility, but keep the waiting for pending and running tasks:
“running_tasks” key in the WAPT service checkupgrades.json. Was not reflecting an up to date state.
[NEW] add new packages attributes: name, valid_from, valid_until, forced_install_on;
[FIX] regression on profile packages not taken in account;
WAPT-1.7.4.6082 (2019-05-20)¶
(hash 38e08433)
Fixes¶
[FIX] waptexit not closing if waiting for running tasks but auto upgrade has been disabled;
[FIX] events reporting from service’s tasks;
Updated¶
[ADD] new packages attributes: name, valid_from, valid_until, forced_install_on;
[ADD] waptexit_disable_upgrade option to waptexit to remove the triggering of upgrade from the WAPT Exit utility, but keep the waiting for pending and running tasks;
[IMP] added running_tasks key in the WAPT service checkupgrades.json. Was not reflecting an up to date state.
[IMP] waptself:
early support of high DPI;
loading of icons in the background;
WAPT-1.7.4.6078 (2019-05-17)¶
(hash 5b6851ae)
Fixes¶
[FIX] takes profile packages (AD based groups) into account (Enterprise only)
WAPT-1.7.4.6077 (2019-05-15)¶
(hash 4be40c534c4627)
Fixes¶
[FIX] Fixed regression on the WAPT Deployment utility unable to read current waptversion from registry;
[FIX] be more tolerant to broken or inexistent wmi layer (for the WAPT Console on wine for example);
WAPT-1.7.4.6074 (2019-05-09)¶
(hash 95a146c002)
Fixes and improvements over RC2¶
[IMP] waptself.exe preview application updated. Loads icons in the background.
Known issues:
does not work with repositories behind proxies and client side authentication;
WAPT https Server certificate is not checked when downloading icons;
High DPI not handled properly;
Cosmetic and ergonomic improvements still to come;
[IMP] Improved the WAPT Server setup on windows: opened port 80 on firewall in addition to 443;
[IMP] Improved the WAPT Server on Debian: added www-data group to wapt user even if user wapt already exists;
[IMP] Improved the WAPT Server on CentOS: added waptwua directory to SELinux httpd_sys_content_t context;
[FIX] Improved the WAPT Server client authentication: commented out ssl_client_certificate and ssl_verify_client by default, because old client’s certificate does not have proper clientAuth attribute (error http 400);
[FIX] problem accessing to 32bit uninstall registry view from 32bit wapt on Windows server 2003 x64 and Windows server 2008 x64:
it looks like it is not advisable to try to access the virtual Wow6432Node virtual node with disabled redirection;
[FIX] Fixed SetupHelpers installed_softwares regular expression search on name;
https://github.com/tranquilit/WAPT/issues/7
[IMP] Improved the WAPT service: for planned periodic upgrade, use single WaptUpgrade task like the one used in websocket;
[IMP] Improved the WAPT Exit utility: cancel all tasks if closing the form;
[FIX] wapt-get: wapt-get service mode with events: refactor using uWAPTPollThreads;
[FIX] veyon cli executable name updated;
[IMP] wapt-get: check CN and subjectAltNames in lowercase for enable-check-certificate action;
WAPT-1.7.4 RC2 (2019-04-30)¶
(hash 5ef3487)
Security¶
upgrade urllib3 to 1.24.2 for CVE-2019-11324 (high severity);
upgrade jinja2 to 2.10.1 for CVE-2019-10906;
New¶
[NEW] Wapt self service application preview;
Improvements¶
[IMP] propose to copy the newly created CA certificate to ssl local service dir, and restart the WAPT service. Useful for first time use;
Fixes¶
[FIX] sign_needed for wapt-signpackages.py;
[FIX] missing StoreDownload table create;
[FIX] bug in fallback package_uuid calculation. It didn’t include the version;
WAPT-1.7.4 RC1 (2019-04-16)¶
(hash 4cdcaa06c83b)
Changes¶
[UPD] handling of subjectAltName attribute for the WAPT https Server certificates checks in the WAPT Console (useful when certificate is a multi hostname commercial certificate). Before, only CN was checked against host’s name;
[UPD] client certificate authentication for the WAPT Console;
[UPD] versioning of wapt includes now the Git revision count;
Details¶
[FIX] replace openssl command line call with waptcrypto call to create tls certificate on linux server WAPT install;
[FIX] Added dnsname subjectAltName extension to self signed certificate of the WAPT Server on linux wapt nginx server configuration;
[FIX] pkcs12 export;
[NEW] handling of SubjectAlternativeName in certificates for the WAPT Server X509 certificate check in addition to CN:
Added a SubjectAltName when creating self signed certificate on linux wapt nginx server in postconf;
For old installation, the certificate is not updated. It should be done manually;
[FIX] fix check_install returning additional packages to install which are already installed (when private repository is using locale or maturities):
Added missing attributes in waptdb.installed_matching;
[NEW] added client certificate path and client private key path for the WAPT Console access to client side ssl authentication protected servers;
[FIX] fix regression with wapt-get edit <package>:
made filter_on_host_cap a global property of Wapt class instead of a function parameter;
[FIX] regression if there are spaces in OU name. The WAPT Console was stripping space for https://roundup.tranquil.it/wapt/issue911 and https://roundup.tranquil.it/wapt/issue908;
[IMP] allow "0".."9", "A".."Z", "a".."z", "-", "_", "=", "~", "." in package names for OU packages. Replaces space with ~ in package names and "," with "_";
[IMP] make sure we have a proper package name in packages edit dialogs;
[IMP] Improved the WAPT service config: allow waptupdate_task_period to be empty in wapt-get.ini to disable it in the WAPT service;
[FIX] waptutils: fix regression on wget() if user-agent is overridden;
[FIX] waptwua: fix an error in install progress % reporting for wua updates;
[IMP] Refactored the WAPT System Tray utility for consistency. Makes use of uwaptpollthreads classes;
[IMP] Improved the WAPT Exit utility: some changes to try to fix cases when it does not close automatically;
[IMP] build: add git Revcount (commit count) to exe metadata.
[FIX] Fixed the WAPT Console: hosts for package grid not refreshed if not focused.
[FIX] internal: use synapse httpsend for the WAPT Exit utility / wapt-get / the WAPT System Tray utility local service http queries to workaround authentication retry problems with indy.
[ADD] wapt-get.exe: added --locales to override temporarily locales from wapt-get.ini.
[ADD] Added WaptServiceUser and WaptServicePassword / WaptServicePassword64 command line parameters in wapt-get.exe.
[FIX] Fixed timeout checking in checkopenport.
[ADD] core: Added logs for WAPT Self-service authentication.
[ADD] Added to the WAPT service: keywords.json service action.
[ADD] Added to the WAPT service: filter keywords (.csv) on packages.json provider.
[IMP] Improved the WAPT Console: replace tri-state checkbox by a radio group for wua enabled setting in the Create the WAPT Agent dialog.
[IMP] Improved the WAPT service local webservice: temporary workaround to avoid costly icons retrieval in local service.
[FIX] Simplified installed_wapt_version in waptupgrade package to avoid potential install issues.
[IMP] Improved the WAPT Console layout: anchors for running task memo.
[FIX] Makefullyvisible for main form to avoid forms outside the visible area when disconnecting a second display.
[FIX] Fixed layout of tasks panel for Windows 10.
[FIX] Added token_lifetime to the WAPT Server side (instead of using clockskew for token duration).
[UPD] Updated default unit days instead of minutes for wua scan download install and install_delay.
[ADD] Added optional export of key and certificate as PKCS12 file in create key dialog (to check SSL client authentication in browsers…).
[FIX] Fixed winsetup.py for backslashes in nginx.
[FIX] Fixed wapt-get json output / flush error.
[IMP] Improved the cache host_certificate_fingerprint and issuer id in local database so that we do not need to read private directory to get host_capabilities. It allows to use wapt-get list-upgrade as normal user.
[UPD] Do not make DNS query in the WAPT Console Login / waptconfig to avoid DNS timeout if domain DNS server is not reachable.
[FIX] Fixed warning message introduced in previous revision when adding a new ini config on login (Enterprise only).
[FIX] Fixed waptwua to handle redirect for wsusscn2 head request (Enterprise only).
[UPD] Report only 3 members on the wapt_version capability attribute.
[IMP] Improved WAPT core: refactor WaptUpgrade task: check task to append and then append them to tasks queue in WaptUpgrade.run instead of doing it in caller code. Avoid timeout when upgrading;
[IMP] Improved WAPT core: self service rules refactoring;
[IMP] Improved WAPT core: notify the WAPT Server when audit on waptupgrade;
[IMP] Improved WAPT core: fix update_status not working when old packages have no persistent_dir in the database;
[IMP] Improved core: tasks, events action in the WAPT service: timeout in milliseconds instead of seconds for consistency;
WAPT-1.7.3.11 (2019-03-25)¶
(hash 92ccb177d5c)
[FIX] Fixed the WAPT Console: use repo specific ca bundle to check remote WAPT repo Server certificate (different from main wapt repo);
[FIX] Fixed the WAPT Console / hosts for packages: fixed F5 to do a local refresh;
[FIX] Improved update performance with repositories with a lot of packages;
[FIX] Improved the WAPT System Tray utility reporting:
fix faulty inverted logic for notify_user parameter;
[FIX] Fixed the WAPT Console: bad filtering of hosts for package (Enterprise only);
[FIX] Fixed the WAPT Exit utility to close even if Running task if no pending task / no pending updates;
[FIX] Fixed the WAPT Exit utility: fixed potential case where the WAPT Exit utility remains running with high cpu load;
[FIX] Fixed the WAPT Console: fixed HostsForPackage grid not filtered properly (was improperly using Search expr from first page);
[FIX] Fixed the WAPT service: None has no check_install_is_running error on startup of the WAPT service;
[FIX] Fixed WAPT core: set persistent_dir and persistent_source_dir attributes on setup module for install_wapt;
[FIX] Fixed WAPT core: fixed bug in guessed persistent_dir for dev mode;
[FIX] Fixed WAPT core: fixed error resetting status of stuck processes in local database (check_install_running);
[FIX] Fixed the WAPT service: trap error setting runstatus in database in tasks manager loop:
Do not send runstatus to the WAPT Server each time it is set;
[UPD] Updated WAPT core: define explicitly the private_dir of Wapt object;
[UPD] WAPT Server: do not refuse to provide authtoken if FQDN has changed (this does not introduce specific risk as request is signed against UUID);
[UPD] Updated WAPT core: if package_uuid attribute is not set in package’s control (old wapt), it is set to a reproducible hash when package is appended to local waptdb so we can use it to lookup packages faster (dict);
[NEW] New in the WAPT Console: added audit scheduling setup in the WAPT Agent dialog (Enterprise only):
added set_waptaudit_task_period in innosetup installers;
[IMP] Improved SetupHelpers: add win32_displays to default wmi keys for report;
[IMP] Improved WAPT Server setup: create X509 certificate / RSA key for hosts ssl certificate signing and authentication during setup of the WAPT Server;
[IMP] Improved the WAPT Exit utility: added sizeable border and icons;
[IMP] Improved showing the progress of long tasks;
[IMP] Improved the WAPT service: process update of WAPT packages as a task instead of waiting for its completion when upgrading (to avoid timeout when running upgrade the WAPT service task):
added update_packages optional (default True) parameter for upgrade the WAPT service action;
[NEW] Added audit scheduling setup in the WAPT Agent compilation dialog (Enterprise only);
[NEW] New in SetupHelpers: added setuphelpers.get_local_profiles;
[IMP] Improved the WAPT Server: do not refuse to provide authentication token for websockets authentication if FQDN has changed;
[IMP] Flush stdout before sending status to the WAPT Server;
[IMP] Improved waptcrypto handling alternative object names in CSR build;
[IMP] Improved wapt-get: --force option on wapt-get.exe service mode;
[NEW] Use client side authentication for waptwua too;
[CHANGE] WAPT Server setup: nginx windows config: relocate logs and pid;
[ADD] Added conditional client side ssl authentication in nginx config;
[CHANGE] In the WAPT Console: refactored wget, wgets for the WaptRemoteRepo and the WAPT Server to use requests.Session object to handle specific ssl client authentication and proxies:
Be sure to set privateKey password dialog callback to decrypt client side ssl authentication key;
[IMP] Improved waptcrypto: added waptcrypto.is_pem_key_encrypted;
[IMP] Improved the WAPT Console: make sure the WAPT Agent window is fully visible;
[IMP] Improved the WAPT Console: make sure Right click select row on all grids;
[ADD] Added in the WAPT Console: import from remote repo: add certificate and key for client side authentication;
WAPT-1.7.3.10 (2019-03-06)¶
(hash ec8aa25ef)
Security¶
[UPD] upgraded OpenSSL dlls to 1.0.2r for https://www.cert.ssi.gouv.fr/avis/CERTFR-2019-AVI-080/ (moderate risk);
New¶
[IMP] much reworked wizard pages embedded in waptserversetup.exe windows server installer. Install of the WAPT Server on Windows is easy again:
register server as a client of the WAPT Server;
create new key / certificate pair;
build waptagent.exe and waptupgrade.exe package;
configure package prefix;
[NEW] if client certificate signing is enabled on the WAPT Server (waptserver.ini config), the WAPT Server will sign a CSR for the client when the client is first registered. See Configuring client-side certificate authentication.
[NEW] wapt-get: added new command create-keycert to create a pair of RSA key / x509 certificate in batch mode. Self signed or signed with a CA key/certificate:
(options are case sensitive…)
option /CommonName: CN to embed in certificate;
options /Email, /Country, /Locality, /Organization, /OrgUnit: additional attributes to embed in certificate;
option /PrivateKeyPassword: specify the password for private key in clear text form;
option /PrivateKeyPassword64: specify the password for private key in base64 encoding form;
option /NoPrivateKeyPassword: ask to create or use an unencrypted RSA private key;
option /CA=True (or False): create a certification authority certificate if True (default to True);
option /CodeSigning=True (or False): create a code signing certificate if True (default to True);
option /ClientAuth=True (or False): create a certificate for authenticating a client on the WAPT https Server with ssl authentication (default to True);
option /CAKeyFilename: path to CA private key to use for signing the new certificate (defaults to %LOCALAPPDATA%\waptconsole\waptconsole.ini [global] default_ca_key_path setting);
option /CACertFilename: path to CA certificate to use for signing the new certificate (defaults to %LOCALAPPDATA%\waptconsole\waptconsole.ini [global] default_ca_cert_path setting);
option /CAKeyPassword: specify the password for CA private key in clear text form to use for signing the new certificate (no default);
option /CAKeyPassword64: specify the password for CA private key in base64 encoding form to use for signing the new certificate (no default);
option /NoCAKeyPassword: specify that the CA private key to use for signing the new certificate is unencrypted;
option /EnrollNewCert: copy the newly created certificate in <wapt>\ssl to be taken in account as an authorized packages signer certificate;
option /SetAsDefaultPersonalCert: set personal_certificate_path in configuration inifile [global] section (default %LOCALAPPDATA%\waptconsole\waptconsole.ini);
[NEW] wapt-get: added new commands build-waptagent to compile a customized WAPT Agent in batch mode:
copy waptagent.exe and pre-waptupgrade locally (if not /DeployWaptAgentLocally, upload to the WAPT Server with https);
option /DeployWaptAgentLocally: copy the newly built waptagent.exe and prefix-waptupgrade_xxx.wapt to local WAPT Server repository directory.\waptserver\repository\wapt\;
[NEW] wapt-get register: added options for easy configuration of wapt when registering:
--pin-server-cert: pin the WAPT Server certificate (check that CN of certificate matches hostname of WAPT Server and WAPT repo);
--wapt-server-url: set wapt_server setting in wapt-get.ini;
--wapt-repo-url: set repo_url setting in wapt-get.ini (if not provided, and there is no repo_url set in wapt-get.ini, extrapolate repo_url from the WAPT Server url);
[NEW] wapt-get: added check-valid-codesigning-cert / CheckPersonalCertificateIsCodeSigning action;
Improvements and fixes¶
python libraries updates
cryptography from 2.3.1 –> cryptography 2.5.0;
pyOpenSSL 18.0.0 –> pyOpenSSL 19.0.0;
[FIX] Do not reset host.server_uuid in the WAPT Server database when host disconnect from websocket. Set host.server_uuid in the WAPT Server database when host gets a token;
[FIX] modify isAdminLoggedIn to try to fix cases when we are admin but function return false;
[FIX] ensure valid package name in package wizard (issue959);
[FIX] regression when using python cryptography 2.4.2 openssl bindings for windows XP WAPT Agent (openssl bindings of the python cryptography default WHL >= 2.5 does not work on Windows XP);
[FIX] trap exception when creating database tables from scratch fails, allowing upgrade of structure;
[FIX] reduce the risk of database is locked error;
[FIX] deprecation warning for verifier and signer when checking crl signature;
[FIX] persistent_dir calculation in package’s call_setup_hook when package_uuid is None in local wapt database (for clients migrated from pre 1.7 wapt, error None has no len() in audit log);
[FIX] regression: do not try to use host_certificate / key for client side ssl authentication if they are not accessible;
[IMP] define proxies for crl download in wapt-get scan-packages;
[IMP] fixed bad normalization action icon;
[IMP] paste from clipboard action available in most packages editing grid;
[IMP] propose to define package root dev path, package prefix, the WAPT Agent or new private key / certificate when launching the WAPT Console;
[IMP] remove the need to define waptdev directory when editing groups / profiles / wua packages / self-service packages;
[IMP] grid columns translations in French;
[IMP] Improved the WAPT Exit utility responsiveness improvements. Events check thread and tasks check thread are now separated.
[NEW] added ClientAuth checkbox when building certificate in the WAPT Console;
[NEW] added --quiet / -q option to postconf.py
[MISC] add an example of client side certificate authentication
[ADD] added clientAuth extended usage to x509 certificates (default True) for https client authentication using personal certificate;
[NEW] use of ssl client certificate and key in the WAPT Console for authenticating with the WAPT Server;
[FIX] ssl client certificate authentication not taken in account for the WAPT Server api and host repository;
[ADD] added is_client_auth property for certificates;
default None for is_client_auth certificate / CSR build;
do not fallback to host’s client certificate authentication if it is not clientAuth capable (if so, http error 400);
[MISC] waptcrypto: added SSLPKCS12 to encapsulate pkcs#12 key / certificate in certificate store;
[MISC] added splitter for log memo in Packages for hosts panel;
[FIX] store fixes;
[FIX] be tolerant when no persistent_dir in waptwua packages;
min wapt version 1.7.3 for self service packages and waptwua packages,
[FIX] WsusUpdates has no attribute downloaded;
WAPT-1.7.3.7 (2019-02-19)¶
(hash 373f7d92)
Bug fixes¶
[FIX] softs normalization dialog closed when typing F key (Enterprise only);
[IMP] include waptwua in the WAPT Nginx Server windows locations (Enterprise only);
[FIX] force option from service or websockets not being taken in account in install_msi_if_needed or install_exe_if_needed;
[IMP] improved win updates reporting (uninstall behavior) (Enterprise only);
[ADD] added uninstall action for winupdates in the WAPT Console (Enterprise only);
[FIX] reporting from dmi « size type » fields with non integer content (Enterprise only);
Improvements¶
[IMP] Improved the WAPT Exit utility: allow minimize button;
[IMP] Improved the WAPT Exit utility: layout changes;
[IMP] AD authentication: less restrictive on user name sanity check (Enterprise only);
[IMP] handling of updates of data for winupdates with additional download urls (Enterprise only);
[ADD] added some additional info fields to WsusUpdates table (Enterprise only);
[ADD] added filename to Packages table for reporting and store usage (Enterprise only);
[ADD] added uninstall win updates to the WAPT Console (Enterprise only);
[ADD] added windows updates uninstall task capabilities (Enterprise only);
[ADD] added filename to Packages table;
[IMP] increased default clockskew tolerance for client socket io;
WAPT-1.7.3.5 (2019-02-13)¶
Bug fixes¶
[FIX] regression in package filenames (missing _);
[FIX] Fixed mismatch for the WAPT Console [global] waptwua_enabled setting;
[FIX] Fixed default in the WAPT Console EnableWaptWUAFeatures to True;
WAPT-1.7.3.4 (2019-02-13)¶
Bug fixes¶
[FIX] Fixed the WAPT Exit utility: install of an empty list of Windows Updates (Enterprise only);
[FIX] wapt-get.exe WaptWUA commands: fixed import of waptwua client module for waptwua-scan download install (Enterprise only);
[FIX] install_delay for Windows Updates stored as a time_delta in waptdb (Enterprise only);
Improvements¶
[ADD] versioning on group packages filenames;
[ADD] button to create AD Host profiles (package automatically installed/removed based on AD Group memberships);
[IMP] reduce the WAPT System Tray utility notifications occurrences. notify_user = False per default;
[FIX] Fixed the WAPT Exit utility: details panel does not show the pending packages to install;
[FIX] always install the missing dependencies in install (even if upgrade action should have queued dependencies installs before) for some corner known cases;
[FIX] get the WAPT Server certificate chain popup action when building the WAPT Agent;
[ADD] action to create a key / certificate in the WAPT Console conf;
[IMP] hide inactive / disabled WaptWUA actions in Host popup menu;
[ADD] checkbox to display newest only for groups;
[ADD] Added in the WAPT Console the config parameter licences_directory to specify the location (directory) of licenses (Enterprise only);
[IMP] Improved the WAPT Agent build dialog: Removed the Append host’s profiles option;
[IMP] remove waptenterprise directory if waptsetup community is deployed over a waptenterprise edition;
WAPT-1.7.3.3 (2019-02-11)¶
[IMP] Core:
better support for locales, maturities and architecture packages filtering;
[NEW] Self service rule packages (Enterprise only):
Package to define which packages can be installed / remove for groups of users;
WAPT Windows Updates rules packages (Enterprise only);
[NEW] package to define which Windows Updates are allowed / forbidden to be deployed by Wapt WUA Agents;
WAPT Agent build:
[ADD] Added the option for use_fqdn_as_uuid when building waptagent.exe;
[ADD] Added the option to define the profile package to be deployed upon WAPT install on hosts;
[ADD] Added the options to enable WaptWUA (Windows updates with Wapt) (Enterprise only);
Host Profile packages (Enterprise only):
[IMP] specific packages (like Group packages) which are installed or removed depending of wapt-get.ini [global] host_profiles ini key;
[NEW] if a profile package name matches Computer’s AD Groups, it is deployed automatically;
Reporting (Enterprise only):
[NEW] import / export queries as json files;
[IMP] softwares names normalization as a separate dialog;
WAPT Exit utility:
[IMP] reworked to make it more robust;
[IMP] takes in account packages to remove;
[IMP] takes in account Wapt WUA Updates (Enterprise only):
command line switch: /install_wua_updates;
wapt-get.ini setting: [waptwua] install_at_shutdown = True;
checkbox in the WAPT Exit utility to skip install of Windows Updates;
WAPT Console Custom commands:
[NEW] ability to define custom popupmenu commands which are launched for the selection of hosts. Custom variables {uid};
Other improvements:
[IMP] French translations fixes;
Changelog 1.7.2¶
[NEW] Reporting (Enterprise only):
basic SQL reporting capability;
duplicate action / copy paste for reporting queries;
[ADD] SetupHelpers: added SetupHelpers processes_for_file and get_computer_domain;
Libraries updates¶
python 2.7.15 on Windows;
openssl-1.0.2p;
upgraded to python-requests 2.20.0 (Security Fix);
Improvements¶
[IMP] Do not refresh GridHostsForPackage if not needed (Enterprise only);
[IMP] Do not add a newline to log text output for LogOutput;
[IMP] Improved handling of update_host_data hashes to reduce amount of data sent to the WAPT Server on each update_server_status;
[IMP] Set python27.dll path in wapt-get and waptconsole.exe (fix cases with multiple python installations);
[FIX] Removal of packages when upgrading host via websockets;
[IMP] Do not get host capabilities if not needed when updating;
[IMP] Do not check package control signatures in wapt-get when loading list of packages for development tasks;
[IMP] Moved static WAPT Server assets to a /static root split base.html and index.html templates for blueprints;
[FIX] Fixed selective pending wua install or downloads (Enterprise only);
[FIX] Fixed WUA updates filter logic (Enterprise only);
[IMP] Improved uninstall host packages if use_hostpackages is set to false:
add a forced update in the task loop when host capabilities have been changed;
include use_host_packages and host_profiles in host’s capabilities.
[FIX] Fixed regression not removing implicit packages.
[IMP] More tolerant to unicode errors in update_host_data to avoid hiding actual exception behind an encoding exception.
[FIX] Fixed order of columns not kept when exporting reports (Enterprise only)
[IMP] Improved install_msi_if_needed, install_exe_if_needed: check if killbefore is not empty or None
[IMP] Changed tasks’s progress and runstatus to property
[FIX] Fixed audit aborted due to exception: “NoneType” object is not iterable (Enterprise only)
[ADD] SetupHelpers: Added setuphelpers.get_app_path and setuphelpers.get_app_install_location:
add fix_wmi procedure to re-register WMI on broken hosts;
some wmi fallbacks to avoid unregistered hosts when WMI is broken on them.
[ADD] Added online wua scans (Enterprise only)
[ADD] Added random package_uuid when signing a package metadata which could be used later as a primary key:
creates a random package_uuid when installing in DEV mode;
creates a random package_uuid when installing a package without package_uuid.
[IMP] Moved and renamed EnsureWUAUServRunning to SetupHelpers;
[ADD] Added pending_reboot_reasons to inventory;
[IMP] Improved the display of WAPT package versions for missing packages;
[ADD] wapt-get sign-packages: added setting maturity and inc version in sign-packages action;
[ADD] Added WindowsUpdates’s host History grid below WindowsUpdate grid (Enterprise only);
[IMP] Improved storing of Host Windows update history in the WAPT Server database (Enterprise only);
[IMP] keep selected or focused rows in grids;
[IMP] Improved updates Packages table when uploading a Package / Group. This table is meant mainly for reporting purpose;
[IMP] Disables indexes for some BinaryJson fields;
[FIX] Fixed Windows Updates install_date reporting (Enterprise only);
[ADD] Added a checkbox to enable use_fqdn_as_uuid when building waptagent.exe;
[IMP] Changed default value for upgrade_only_if_not_process_running;
[IMP] Changed naming of organizational unit packages to remove ambiguity with comma in package name and comma to describe the list of WAPT packages depends / conflicts:
Replace “,” with “_” when editing package (Enterprise only);
[ADD] Added to the WAPT Exit utility: priorities and only_if_not_process_running command line switches;
[IMP] Improved waptupgrade: changed windows_version and Version;
[ADD] Added SetupHelpers setuphelpers.windows_version: added setuphelpers.members_count;
[IMP] Improved waptutils.Version: strip members to members_count if not None;
[ADD] Added control attributes editor keywords license homepage package_uuid to the local WAPT service database;
[ADD] Added short fingerprint to repr of SSLCertificate;
[IMP] Be sure password gui is visible even if parent window is not;
[ADD] Added gui for private key password dialog if --use-gui;
[ADD] Added --use-gui to wapt-get.exe command line argument to force the use of waptguihelper for the WAPT Server credentials when registering;
WAPT-1.6.2.7 (2018-10-02)¶
This is a bugfix release for 1.6.2.5:
[FIX] Fixed the WAPT Exit utility: changed the default value of upgrade_only_if_not_process_running parameter to False instead of True:
if upgrade_only_if_not_process_running is True, the install tasks for packages with running processes (impacted_process) are skipped;
if upgrade_only_if_not_process_running is False, the install tasks for packages with running processes may impact the user if the installer kills the running processes;
[FIX] waptwua: take in account Windows Updates RevisionNumber attribute to identify uniquely an Update in addition to UpdateID field (Enterprise only). This fixes the 404 error when downloading missing windows updates on a client.
WAPT-1.6.2.6 (2018-09-26)¶
This is a bugfix release for 1.6.2.5:
[FIX] Fixed the WAPT Server Enterprise on Windows: added proper upgrade path from PostgreSQL 9.4 (used in WAPT 1.5) to PostgreSQL 9.6 which is required for WAPT-Windows Update:
new database binary and data directory path are suffixed with -9.6;
old data is suffixed with -old after migration;
[FIX] upgrade script for MongoDB upgrade (WAPT 1.3) to PostgreSQL used since WAPT 1.5;
[FIX] regression on WMI / DMI inventory which may be not properly sent back to the WAPT Server;
WAPT-1.6.2.5 (2018-09-14)¶
[NEW] Main new features if you are coming from 1.5:
per package Audit feature (Enterprise only);
WAPT managed Windows Updates tech preview (Enterprise only);
wizards to guide post configuration of Windows server and first use of waptconsole;
waptconsole/ private repo page: added a grid which shows the computers where the selected package is installed;
It includes numerous changes over the 1.5.1.26 version.
New¶
[NEW] per package audit feature:
def audit() hook function to add into package’s setup.py. By default, check uninstall key presence in registry:
wapt-get audit;
wapt-get -S audit;
wapt-get audit <packagename>;
right click in the WAPT Console on hosts or installed packages/ Audit package;
synthetic audit status for each host;
for each installed package: last_audit_status, last_audit_on, last_audit_output, next_audit_on;
scheduled globally with wapt-get.ini parameter [global]: waptaudit_task_period = 4h or in package’s control file: audit_schedule = 1d
audit log displayed in waptconsole below installed package grid if Audit Status column is focused;
[UPD] updated python modules
[IMP] build with Lazarus 1.8.2 instead of CodeTyphon 2.8 for the Windows executables:
better strings encoding handling and easier to setup for the development;
Known issues¶
PostgreSQL 9.6 is required for WAPT WUA tech preview (Debian Jessie not supported);
WAPT 1.6 includes one more security layer in the WAPT Agent to WAPT Server connection. After the WAPT Server upgrade, the client desktops will not be able to connect to the WAPT Server as long as they have not been upgraded themselves. If you need to remotely manage the WAPT agent while the agent has not yet been upgraded, it is necessary to set allow_unauthenticated_connect to True in waptserver.ini;
Fixes¶
[FIX] add AD Groups as Hosts dependencies in waptconsole;
[FIX] remove image on reachable column if no status has been sent yet;
[FIX] Organizational Units WAPT packages not being installed when there are spaces in DN;
[FIX] Operational error when host are trying to reconnect but are not registered;
[FIX] fill in created_on database fields on win updates data;
[IMP] debian server postinst: remove old pyc files;
Changes¶
[IMP] Improved WAPT Console setup Wizard;
[ADD] allow_unauthenticated_connect defaults to allow_unauthenticated_registration if it is not explicitly set in waptserver.ini file (This will ease migration from 1.5 to 1.6);
[IMP] Escape key on password edit of login moves focus to configuration combo;
[IMP] PackageEntry.asrequirement(): removed space between package name and version specification;
[IMP] missing install_date in insert_many for some updates;
[ADD] add force argument for WAPTUpdateServerStatus action;
[IMP] Do not include setup.py in initial host’s packages inventory, and full inventory;
[IMP] allow to use installed waptdeploy.exe without retry/ignore dialog;
[IMP] be sure error is reported properly in socketio;
[IMP] added package_uuid and homepage package attributes;
[IMP] added installed on columns for host wsus updates;
[FIX] WUA grid layout saving;
WAPT-1.6.2.2 (2018-07-16)¶
Known issues¶
PostgreSQL 9.6 is required for WAPT WUA tech preview (Debian Jessie not supported);
the authentication of client connections to the WAPT websockets server is not compatible with pre-1.6.2 wapt clients. During migration, if you want to keep the connection with clients, you have to disable the authentication with the parameter allow_unauthenticated_connect=False in the WAPT Server’s configuration file waptserver.ini. When all clients have migrated, this can be removed;
New¶
[NEW] wizard for the initial configuration of waptserver on Windows;
[ADD] wizard for the initial configuration of waptconsole connection parameters;
[ADD] Enterprise only: waptconsole/ private repo page: added a grid which shows the computers where the selected package is installed;
[NEW] Enterprise only: WAPT WUA Windows Updates management technical preview:
activate with waptwua_enabled=True in wapt-get.ini file on the client;
scan of updates on Windows clients with the IUpdateSearcher Windows API and the wsusscan2 cab file from Microsoft;
additional page in the WAPT Console host inventory for Windows updates status reported (HostWsus model);
additional page in the WAPT Console for the consolidated view of all updates reported by hosts (WsusUpdates model);
periodic task on the WAPT Server to check and download newer version of wsusscan2 cab file from Microsoft (daemon/ service wapttasks);
periodic Task on the WAPT Server to download missing windows updates files as reported by Windows client after scan:
missing files are downloaded if one of the client should install it and has not yet a copy in its local windows update cache;
downloads are logged in WsusDownloadTasks model;
Changes¶
[ADD] field in hosts table to keep the hashes of sent host data, so that clients can send only what needs to be updated;
[ADD] db_port WAPT Server config parameter if postgresql server is not running on standard port 5432;
[ADD] editor optional attribute for package control, used in register_windows_uninstall helper if supplied;
[IMP] websocket authentication with a timestamped token obtained from the WAPT Server with client SSL certificate;
[IMP] json responses from waptserver are gzipped;
Fixes¶
[IMP] forced host uuid;
[IMP] forced computer AD Organizational unit;
[IMP] public certs dir;
[FIX] caching of negative result for certs chain validation;
[IMP] refactoring of the WAPT Server python modules (config, utils, auth, app, common, decorators, model, server) for the enterprise modularity;
[FIX] timezone file timestamp handling for http download;
Python modules updates¶
upgrade to peewee 3.4;
upgrade to eventlet==0.23.0;
upgrade to huey 1.9.1;
eventlet 0.20.1 –> eventlet 0.22.1;
0.22.1:
[IMP] event: Event.wait() timeout=None argument to be compatible with upstream CPython;
[IMP] greendns: Treat /etc/hosts entries case-insensitive. Thanks to Ralf Haferkamp;
0.22.0:
[IMP] dns: reading /etc/hosts raised DeprecationWarning for universal lines on Python 3.4+. Thanks to Chris Kerr;
[IMP] green.openssl: Drop OpenSSL.rand support. Thanks to Haikel Guemar;
[IMP] green.subprocess: keep CalledProcessError identity. Thanks to Linbing@github;
[IMP] greendns: be explicit about expecting bytes from sock.recv. Thanks to Matt Bennett;
[IMP] greendns: early socket.timeout was breaking IO retry loops;
[IMP] GreenSocket.accept does not notify_open. Thanks to orishoshan;
[IMP] patcher: set locked RLocks’ owner only when patching existing locks. Thanks to Quan Tian;
[IMP] patcher: workaround for monotonic « no suitable implementation ». Thanks to Geoffrey Thomas;
[IMP] queue: empty except was catching too much;
[IMP] socket: context manager support. Thanks to Miguel Grinberg;
[IMP] support: update monotonic 1.3 (5c0322dc559bf);
[IMP] support: upgrade bundled to dnspython 1.16.0 (22e9de1d7957e) https://github.com/eventlet/eventlet/issues/427;
[FIX] websocket leak when client did not close connection properly. Thanks to Konstantin Enchant;
[IMP] websocket: support permessage-deflate extension. Thanks to Costas Christofi and Peter Kovary;
[IMP] wsgi: close idle connections (also applies to websockets);
[IMP] wsgi: deprecated options are one step closer to removal;
[IMP] wsgi: handle remote connection resets. Thanks to Stefan Nica;
0.21.0:
[IMP] new timeout error API: .is_timeout=True on exception object. It’s now easy to test if network error is transient and retry is appropriate. Please spread the word and invite other libraries to support this interface;
[IMP] hubs: use monotonic clock by default (bundled package); Thanks to Roman Podoliaka and Victor Stinner
[IMP] dns: EVENTLET_NO_GREENDNS option is back, green is still default;
[IMP] dns: hosts file was consulted after nameservers;
[IMP] wsgi: log_output=False was not disabling startup and accepted messages;
[IMP] greenio: Fixed OSError: [WinError 10038] Socket operation on nonsocket;
[IMP] dns: EAI_NODATA was removed from RFC3493 and FreeBSD;
[IMP] green.select: fix mark_as_closed() wrong number of args;
[NEW] added zipkin tracing to eventlet;
[IMP] db_pool: proxy Connection.set_isolation_level();
Flask-socketio 2.9.2 –> Flask-socketio 3.0.1;
python-engineio 2.0.1 –> python-engineio 2.0.4;
python-socketio 1.8.3 –> python-socketio 1.9.0;
upgrade to websocket-client 0.47;
WAPT-1.6.2.1 (2018-07-04)¶
New features¶
[ADD] def audit() optional hook in package is called periodically to check compliance. Log and status is reported in the WAPT Server database and displayed in the WAPT Console (Enterprise).
[ADD] WSUS tech preview: based on local Windows update engine and WSUSSCAN2 cab Microsoft file. WAPT Server acts as a caching proxy for updates. Scanning for, downloading and applying Windows updates can be triggered from the WAPT Console on workstations (Enterprise). A new wapttasks process is launched on the WAPT Server to download updates and wsusscan cab from Internet.
Changes / Improvements¶
[IMP] better utf8 handling;
[IMP] wapt-get make-template from a directory creates a basic installer for portable apps;
[IMP] Improved wapt-get, the WAPT Exit utility: Removed ZeroMQ message queue on the client, replaced by simple http long polling to monitor tasks status;
[IMP] Improved the WAPT Console: Replaced blocking timer based http polling for tasks status by threaded http long polling;
[IMP] Improved the WAPT Console: Filter hosts on whether current personal certificate signature is authorized for remote tasks (Enterprise). If the same WAPT Server is used for several organizations, it allows to focus on own hosts. This supposes that different CA certificates are deployed depending on the client host’s organization. In this release, the filtering is not enforced and not cryptographically authenticated;
[CHANGE] renamed waptservice.py to service.py and waptserver.py to server.py, activated absolute import for all python sources;
[REMOVED] use_http_proxy_for_template parameter (setting is now in [wapt-templates] repo);
The WAPT service
[ADD] handling of WUA tasks (Scan, download, apply updates) (Enterprise);
[ADD] handling of auditing tasks;
The WAPT Server
[ADD] tasks queue (Huey) for the WSUS background tasks (Enterprise);
[IMP] gzip compression activated on the nginx configuration;
The WAPT System Tray utility
[ADD] option in wapt-get.ini to hide some items:
hidden_wapttray_actions: comma separated list of:
LaunchWAPTConsole, register, serviceenable, reloadconfig, cancelrunningtask, cancelalltasks, showtasks, sessionsetup, forceregister, localinfo, configure;
[CHANGE] use long polling instead of zmq;
[IMP] stop/ start/ query the WAPT service using a thread to avoid gui freeze;
Fixes¶
[FIX] waptguihelper: be sure to load the proper python27.dll;
[FIX] core: forward force argument from the WAPT Console to setup.py install() hook;
[FIX] overwrite psproj package file when editing a package to fix path to WAPT python virtualenv and add new debug actions;
Modules updates¶
[UPD] GUI Binaries are built with Lazarus 1.8.2 / fpc 3.0.4 instead of CodeTyphon 2.8;
[UPD] peewee 3.0.4;
[UPD] eventlet 0.23.0;
[UPD] huey 1.9.1;
[UPD] pywin32 rev 223;
[UPD] Flask-socketio 2.9.6;
[UPD] engineio.socket 2.0.4;
[UPD] websocket-client 0.47;
[UPD] pyOpenSSL 17.5.0;
[UPD] request 2.19.1;
Known issues¶
unit type of packages (with AD DN style names) are not well handled by local WAPT self service, because of commas in name.
WAPT-1.6.1.0 (2018-06-21)¶
Fixes¶
[FIX] Fixed av potential cause in the WAPT System Tray utility;
[IMP] Improved buffer LogOuput;
[FIX] Fixed wait task result loop in the WAPT Server;
[FIX] Fixed bad acl on the WAPT service;
[FIX] Fixed repo timeout not taken in account;
[FIX] Fixed bad parameter for repo_url and [wapt-host] section;
[FIX] Fixed potential cause for anti-virus flagging the WAPT Exit utility;
[FIX] Fixed make isAdmin non blocking as a workaround for false positive checks;
[FIX] Fixed use timeout parameter when importing external package;
[FIX] Fixed pass timeout parameter when importing;
[FIX] Fixed bad repo_url config naming;
[FIX] Fixed calc hash when compiling if file does not exist;
[FIX] Fixed repo timeout is float;
[FIX] Fixed custom zip corruption when signing a package with non ascii filenames;
[FIX] Fixed check wapt_db is assigned when rollbacking;
[IMP] Improved logging in events;
[FIX] Fixed installed packages section is incorrectly reported as base instead of unit or host in the WAPT Console;
[IMP] ensure manual service wua is running when using command line;
[UPG] Python modules updates:
upgrade to peewee 3.4;
upgrade to eventlet==0.23.0;
upgrade to huey 1.9.1.
[CHANGE] Replaced eventprintinfo with LogOutput;
[ADD] Added waptwua_enabled config parameter;
[IMP] Improved missing ensure_list waptwua_enabled config parameter;
[IMP] default waptwua_enabled to None to avoid wuauserv service configuration change;
[ADD] Added missing columns for window updates;
[ADD] Added action in the WAPT Console to show help on KB;
[IMP] Improved the WAPT System Tray utility cosmetic: hide duplicated separators in tray popup menu when some actions are hidden;
[ADD] Added http_proxy ini setting for the WAPT Server external download operations;
[IMP] Improved the WAPT System Tray utility: Start and stop the WAPT service using a thread to avoid gui freeze;
[IMP] Switched to pure FPC PBKDF2 password hash calc for postconf;
[IMP] Refactored WAPT Server code to share app and socketio instances;
[FIX] Fixed forward the « force » argument (command line and through the websockets) to the install() setup.py hook;
[FIX] Fixed to not display all missed events at tray startup in the WAPT System Tray utility;
[FIX] Fixed no default audit_period;
[REMOVED] zeromq, replaced by long http polling between the WAPT System Tray utility, wapt-get and the WAPT service;
WAPT 1.5.1.26 (2018-07-12)¶
Bug fixes¶
[IMP] revert monkey_patch for the WAPT Server on windows. No reason to exclude thread;
[ADD] allow_unauthenticated_connect config (default false) on the WAPT Server;
[FIX] CRITICAL update_host failed UnboundLocalError(« local variable “result” referenced before assignment »,);
[FIX] https://forum.tranquil.it/viewtopic.php?f=13&t=1160ix;
[FIX] init_workdir.bat;
[FIX] returns a token when updating host data for websocket authentication;
[IMP] rewrite package psproj when editing (to fix wapt basedir paths);
[FIX] %s -> %d format string for expiration warning message;
[FIX] host_certificate not found for waptstarter;
[ADD] some dev build scripts;
WAPT-1.5.1.24 (2018-07-04)¶
Bug fixes¶
[FIX] Fixed zipfile python library bug for packages which contains files with non-ascii filenames. Signed WAPT packages were corrupted in this case;
[FIX] Fixed deadlocks on the WAPT Server database when simultaneous database connections is larger than 100 (default maximum connections configured by default on postgresql);
[FIX] Fixed crash of the WAPT Console on warning message when license is about to expire (Enterprise only);
[FIX] Fixed %s –> %d format string for expiration warning message;
[FIX] Fixed host_certificate not found for waptstarter;
[FIX] Fixed waptserversetup.iss to include enterprise modules (Enterprise);
[FIX] Fixed download link to waptsetup and the WAPT Deployment utility on the WAPT Server index page for Windows;
Modules updates¶
requests 2.19.1;
Rocket 1.2.8 - Don’t try to resurrect connections that timeout. Increase the timeout … to decrease the likelihood:
handle PyPi only supports HTTPS/TLS downloads now;
avoid sending the terminating chunk in case it is a HEAD request;
fix the problem that when body is empty no terminating chunk is sent for chunked encoding;
explicitly set the log level to warning;
fix bug « Threadpool grows by negative amount when max_threads = 0 »;
do not try to resurrect connections that timeout. Increase the timeout to decrease the likelihood;
WAPT-1.5.1.23 (2018-03-28)¶
Changes¶
[IMP] Improved the WAPT Exit utility: display a custom PNG logo if one is created in %WAPT_HOME%\templates\waptexit-logo.png;
[IMP] nssm.exe is signed with Tranquil IT code signing key;
[ADD] Added in the WAPT Console: locale and maturity columns in packages status grid;
[IMP] Improved in the WAPT Console the WAPT Agent wizard; be sure to get a relative path when checking certificate validity;
[ADD] Added to waptsetup /CopyPackagesTrustedCA and /CopyServersTrustedCA command line parameters to allow deployment of wapt with specific certificates with GPO for wapt without recompiling waptsetup;
Example:
C:\tmp\waptdeploy --hash=e17c4eddd45d34000df0cfe64af594438b0c3e1ee9791812516f116d4f4b9fa9 --minversion=1.5.1.23 --waptsetupurl=http://buildbot/~tisadmin/wapt/latest/waptsetup.exe --setupargs=/CopyPackagesTrustedCA=c:\tmp\tranquilit.crt --setupargs=/CopyServersTrustedCA=c:\tmp\srvwapt.mydomain.lan.crt --setupargs=/verify_cert=ssl\server\srvwapt.mydomain.lan.crt --setupargs=/repo_url=https://srvwapt.mydomain.lan/wapt --setupargs=/waptserver=https://srvwapt.mydomain.lan --setupargs=/DIR=c:\wapt
Bug fixes¶
[FIX] Fixed the WAPT Console: regression introduced in 1.5.1.22. Unable to login if the WAPT Server does not have a FQDN;
[FIX] SetupHelpers: winstartup_info fallback when COMMON_STARTUP folder does not exist, preventing a client to register properly;
[FIX] version/ revision in the WAPT System Tray utility display the git hash instead of old svn revision number;
[FIX] Fixed the WAPT Console: update French translation for certs bundle hint;
[FIX] Fixed the WAPT Console: compare properly packages when number of version members differs 1.3 -<> 1.3.1 for example;
WAPT-1.5.1.22 (2018-03-27)¶
Bug fixes¶
[FIX] add Active Directory groups;
[FIX] newest only with locale, architecture and maturity;
[FIX] Import from external repository with mixed locale, architecture and maturity;
[ADD] --setupargs to waptdeploy;
[FIX] RPM;
[FIX] Enterprise build (Enterprise only);
[IMP] different icons for WAPT Community and Enterprise editions;
[IMP] switch to Community features when no licence instead of aborting (Enterprise);
some up to date Installed Packages marked as upgradable because of bad comparison maturity None/ maturity;
[IMP] depends and conflicts fields of HostsPackagesStatus table limited to 800 chars –> type changed to ArrayField to handle unlimited number of dependencies;
[NEW] git python module added as part of WAPT libraries;
[IMP] list organizational unit packages in group package table (Enterprise);
[FIX] MongoDB to PostgreSQL database upgrade script;
[FIX] licence/ hosts count/ expiry check (Enterprise);
[FIX] relative path for verify_cert;
Known issues¶
When the WAPT Server is searched with DNS SRV query (dnsdomain param), kerberos register authentication is not working.
WAPT-1.5.1.21 (2018-03-13)¶
Global architecture¶
[IMP] multiple languages for description of packages. English, French, German, Spanish, Polish are handled as a start point. More to be added in the future;
[IMP] the description columns in the WAPT Console displays either languages depending on language setting in waptconsole.ini. In packages, description_fr, description_en, etc… have been added;
[IMP] when renaming hosts, old host package (matching previous host uuid) is now « removed » instead of forgotten;
[NEW] Handle AD organizational unit packages (Enterprise only);
[NEW] package attributes:
locale attribute: A computer can be configured to accept only packages with a specific locale;
maturity attribute: stores status like DEV, PREPROD, PROD to describe the level of completion of the package. Computers can be configured to accept packages with specified maturities. Default packages maturity of computer is both the empty one and PROD;
impacted_process attribute: csv list of process names which would be killed before install (install_msi_if_needed, install_exe_if_needed) and uninstall (by the mean of uninstallkey list). Could be used too in the future for « soft » upgrade remote action which upgrade softwares while they are not running;
Setup/ WAPT upgrades¶
WAPTupgrade package
[IMP] increased lifetime for upgrade task windows scheduler trigger for computers which are down for many days when upgrading;
[ADD] trigger at start of the computer;
The WAPT Console
[IMP] display of the list of embedded trusted packages certificates when building the custom WAPT Agent installer;
Bug fixes
[FIX] handle unicode filepaths for Packages Wizard;
[IMP] work in progress improvement of unicode handling globally in the WAPT Console;
[FIX] use proxy if needed for « download and edit » from external repo;
SetupHelpers
[FIX] Fixed bug in create_programs_menu_shortcut and create_user_programs_menu_shortcut. Shortcuts were created in startup and not startup/programs.
WAPT-1.5.1.19 rc1 (2018-03-08)¶
Global architecture¶
There is now some additional support for packages localization.
In Package control file, the description_fr, description_en, description_de, description_pl, description_es can be used to give description in respective French, English, German, Polish languages.
If not set, the base description is used.
WAPT Console¶
WAPT-1.5.1.18 rc1 (2018-02-27)¶
Global architecture¶
There is a significant internal change on how python libraries are managed inside WAPT. This has implications on the way python scripts are launched. This change is only relevant for people launching WAPT processes manually.
We have removed the (not clean) sys.path manipulations inside wapt python scripts sources. The consequence is that all python scripts MUST be run with prior setting PYTHONHOME and PYTHONPATH pointing to WAPT home directory (/opt/wapt on Linux).
Failing to do so results in scripts claiming that libraries are missing.
On the WAPT Server running on Linux, libs are now in the default /opt/wapt/lib/python2.7 location instead of using non standard former one.
[IMP] WAPT has its own full python environment for libraries, even when debugging. Before, system wide python27 installation was needed for PyScripter to run.
Now, PyScripter can be started with a special batch file waptpyscripter.bat which sets the environment variables for python (PYTHONHOME and PYTHONPATH) and runs PyScripter with python dll path set to wapt own copy.
[NEW] Command line scripts with proper environment:
wapt-serverpostconf on Linux server to start the WAPT Server postconf.py
wapt-scanpackages
wapt-signpackages
[NEW] debugging commandline tools which setup python environment properly before running the python script:
to debug the WAPT service, launch in cmd as admin: runwaptservice.bat;
to debug the WAPT Server, launch in cmd: runwaptservice.bat or under linux: runwaptserver.sh;
to launch PyScripter without the need for local system wide python27 install, run waptpyscripter.bat;
WAPT client¶
[IMP] Add local wapt-get.ini settings packages_whitelist and packages_blacklist to restrict accepted packages from repository based on their package’s name;
[IMP] More detailed reporting of host’s repositories configuration (now includes dnsdomain, proxy, and list of trusted certificates);
[FIX] fixed display in the Windows task bar of the login window (to allow in particular the autofill of the password by password managers); the WAPT Agent failing to compile if keys/ certificates already exist but the certificate had been removed from C:\wapt\ssl;
[NEW] Handle AD organizational unit packages (Enterprise edition)
[IMP] Fallback to basic authentication when a host is registering on the WAPT Server if kerberos is enabled but authentication fails.
[IMP] Improved wapt-get.exe, allow to designate configuration wapt-get.ini file with --config option with base name of user waptconsole.ini file (without ini extension) instead of full path. Handy when switching between several configurations. Same behavior as for the WAPT Console. Example: wapt-get -c site3 build-upload c:\waptdev\test-7zip-wapt;
[FIX] Be sure to not loop for ever in websockets retry loop if something is wrong in the WAPT Server or websocket configuration.
[FIX] Update PyScripter project template to use project directory as parameter for debug actions, and use relative paths for filenames.
[FIX] incorrect package version comparison. Return True when comparing 1.2-1 to 1.2.1-3 (note: this is not homogeneous with the Version() class behavior. todo: merge both);
[FIX] waptsetup: register and update MUST be launched with elevated privileges. So remove runasoriginaluser option.
[NEW] Introduced attributes target_os and impacted_process for package’s control file. They are not yet taken in account.
[NEW] Introduced method to handle X509 client certificates authentication for repositories and the WAPT Server (specially for public WAPT Servers);
[NEW] Introduced classes to generate X509 CRL;
Setuphelpers
[UPD] setuphelpers.removetree: Try to remove readonly flag when remove_tree reaches an Access Denied error;
[FIX] Fixed unicode handling in shell startup shortcuts;
[IMP] waptutils.wget can check sha1 or sha256 hashes in addition to md5, and can cache and resume partial downloads;
WAPT Console¶
[NEW] action in the WAPT Console to plan in near future a restart of the WAPT service on selected hosts;
[IMP] mass host update/upgrade in the WAPT Console actions are now launched in single shot instead of one host at a time;
[NEW] allow to force a host_dn in wapt-get.ini when host is not in a domain (Enterprise only);
[NEW] SetupHelpers: added timeout parameter for setuphelpers.service_start, setuphelpers.service_stop and setuphelpers.service_restart;
[IMP] group filter list box is now editable, and one can type a partial group match and press enter to filter on all matching groups. Separator is comma (,). Handle * at the end of search to find all occurrences even if one group matches exactly;
WAPT Server¶
[ADD] bat script migrate-hosts.bat to set environment for migrate-hosts.py;
[ADD] trigger_action.py script to trigger action on pre 1.5 hosts with reachable 8088 port from 1.5 WAPT Server;
[FIX] registration_auth_user reset to None when reusing host certificate for re-register;
[IMP] removed unnecessary dependencies krb5-user, msktutil, python-psutil for the WAPT Server package;
[IMP] increase client_max_body_size for http post on nginx for large update/ upgrade trigger:
fix signature_clockskew parameter not taken in account in the WAPT Server configuration;
unified loggers for the WAPT Server;
have the WAPT Server ask WAPT clients to update status using websockets if websocket connection is up but database is not aware of given SID (case where the WAPT Server is restarted but nginx is kept up, and restart of the WAPT Server service is fast enough to not trigger a reconnection of the clients);
[FIX] disable proxy for migrate-hosts;
Known issues¶
WAPT service: if a system account level http proxy is defined in registry on the windows host, websocket client library tries to use it and fails to connect to the WAPT Server. Workaround: make an exception for the WAPT Server;
In the WAPT Console: if a http proxy is defined in waptconsole.ini, section [global], key http_proxy, it is used by the WAPT Console even if setting use_proxy_for_xxx is False. Workaround: set http_proxy to an empty string in waptconsole.ini;
when using a not self-signed personal certificate, depending on the issuer, the certificate file <private_dir>\mine_cert.crt can contain the full chain (own certificate, intermediate CA, and root CA). When the WAPT Console asks if the certificate should be put in authorized client certificate directory (<wapt-dir>\ssl), the full crt file is copied as is. This means that all certificates in the crt file are authorized, and not only the personal one. This is perhaps not desired;
Workaround: check if the personal pem encoded crt file contains the full certificates chain. If this is the case, copy in <wapt-dir>\ssl only the parts of the PEM file matching the certificates you want to trust;
SNI is not properly handled by the WAPT Console code, leading to incorrect error about certificate validation on WAPT https Server with virtual hosts;
Certificates CSR updates (periodical signature, …) must be managed manually using tools like easy-rsa. Only CSR accessible by a URL are supported;
proxies are not supported on the WAPT Server, so CRL can not be updated properly (as far as Distribution Point is defined in certificates) if the WAPT Server has no direct http access to the distribution points;
https certificates are verified on the clients using the bundle defined by the verify_cert ini settings. If this setting is simply True, the bundle supplied with python libraries is used to check issuers. This bundle is not updated unless WAPT is upgraded, so new issuers or no more trusted issuers are taken in account only at this point. So it is better to deploy your own CA bundle along with wapt and define the verify_cert path.
for 1.5.1.18 rc1, on the linux server, there are broken symbolic links in lib/python2.7 folder. Next RC does not exhibit this problem;
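The workaround for the full-chain crt file in the known issues above (copy only the parts of the PEM file matching the certificates you want to trust) can be scripted. This is an added example, not WAPT code: the function names are assumptions, certificates are selected by the SHA-256 fingerprint of their DER encoding, and the sample blocks are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import re
import textwrap

# One PEM certificate block. Anything outside the blocks (comments,
# private keys, blank lines) is ignored and never copied to the output.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def fingerprint(der_bytes):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def split_pem_certificates(pem_text):
    """Return [(pem_block, fingerprint), ...] in the order found in the file."""
    certs = []
    for match in PEM_CERT_RE.finditer(pem_text):
        body = "".join(match.group(1).split())      # drop line breaks
        der = base64.b64decode(body, validate=True)  # reject corrupt blocks
        certs.append((match.group(0), fingerprint(der)))
    return certs


def keep_only_trusted(pem_text, trusted_fingerprints):
    """Return PEM text holding only the certificates explicitly listed.

    Fingerprints may be given as plain hex or colon-separated hex.
    A requested fingerprint that is absent from the bundle is an error,
    so a typo cannot silently produce an empty trust file.
    """
    wanted = {fp.replace(":", "").strip().lower() for fp in trusted_fingerprints}
    certs = split_pem_certificates(pem_text)
    missing = wanted - {fp for _, fp in certs}
    if missing:
        raise ValueError("not in bundle: " + ", ".join(sorted(missing)))
    kept, seen = [], set()
    for pem, fp in certs:
        if fp in wanted and fp not in seen:  # skip repeated copies
            seen.add(fp)
            kept.append(pem + "\n")
    return "".join(kept)


def make_pem(der_bytes):
    """Wrap bytes in PEM armour (used only to build the sample below)."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: three placeholder payloads standing in for the
# personal certificate, the intermediate CA and the root CA of a chain.
PERSONAL_DER = b"constructed sample: personal certificate " * 3
INTERMEDIATE_DER = b"constructed sample: intermediate CA " * 3
ROOT_DER = b"constructed sample: root CA " * 3
SAMPLE_BUNDLE = (make_pem(PERSONAL_DER) + make_pem(INTERMEDIATE_DER)
                 + make_pem(ROOT_DER))

if __name__ == "__main__":
    # Step 1: list what the crt file really contains.
    for index, (_, fp) in enumerate(split_pem_certificates(SAMPLE_BUNDLE)):
        print(index, fp)
    # Step 2: write out only the certificate that should be authorized.
    print(keep_only_trusted(SAMPLE_BUNDLE, [fingerprint(PERSONAL_DER)]))
```

On a real file, compare each listed fingerprint with the SHA-256 fingerprint shown by your certificate tooling before choosing which ones to keep.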
WAPT-1.5.1.14 (2018-01-09)¶
[NEW] Historize in wapt_localstatus PostgreSQL table the dependencies and conflicts of installed packages (to provide an easy way to warn when conflicting package will be installed or should be removed);
[FIX] load full certificate chain from host packages to check control (as it is the case for other types of packages);
[SEC] regression: check host package control signature right after downloading (it is checked too when starting install);
[FIX] regression: do not install host package if version is lower than installed one;
[FIX] Do not raise an exception during session-setup if package has no setup.py;
The WAPT Agent
[FIX] intermediate CA pinning: Allow to deploy intermediate CA as authorized package CA without root CA (segregation of rules between entities);
[FIX] old style print statement (without parentheses) raising an error in setup-session or uninstall setup.py functions;
SetupHelpers
[IMP] Added setuphelpers.cache_dir parameter to wget function;
[IMP] renamed cabundle parameter to trusted_bundle;
[NEW] Add python methods to create certificate from CSR;
The WAPT Console
[ADD] Added a checkbox in the WAPT Agent builder to sign with sha1 in addition to sha256 for old wapt client upgrades;
[IMP] force host package version to be at least equal to already installed host package (when host package is deleted, version was starting again at 0);
[FIX] regression: check existing host package signature before editing it;
The WAPT Server
[FIX] Force the WAPT Server database structure upgrade at each WAPT Server startup;
[ADD] db_connect_timeout parameter for pool of the WAPT Server database connections;
[NEW] Store depends and conflicts attributes in the WAPT Server HostPackagesStatus PostgreSQL table;
Known issues¶
SNI is not properly handled by the WAPT Console code, leading to incorrect error about certificate validation on the WAPT https Server with virtual hosts;
certificates CSR updates (periodical signature, …) must be managed manually using tools like easy-rsa. Only CSR accessible by a URL are supported;
WAPT-1.5.1.13 (2018-01-03)¶
A few fallbacks to allow the WAPT Console to be used under Wine.
Draft plugin architecture in the WAPT Console.
GUI for entering passwords in PyScripter.
The wapt-get make-template action in the installer creates an empty package.
The signer’s certificate chain is included in the package instead of only the end certificate.
IMPROVE: handling of certificates signed by an intermediate authority for WAPT Console actions.
Added an option to specify the configuration file for the WAPT Console.
[FIX] SNI when retrieving the certificate chain in the WAPT Console.
[ADD] added actions to launch mass updates/ upgrades, offer updates to the users (WAPT Enterprise).
F5 refreshes the package list.
Remote change of the computer’s description.
Several WAPT Server instances can be configured on one server/ VM.
chunked http upload to allow uploading large packages without going through scp.
Added forced installation of a package on a host in the WAPT Console.
Added an option to hide advanced actions (simplified WAPT Console display).
The CN of the host certificate / key is named after the UUID.
If one or more dependencies of a package cannot be installed, the parent package is not installed and is marked as in error.
Memory leak on the server?
Timezone handling for certificate validity.
[SECURITY] all files are taken into account when verifying hashes, not only those in the root directory (regression introduced in 1.5 but not present in 1.3).
WAPT-1.5.1.5 (2017-11-16)¶
Global architecture¶
[NEW] the host packages are now named with the BIOS UUID of the host instead of the FQDN (it is possible to use the FQDN as the UUID with the parameter use_fqdn_as_uuid but it may create duplicates in the WAPT Console);
the WAPT service listens on the loopback address, port 8088, and no longer on all interfaces. This reduces the potential attack surface if an attacker spoofs the IP address of the WAPT Server;
at startup, the WAPT service creates a Websockets (Socket.IO) connection to the server to allow the WAPT Console to trigger Update/ Upgrade/ Install/ Remove actions; port 8088 of the service is no longer used for this;
[NEW] the Websocket requests from the WAPT Console to the WAPT agents are now signed with the key of the Administrator. Before, security relied on source IP restriction and the validation of the Administrator’s login/ password;
the inventory database is now a PostgreSQL database, replacing MongoDB. This makes querying for custom reporting easier, since SQL is better known to system administrators;
the display of a large number of hosts in the WAPT Console has been improved. Displaying several thousand hosts is no longer a problem;
modifying the configuration of a large number of hosts has been made much faster;
resuming a partial package download is now possible (interruption at shutdown …);
private keys must now be protected with a password;
WAPT Console¶
switch to Websockets;
support for high-resolution displays (e.g. 4k screens);
modernized icon sets in the WAPT Console;
on-the-fly change of the host description;
option to change the password of a key;
Package format¶
the setup.py file is optional (in particular, it is not needed for group and host packages that contain only dependencies);
[NEW] if the package contains a setup.py file, it MUST be signed with a Code Signing certificate, otherwise the package WILL NOT be installed. The roles are now differentiated between the role of the Package Deployer (allowed to sign group and host packages) and the role of Package Developer (allowed to sign group, host AND base packages);
when the package is signed, the signer's certificate is added to the package (WAPT/certificate.crt);
the manifest file is renamed manifest.sha256 instead of manifest.sha1, and signature.sha256 instead of signature;
the following attributes have been added to the control file:
signed_attributes: for reliable verification;
min_wapt_version: the package is ignored (and is not installed) if wapt is not at least at this version;
installed_size: the package is not installed if at least this much space is not available on the system disk;
max_os_version: the package is ignored if the Windows version is higher than this attribute;
min_os_version: the package is ignored if the Windows version is lower than this attribute;
maturity: PROD, PREPROD, TEST;
locale: fr, en, etc;
General agent configuration¶
explicit [wapt-host] section for the host packages repository, otherwise the URL is derived from <repo_url>+"-host";
explicit [wapt] section for the main repository, otherwise <repo_url> is used;
certificate verification enabled by default for all https connections;
signing with sha256 instead of sha1;
support for packages signed with certificates issued by an authority, deploying only the authority's certificate;
use of the client UUID for host package names instead of the FQDN;
possibility to use the FQDN as the UUID instead of the BIOS UUID (use_fqdn_as_uuid parameter) (or a forced uuid: forced_uuid parameter);
when signing, the signer is designated by their certificate and not by their private key. wapt looks for the private key in the same directory as the personal certificate. Having one certificate per person acting on WAPT is encouraged;
possibility to take certificate revocation into account (the CSR is provided to the hosts during the update, in the Packages file);
re-signing is possible on Linux with the wapt-signpackage.py command;
installation in Program Files(x86) by default;
SetupHelpers
setuphelpers.running_as_admin, setuphelpers.running_as_system;
fix for add_shutdown_script;
added the remove_old_version parameter for setuphelpers.install_msi_if_needed and setuphelpers.install_exe_if_needed;
wapt-get¶
added the update-package-sources function, which runs the optional update_package() function of the package;
replaced the --private-key option with the --certificate option to designate the certificate used to sign the package. The private key is looked up in the same directory as the certificate;
the WAPT/wapt.psproj file is replaced each time a package is edited (to update the path to the WAPT modules depending on whether the install is in C:\wapt or C:\Program Files (x86)\wapt);
the server certificate is verified during enable-check-certificate to avoid bad configurations;
wapt-signpackages¶
added options:
--if-needed
--message-digest
--scan-packages
--message-digest
Usage: wapt-signpackages -c crtfile package1 package2
Re-sign a list of packages
Options:
  -h, --help            show this help message and exit
  -c PUBLIC_KEY, --certificate=PUBLIC_KEY
                        Path to the PEM RSA certificate to embed identitiy in
                        control. (default: )
  -k PRIVATE_KEY, --private-key=PRIVATE_KEY
                        Path to the PEM RSA private key to sign packages.
                        (default: )
  -l LOGLEVEL, --loglevel=LOGLEVEL
                        Loglevel (default: warning)
  -i, --if-needed       Re-sign package only if needed (default: warning)
  -m MD, --message-digest=MD
                        Message digest type for signatures. (default: sha256)
  -s, --scan-packages   Rescan packages and update local Packages index after
                        signing. (default: False)
WAPT Console¶
[NEW] all actions sent to the hosts are signed with the Administrator’s key;
[NEW] generation of a key / certificate pair signed by a Certificate Authority (WAPT Enterprise);
option to create a Code Signing certificate or not (Enterprise version);
option to change the password of an RSA key;
option to verify certificates when creating the waptagent;
launch of TISHelp (Enterprise version);
limit on the number of hosts returned in the WAPT Console;
added the reachable filter = host connected to the WAPT Server;
possibility to change the host description
The WAPT Server
authentication against an LDAP database (Enterprise version);
use of Websockets for actions;
The WAPT service
the waptservice http Webservice listens only on the loopback 127.0.0.1 (so no more checking whether port 8088 is open on the firewall..);
waptservice connects to the WAPT Server over websocket if the waptserver parameter is present in wapt-get.ini;
the websockets_verify_cert parameter enables SSL verification of the certificate for the websockets connection;
display of the list of certificates / CAs authorized for packages;
display of the package signer;
[NEW] allow_user_service_restart parameter allows a standard user to restart the WAPT service on her computer;
launch of tishelp in service mode through the /tishelp URL;
waptagent installer¶
removed the msvcrt installation;
only 2 options remain: install the service and launch wapttray;
options for a silent install:
dnsdomain for the automatic discovery of wapt and the WAPT Server
wapt_server
repo_url
waptupgrade always performs a full install (no incremental install);
Improvements 1.5.0.12-amo –> 1.5.0.16¶
setup.py not required for uninstall;
unicode path for package editing;
fixed the repository discovery based on DNS;
fixed \0000 for PostgreSQL;
introduced an option for a double sha1 and sha256 signature;
https verification for waptagent upload;
--if-needed option in wapt-signpackages;
fix proxy in package import;
handling of certificate revocations (CSR);
fix required attributes in action signatures;
max_clients;
fix server-less option (waptstarter);
added tishelp launch;
force update at install;
WAPT-1.4.0 (2017-05-05)¶
no official release;
[NEW] migration to a PostgreSQL database in place of MongoDB;
WAPT-1.3.13 (2017-07-25)¶
Security fix¶
regression: Package files content check was skipped if signature of manifest and Packages index file checksum was ok. This regression affects all 1.3.12 releases, but not WAPT <= 1.3.9 and >= upcoming 1.5. In order to exploit this bug, one would need to tamper with the Packages files either through a MITM (if you do not have valid https certificate check) or a root access on the WAPT Server.
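The check that this fix and the 1.5.1.13 [SECURITY] entry restore, as an added example that is not WAPT's own code: every file in the archive, sub-directories included, is hashed and compared with the manifest, and files missing from either side are reported. The manifest layout (a JSON list of [path, sha256] pairs in WAPT/manifest.sha256), the sample files and all function names are assumptions, and the signature over the manifest is taken as already verified.

```python
import collections
import hashlib
import io
import json
import zipfile

# Assumed layout for this sketch: a JSON list of [path, sha256-hex] pairs.
MANIFEST = "WAPT/manifest.sha256"
# Members that cannot carry their own hash; the signature covers the manifest.
UNHASHED = {MANIFEST, "WAPT/signature.sha256"}

# Constructed sample content, not a real package.
SAMPLE_FILES = {
    "setup.py": b"def install():\n    pass\n",
    "WAPT/control": b"package: demo\nversion: 1.0\n",
    "payload/installer.bin": b"original installer bytes",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_package(files):
    """Zip the files together with a manifest that lists every one of them."""
    manifest = sorted([name, sha256_hex(data)] for name, data in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, json.dumps(manifest))
    return buf.getvalue()


def with_member(pkg, name, data):
    """Copy of the archive with `name` set to `data`; other members unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pkg)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != name:
                dst.writestr(info.filename, src.read(info.filename))
        dst.writestr(name, data)
    return out.getvalue()


def check_files(pkg, root_only=False):
    """Compare archive content with the manifest; return a sorted problem list.

    root_only=True reproduces the flawed check that skips sub-directories.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        expected = dict(json.loads(zf.read(MANIFEST)))
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
        counts = collections.Counter(members)
        present = set(members)
        for name in sorted(set(expected) | (present - UNHASHED)):
            if root_only and "/" in name:
                continue
            if name not in present:
                problems.append(("missing", name))
            elif counts[name] > 1:
                # Two entries with one name: which one gets extracted is ambiguous.
                problems.append(("duplicate", name))
            elif name not in expected:
                problems.append(("unlisted", name))
            elif sha256_hex(zf.read(name)) != expected[name]:
                problems.append(("modified", name))
    return problems


def demo():
    """Run the full and the root-only check over a clean and an altered package."""
    pkg = build_package(SAMPLE_FILES)
    altered = with_member(pkg, "payload/installer.bin", b"changed after signing")
    return {
        "clean": check_files(pkg),
        "altered_root_only": check_files(altered, root_only=True),
        "altered_full": check_files(altered),
        "extra_file": check_files(with_member(pkg, "extra.dll", b"not in manifest")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The root-only run reports nothing for the altered package because the changed file sits in a sub-directory, while the full run flags it as modified.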
Other changes¶
compatibility with packages signed with upcoming WAPT 1.5. With WAPT 1.5, packages are signed with sha256 hashes. An option allows signing them with sha1 too so that they can be used with WAPT 1.3 without signing them again.
new package certificate for Tranquil IT packages. The previous certificate for packages on store.wapt.fr has expired. All packages on store.wapt.fr have been signed again with a new key / certificate with both sha1 and sha256 hashes, and WAPT 1.5 signature style (control data is signed as well as files)
fix for local GPO add_shutdown_script() function (thanks jf-guillou!)
fix for waptsetup.exe postinstall actions (update / register) when running waptsetup.exe installer without elevated privileges: added runascurrentuser flag
remove needless python libraries to make install package slimmer
WAPT 1.3.12.13 (2017-06-26)¶
WAPT Console¶
[NEW] Wizard for creating packages from an MSI or an Exe file;
[NEW] Option in the Tools menu or by drag and drop in the private repository tab;
[NEW] Discovery of silent options;
[NEW] Use of the install_exe_if_needed and install_msi_if_needed functions instead of a simple run() for exes and MSIs (several setup.py templates in C:\wapt\templates);
[NEW] Significant improvement in the speed of mass modification of host packages;
[NEW] Optional verification of the signature of packages imported from an external repository. The list of authorized certificates is located by default in %APPDATA%\waptconsole\ssl and can be specified in the waptconsole settings. The ini parameter is named authorized_certs_dir. Otherwise, the authorized certificates are those in C:\wapt\ssl;
[NEW] Optional verification of the https certificate for external repositories in the WAPT Console;
[NEW] Verification of the signature of host, group and software packages before they are modified in the WAPT Console or in PyScripter;
[NEW] When importing from an external repository, possibility to edit the package for inspection rather than loading it directly onto the production repository;
[NEW] Changed the URLs pointing to the documentation. https://www.wapt.fr/en/doc/;
[NEW] Possibility to refresh the certificate without recreating the RSA key pair (in particular to set a correct Common Name, which appears as the signer of packages);
[NEW] HTTPS by default for repository URLs.
Other fixes¶
[FIX] AppNoConsole:1 parameter for NSSM (waptservice / waptserver) to allow operation on Windows 10 Creators Update;
[FIX] Problem of Zip files remaining locked if an error is raised;
[FIX] Removal of the temporary directory when cancelling the editing of a group;
[FIX] Handling of spaces in PyScripter project files;
[FIX] utf8 / unicode handling for some functions;
[FIX] Fixed encoding handling when run_not_fatal() returns an error;
[FIX] replaced the mongo.bson library with the native json of python;
[FIX] bug in the synchronization of AD groups with WAPT packages;
[FIX] bug « The private key does not exist » the first time it is entered if the WAPT Console is not restarted;
[FIX] bug « restart wapt service » (thanks to QGull);
[FIX] possibility to have uppercase letters in package names (not recommended however, package names are case-sensitive);
[FIX] a few updates to the wapt-get.ini.tmpl configuration examples;
[FIX] building the waptagent fails if the keys / certificates already exist but the certificate has been deleted from C:\wapt\ssl;
[FIX] display of the login window in the taskbar (in particular to allow autofill by password managers);
WAPT 1.3.9.3 (2017-04-11)¶
[FIX] Argument shell = True was not explicitly passed to the underlying function as it occurred on previous versions.
WAPT 1.3.9 (2017-03-03)¶
Fixes¶
[FIX] update code to follow more PEP8 recommendations;
[FIX] upgradedb locks sqlite database issue;
[FIX] Fix broken DNS SRV record discovery;
[FIX] Fix unicode handling of signer / CN / organization in certificates;
[FIX] Unzipped netifaces module;
wapt-get¶
[NEW] Expands wildcards args for wapt-get install, wapt-get show, wapt-get build-package, wapt-get sign-package;
[FIX] Fix wapt-get show-params;
[FIX] Fix wapt-get register with description not working on some computers;
[FIX] Fix broken -c --config option;
SetupHelpers
[NEW] setuphelpers.reg_key_exists;
[NEW] setuphelpers.reg_value_exists;
[NEW] setuphelpers.run_powershell;
[NEW] setuphelpers.remove_metroapp;
[NEW] setuphelpers.local_users_profiles;
[NEW] setuphelpers.get_profiles_users;
[NEW] setuphelpers.get_last_logged_on_user;
[NEW] setuphelpers.get_user_from_sid;
[NEW] setuphelpers.get_profile_path;
[NEW] setuphelpers.wua_agent_version;
[NEW] setuphelpers.local_admins;
[NEW] setuphelpers.local_group_memberships;
[NEW] setuphelpers.local_group_members;
[IMP] run: explicit default values for setuphelpers.run command help in PyScripter. Added return_stderr argument (overloaded str object);
[FIX] setuphelpers.run_notfatal: fix unicode issue in use wmi module for setuphelpers.wmi_info_basic instead of setuphelpers.wmic shell command;
[IMP] setuphelpers.make_path: improved when first argument is a drive. Be smart if an argument is a callable;
[FIX] setuphelpers.CalledProcessError: restored setuphelpers.CalledProcessError alias.
[ADD] setuphelpers.host_infos: added profiles_users, last_logged_on_user, local_administrators, wua_agent_version attributes;
[IMP] setuphelpers.ensure_unicode: return None if None, for bytes strings, try utf8 decoding before system locale decoding;
The WAPT Console
[FIX] restore allowed lowercase/uppercase package naming;
[ADD] 4 host popup menu actions:
Computer Mgmt;
Computer Users;
Computer Services;
RemoteAssist;
[FIX] fixed other issues in the WAPT Console:
Don’t search host while typing;
utf8 search (accents…);
utf8 compare;
try to get localized versions of special folders;
Setup¶
[ADD] waptpythonw.exe binary in distribution for console-less python scripts (to avoid having cmd.exe windows popping up when invoking a python script);
[FIX] change default wapt templates URL to https://store.wapt.fr/wapt;
[FIX] when upgrading, (full waptagent.exe install) remove stalled waptagent.exe installs;
WAPT 1.3.8.2 (2016-11-18)¶
Security¶
[SEC] Fix inheritance of rights on wapt root folder for Windows 10 during setup when installed in C:\wapt. On Windows 10, cacls.exe does not work and does not remove « Authenticated Users » from C:\wapt. cacls.exe has been replaced by icacls.exe:
on pre-wapt 1.3.7 systems, you can fix this by running the following command, or upgrade to wapt 1.3.8 (you may check icacls.exe c:\wapt /inheritance:r). This can be achieved with a GPO, or a wapt package
[IMP] in next versions of WAPT, the default install path of wapt will be changed from root folder C:\wapt to a more standard C:\Program Files (x86)\wapt.
[IMP] By default, waptsetup.exe / waptsetup-tis.exe do not distribute certificates, to avoid directly deploying packages from Tranquil IT. waptagent.exe by default distributes the certificates that are installed on the management desktop creating the waptagent.
Core changes¶
[IMP] The database structure has changed between 1.3.8 and 1.3.8.2 to include additional attributes from packages: signer, signer_fingerprint, locale, and maturity. signer and signer_fingerprint are populated when signing the package to identify the origin. This means local WAPT database is upgraded when first starting WAPT 1.3.8.2 and this is not backward compatible;
[IMP] Installers have a limited set of options, the most common use of WAPT is privileged;
[ADD] 3 new parameters for the waptexit policy behavior: hiberboot_enabled, max_gpo_script_wait, pre_shutdown_timeout. These parameters are not set by default and should be added to wapt-get.ini [global] section if needed;
[IMP] Use user's waptconsole.ini configuration file instead of wapt-get.ini for the commands targeted to package development (sources, make-template, make-host-template, make-group-template, build-package, sign-package, build-upload, duplicate, edit, edit-host, upload-package, update-packages). This avoids the need to write these parameters in wapt-get.ini on the development workstation. These parameters are not shared across multiple users on same host. One use case is to allow multiple profiles (key, upload location) depending on the maturity of package (development, test, production…);
SetupHelpers
[ADD] helper functions setuphelpers.dir_is_empty, setuphelpers.file_is_locked, setuphelpers.service_restart and setuphelpers.WindowsVersions class
[IMP] Added referer and user_agent in setuphelpers.wget and setuphelpers.wgets
[IMP] run function: define stdin as PIPE to avoid lockup process waiting for input or error like unable to duplicate handle when using for example powershell
[IMP] Version class: try to compare version using at least Version.members_count
[FIX] encoding fixes for registry functions, fix encoding for registry_setstring key name
[FIX] setuphelpers.install_exe_if_needed: do not check uninstall_key or min_version if not provided
[FIX] setuphelpers.install_exe_if_needed and setuphelpers.install_msi_if_needed version check if --force
[UPD] Check version and uninstall key after install with setuphelpers.install_exe_if_needed and setuphelpers.install_msi_if_needed
[UPD] inventory includes informations from WMI.Win32_OperatingSystem
[ADD] setuphelpers.get_disk_free_space helper function
[UPD] check free disk space when downloading with setuphelpers.wget. Check http status before.
[UPD] Version class: Version("7")<Version("7.1") should return True
wapt-get¶
[ADD] Added 2 commands to get the WAPT Server SSL certificate and activate the certificate checking when using https with the WAPT Server
[FIX] Fixed get_sources to allow svn checkout of a new package project
[FIX] Fixed register problems with some BIOS with bitmaps
[UPD] Check uninstall key after package install if uninstallkey is provided
[FIX] Fixed OS compatibility in manifest file for wapt-get and waptconsole version windows
[FIX] Fixed erroneous error messages for session-setup in the WAPT Console
[UPD] Added « pattern » parameter to all_files function
[FIX] Install Date incorrectly registered by register_uninstall
[ADD] Added the user_local_appdata function
[ADD] Added the signer CN and signer_fingerprint to control file when building a WAPT package
[ADD] Added the control attribute min_wapt_version to trigger an exception if Package requires a minimum level of libraries. The version is checked against the __version__ attribute of setuphelpers.py.
[ADD] Added the authorized_certificates attribute that is sent to the WAPT Server. It contains the list of host's signer certificates distributed on the host
[FIX] Fixed that when signing, check if WAPT zip file has already a signature file (python zipfile can not replace the file inline).
The WAPT service
[ADD] Show All Versions checkbox in Available Packages page
[UPD] Skin updated
[ADD] Added Filter searchbox for available packages
The WAPT Console
[ADD] Added NOT checkbox for keywords search in waptconsole to search for hosts NOT having a specific package or software…
[FIX] Fixed integer limit for grid display of package size, use int64 for size of packages in waptconsole.
[UPD] Do not list packages of section « restricted » in local webservice available packages list
[UPD] Updated: Common Name attribute should be populated now, so that signer identity is not None in package control file.
[ADD] Added signer's identity column in packages grid
[FIX] Fixed escape quotes in WAPT package’s description
[ADD] Check waptagent.exe version against waptsetup-tis version at waptconsole startup.
[UPD] try to display a progress dialog at waptconsole startup
[FIX] company not set when building customized waptagent.exe
[ADD] initialize Organization in waptagent.exe build with CN from certificate.
The WAPT Exit utility
[UPD] some text introduction changes
The WAPT Tray utility
[NEW] Limit trayicon balloon popup when Windows version is above Windows 7 or if notify_user = False in wapt-get.ini
The WAPT Server
[UPD] Use broadcast address on interface for wakeonlan call
[FIX] Removed the check of the WAPT Server password which prevents the proper registration of waptserver on Windows.
[UPD] When upgrading, reuse existing waptserver.ini file if it already exists, do not overwrite the server_uuid and ask for password reset if it already exists
The WAPT Deployment utility / waptupgrade
[FIX] Fixed waptdeploy not working on WinXP removed DisableWow64FileSystemRedir on runtask.
[FIX] Fixed waptupgrade: Missing quotes for system account on Windows XP
Libraries
[ADD] Added BeautifulSoup for wapt packages auto updates tasks
[UPD] Updated winsys library update to “1.0b1”
WAPT 1.2.3.2 (2015-05-05)¶
[ADD] UUID parameter for direct requests to hosts from the WAPT Server;
[ADD] allow host to refuse request if not right target (if ip has changed since last update_status for example)
[ADD] fallback on the WAPT Server usage_statictics if mongodb lacks aggregate support
[IMP] register host on the WAPT Server in postconf using waptservice http instead of command line wapt-get
WAPT 1.2.2 (2015-04-22)¶
[ADD] reset-uuid and generate-uuid for https://roundup.tranquil.it/wapt/issue421 duplicated UUID issues
[IMP] mass hosts delete, added delete hosts package action. WAPT Server >=1.2.2 only: https://roundup.tranquil.it/wapt/issue433
[ADD] read the docs theme for sphinx SetupHelpers API documentation. WIP https://roundup.tranquil.it/wapt/issue427
[IMP] doc updates
[ADD] api/v1/hosts_delete method
[ADD] need_install, install_exe_if_needed, install_msi_if_needed functions to SetupHelpers
[ADD] parameters for waptdeploy.
WAPT 1.2.1 (2015-03-26)¶
WAPT Console
[ADD] combobox for filtering on groups in waptconsole.
[ADD] Add ADS Groups as packages action to WAPT host selection popup menu
[ADD] cleancache action to clean local packages cache in the WAPT Console
[ADD] added notify_server on network reconfiguration if waptserver is available;
[IMP] column groups shows only host’s direct dependencies with package’s section == « group » instead of all direct dependencies.
[ADD] optional anonymous statistics (nb of hosts, nb of packages, age of updates…) sent to Tranquil IT to document the communication around WAPT (sent by waptconsole at most every 24h)
[IMP] improved mass hosts delete,
[ADD] delete hosts package action. WAPT Server >=1.2.2 only: https://roundup.tranquil.it/wapt/issue433
[IMP] big packages uploads (write uploaded packages by chunk) (but still some issues on 32bits WAPT Servers due to uwsgi)
[IMP] display version of mismatch when editing package
[FIX] host’s packages not saved when some dependencies do not exist anymore
[FIX] restore working Cancel running task button
[FIX] canceling subprocesses not working in freepascal apps (when waiting for InnoSetup compile for example)
wapt-get / WAPT service
[ADD] reset-uuid and generate-uuid for https://roundup.tranquil.it/wapt/issue421 duplicated UUID issues
[IMP] find_wapt_repo_url process to avoid waiting for all repos if one repo is ok (improved response time in buggy networks)
[IMP] windows DNS resolver in wapt client (python part) instead of pure python resolver. Should reduce issues when multiple network cards or inactive network connections.
[IMP] changed priority of WAPT Server discovery using SRV dns records. --> first priority ascending and weight descending. --> comply with standards.
[FIX] solved some issues with SQLite and threads in local waptservice
[IMP] explicit transaction handling and isolation_level = None for local waptDB (to try to avoid locks)
[IMP] teardown handler for waptservice to commit or rollback thread local connections
[FIX] for waptrepo detection in freepascal parts: same process as python part.
[FIX] for edit_package when supplying a wapt filename instead of package request
SetupHelpers
[ADD] read the docs theme for sphinx SetupHelpers API documentation. WIP https://roundup.tranquil.it/wapt/issue427
[ADD] __all__ list to avoid importing unnecessary names in setup.py modules. Now only functions defined in SetupHelpers are available when importing SetupHelpers. This can break some WAPT packages if names were indirectly imported through SetupHelpers module.
[ADD] need_install, install_exe_if_needed, install_msi_if_needed functions to SetupHelpers.
[ADD] local_desktops function
[FIX] version class instances accept to be compared to str
[REM] setuphelpers.processnames_list which is unused in SetupHelpers
[ADD] setuphelpers.add_ads_groups and setuphelpers.get_computer_groups to waptdevutils.py
[FIX] setuphelpers.run helper
[FIX] on_write callback not working
[FIX] TimeoutExpired not formatted properly
[FIX] use closure for registry keys
The WAPT Deployment utility
[IMP] Improved the WAPT Deployment utility with more command line options (in particular tasks to merge to default innosetup selected tasks)
[FIX] waptrepo detection using dns records
Install¶
[FIX] waptagent upload error on windows
[FIX] debian packages should work for Jessie
[IMP] copytree2 for waptupgrade
[FIX] trap exception for version check on copy of .exe and .dll
[FIX] mongodb-server version should be >= 2.4
WAPT-1.1.1 (2015-02-26)¶
WAPT Console
[IMP] The loading of the main grid has been optimized; only configured columns are displayed;
[IMP] The WAPT Server detects the hosts whose waptservice is listening. Their Reachable status is shown with a green / grey indicator;
[IMP] The WAPT package to upgrade WAPT on hosts (???-waptupgrade.wapt) is generated by the WAPT Console at the same time as the WAPT agent installer (waptagent.exe), the two files are then uploaded on the WAPT Server;
[ADD] The package dependencies of each host are displayed in the grid. This shows which hosts have no package;
[ADD] Added possibility to trigger available package upgrades on hosts that are listening from the WAPT Console. In that case, the host sends its status to the WAPT Server after the upgrade;
[ADD] Added possibility to filter hosts in the WAPT Console according to their upgrade status or whether they are « reachable » or not,
[ADD] When packages are flagged for install but are not yet installed on a host, they appear with a blue « + » indicator. It is then possible to force the immediate install of the package with a right-click;
The WAPT service
[ADD] cleaning of the cache on the hosts after each successful upgrade;
The WAPT Server
[ADD] the versions of the WAPT agent, WAPT Server are shown in the main web page of the WAPT Server (with a red indicator if there is a problem);
SetupHelpers
[ADD] Added functions to SetupHelpers to manage shortcuts:
setuphelpers.remove_desktop_shortcut;
setuphelpers.remove_user_desktop_shortcut;
setuphelpers.remove_programs_menu_shortcut;
setuphelpers.remove_user_programs_menu_shortcut.
Installation
[IMP] verification of used ports during the post-configuration of WAPT Server on a Windows host;
Webservices
[IMP] the waptserver no longer listens on port 8080 by default.
The Apache front-end web server listens in HTTP and HTTPS and relays action calls to the python waptservice that only listens locally.
It is therefore necessary to update wapt-get.ini files on WAPT agents and to replace wapt_server = http://srvwapt.mydomain.lan:8080 with wapt_server = https://srvwapt.mydomain.lan
If you can not make that change to your WAPT agents, it is possible to return to the previous behavior.
On Debian, edit the file /opt/wapt/waptserver/waptserver.ini, and in the [uwsgi] section, put:
http-socket = 0.0.0.0:8080
On Windows, edit C:\wapt\waptserver\waptserver.ini and replace:
server = Rocket(("127.0.0.1", port), "wsgi", {"wsgi_app": app})
with:
server = Rocket(("0.0.0.0", port), "wsgi", {"wsgi_app": app})
The repository may stay in HTTP on port 80.
The calls to the WAPT Server are authenticated, but it is advised to restrict access to authorized sub-networks with a firewall.
[IMP] json calls to the webservice of the WAPT Server are now standardized;
[IMP] when launching update / upgrade / remove / forget / tasks_status actions from the WAPT Console, the IP address of the host is no longer sent, but instead its UUID, and it is the WAPT Server that finds the IP address and the port to use;
[ADD] verification in the WAPT Console that the version of the WAPT Server is sufficient;
[ADD] the timeout to connect to WAPT agents and read the data are configurable in waptserver.ini;
WAPT-1.0 (2015-01-31)¶
[ADD] first public version of WAPT