Natalie_Manusov
Crownpeak employee

FirstSpirit Hotfix-Builds 5.2.230817 (Non-Jakarta) and 5.2.231010 (Jakarta) contain a further security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP):

  • JxBrowser update to version 7.35.1 (used in the integrated preview in SiteArchitect)

The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.

A “heap buffer overflow” in WebP allowed a remote attacker to perform an out-of-bounds memory write, and thus possibly inject malicious code. A manipulated WebP image can therefore lead to code injection.

FirstSpirit versions since 2019.11 are affected.

How can the vulnerability be exploited?

  • An editor adds a manipulated WebP image to a project.
  • An editor opens an (external) website containing a manipulated WebP in the integrated preview.

What do you have to do?

  • (Server) Update to 5.2.230817 / 5.2.231010
  • (Client) Update the local browsers

Mitigation without FS Update

New FirstSpirit versions are available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.

TimoKlattenhoff
Crownpeak employee

Current link to the FirstSpirit User Management

TimoKlattenhoff
Crownpeak employee

Upcoming webinars on AI Functionality in FirstSpirit – register here

Natalie_Manusov
Crownpeak employee

FirstSpirit 2023.10 is the latest release of FirstSpirit and contains bugfixes as well as new functionality.

Important note regarding CVE-2023-4863 (Heap Buffer Overflow in WebP)

The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version:

Due to CVE-2023-4863, the WebP library used by FirstSpirit has been updated. 

Important note regarding migration to Jakarta EE 6.0

In contrast to the phased rollout for cloud customers, on-premises customers are able to test and migrate the FirstSpirit servers once version 2023.9 or 2023.10 has been released.

However, we strongly recommend waiting to update productive servers at least until release 2023.11, since we aim to guarantee the compatibility for modules provided by Crownpeak with that release.

 

The release notes are attached to this post and available via https://docs.e-spirit.com/ .

To learn more about our release management in general please see our Release Management FAQ.

The new FirstSpirit version is available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.

Natalie_Manusov
Crownpeak employee

The FirstSpirit Hotfix-Build 5.2.230813 contains a security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP).

The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.

Due to CVE-2023-4863, the WebP library used by FirstSpirit has been updated to a version based on libwebp version 1.3.2. 

A “heap buffer overflow” in WebP allowed a remote attacker to perform an out-of-bounds memory write, and thus possibly inject malicious code. A manipulated WebP image can therefore lead to code injection.

FirstSpirit versions since 2019.11 are affected.

How can the vulnerability be exploited?

  • An editor adds a manipulated WebP image to a project.

What do you have to do?

  • (Server) Update to 5.2.230813
  • (Client) Disable the integrated preview in SA (JxBrowser)
  • (Client) Update the local browsers

Mitigation without FS Update

  • (Server) Prevent uploading of WebP (set appropriate restrictions in the project) or
  • (Server) Configure WebP as media type file
  • (Client) Disable the integrated preview in SA (JxBrowser)
  • (Client) Update the local browsers

The new FirstSpirit version is available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.

TimoKlattenhoff
Crownpeak employee

Access the recordings of the Product Office Hour in September 2023 here

Natalie_Manusov
Crownpeak employee

FirstSpirit 2023.9 is the latest release of FirstSpirit and contains bugfixes as well as new functionality.

Important note regarding migration to Jakarta EE 6.0

In contrast to the phased rollout for cloud customers, on-premises customers are able to test and migrate the FirstSpirit servers once version 2023.9 has been released.

However, we strongly recommend waiting to update productive servers at least until release 2023.11, since we aim to guarantee the compatibility for modules provided by Crownpeak with that release.

  • If FirstSpirit is run in an on-premises scenario, the Tomcat version must be updated when migrating to the FirstSpirit JakartaEE edition. Since the servlet version will be updated to 6.0, a 10.1.x version of Tomcat is required.
  • The use of FirstSpirit version 2023.9 requires that Java version 17 is used.

The release notes are attached to this post and available via https://docs.e-spirit.com/ .
To learn more about our release management in general please see our Release Management FAQ.

The new FirstSpirit version is available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.

TimoKlattenhoff
Crownpeak employee

See a list of upcoming sessions – in English and in German

MatthiasM
Crownpeak employee

Hello,

there is a new Crownpeak Download Portal which replaces the well-known FTP server from which you usually downloaded your software and to which you uploaded files, e.g., for reproductions and project transfer.

How do I get a Download Portal account?
To do this, please create a ticket with Customer Support at:
https://crownpeaksupport.zendesk.com/

The portal can be found under https://file.crownpeak.com, where you will be asked to log in with the username and password of your shared company account.
This will take you to the virtual desktop of our download portal. Here you can find the "File Station" folder, which contains two other folders.
As usual, there is the Customer Download folder for downloading general software, such as the latest versions of FirstSpirit and modules released for you.
If you need modules that are not visible here, feel free to create a support ticket.
Technical Support will then take care of your request and, if necessary, release the right modules for you.

In addition to this folder, there is also a customer-specific folder for you, which contains all data that is only available for your organization.
There, for example, data from Technical Support can be stored for you.

TanjaGroßmüller
Crownpeak employee

Hello,

we published a new CaaS release last Friday. The versions contained are CaaS platform 16.18.2, CaaS Connect 3.32.3 and CaaS module 2.22.13.
As usual the release notes are available online:

https://docs.e-spirit.com/module/caas-platform/CaaS_Platform_Releasenotes_EN.html
https://docs.e-spirit.com/module/caas-connect/CaaS_Connect_Releasenotes_EN.html
https://docs.e-spirit.com/module/caas-module/CaaS_FSM_Releasenotes_EN.html

Important information:

Please note that this is the last date-based CaaS release in which the CaaS components are bundled together.
This change was first announced in March and will now take effect.

Am I affected?

You are affected by this change if you rely on downloading new versions of CaaS components using the CaaS bundles that are available in our download portal.
For example: /customer-download/Modules/CaaS/2023-07-21

What changed?

Future releases of CaaS components will be available for download individually only.
This implies that new releases are available on new paths in our download portal https://file.crownpeak.com:

CaaS Connect & CaaS FSM
Old: /customer-download/Modules/CaaS/2023-07-21/Module
New: /customer-download/Modules/CaaS/caas-connect (or /customer-download/Modules/CaaS/caas-module)

CaaS Platform
Old: /customer-download/Modules/CaaS/2023-07-21/Kubernetes & /customer-download/Modules/CaaS/2023-07-21/Docker
New: /customer-download/Modules/CaaS/caas-platform/Kubernetes or /customer-download/Modules/CaaS/caas-platform/Docker

Why?

This will give customers immediate access to the latest versions of the components and allow them to benefit immediately from new features or bug fixes.
Documentation and release notes are available at https://docs.e-spirit.com/.

Dependencies between module and platform versions will continue to be documented in the release notes of the components.
To ensure that the versions used are compatible with each other, it is essential to check the release notes.

Natalie_Manusov
Crownpeak employee

FirstSpirit 2023.8 is the latest release of FirstSpirit and contains bugfixes as well as new functionality.

The release notes are attached to this post and available via https://docs.e-spirit.com/ .
To learn more about our release management in general please see our Release Management FAQ.

The new FirstSpirit version is available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.

Peter_Jodeleit
Crownpeak employee

With the last patch day, performed on the 5th of July, a bug in the FirstSpirit CaaS Connect Module (Module Version 3.29.4) was accidentally introduced on our production environment.

TanjaGroßmüller
Crownpeak employee

Hi everybody,

we have published a new CaaS release today. The versions contained are CaaS platform 16.18.1, CaaS Connect 3.32.1 and CaaS module 2.22.12.

As usual the release notes are available online:

https://docs.e-spirit.com/module/caas-platform/CaaS_Platform_Releasenotes_EN.html
https://docs.e-spirit.com/module/caas-connect/CaaS_Connect_Releasenotes_EN.html
https://docs.e-spirit.com/module/caas-module/CaaS_FSM_Releasenotes_EN.html

Important information:

Please note that this is one of the last date-based CaaS releases in which the CaaS components are bundled together.
As announced in March, we will instead make each CaaS component available for download individually as soon as a new version is published.
More information will follow soon.

If you have any questions or feedback, please don't hesitate to contact us.

TimoKlattenhoff
Crownpeak employee

Access the recording of the Product Office Hours in July here

TimoKlattenhoff
Crownpeak employee

The next FirstSpirit Product Office Hours are coming up – read here for more details

Natalie_Manusov
Crownpeak employee

FirstSpirit 2023.7 is the latest release of FirstSpirit and contains bugfixes as well as new functionality.

The release notes are attached to this post and available via https://docs.e-spirit.com/ .
To learn more about our release management in general please see our Release Management FAQ.

The new FirstSpirit version is available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.

TimoKlattenhoff
Crownpeak employee

First session in English – watch the recording

Schulz
Crownpeak employee

The release notes for this build are available online at

Releasenotes EN

and

Releasenotes DE

marro
Crownpeak employee

The release notes for this build are available online at

Releasenotes EN

and

Releasenotes DE

 

Schulz
Crownpeak employee

The release notes for this build are available online at

Releasenotes EN

and

Releasenotes DE

 

Natalie_Manusov
Crownpeak employee

FirstSpirit 2023.6 is the latest release of FirstSpirit and contains bugfixes as well as new functionality.

The release notes are attached to this post and available via https://docs.e-spirit.com/ .
To learn more about our release management in general please see our Release Management FAQ.

The new FirstSpirit version is available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.
