Ta-da! And then Kibana 5.0.2 appeared from a cloud of bits. We’re happy to announce this latest release. It has a security fix and a handful of useful bug fixes as well.
Advanced Settings and Short URLs now run as the current user
With X-Pack installed, operations in the Advanced Settings panel of the Management tab and operations from the short URL service were performed as the “Kibana Server” user, regardless of which user was currently authenticated. As a result, a user who was defined as read-only could make changes to the global settings of Kibana. This does not allow access to protected data, but it could allow a rogue user to change Kibana configuration to alter Kibana’s appearance or Kibana’s default index. 5.0.2 ensures these operations are run as the currently authenticated user. This is described as ESA-2016-10 on our security page.
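The following is an added illustration of this class of flaw, not Kibana's code or part of the original announcement. It models a settings write performed under the server's service account versus the caller's identity, and shows that the pre-fix path also attributes the change to the service account in the audit trail. The role table, the `kibana_server` identity string, the store and all function names are constructed for the example.

```javascript
// Constructed model of the flaw class described above; not Kibana's code.
// Every name here (ROLES, makeStore, saveSettingAs*) is hypothetical.
const ROLES = {
  kibana_server: { write: true },  // stand-in for the "Kibana Server" user
  readonly_user: { write: false }, // stand-in for a user defined as read-only
};

// Stand-in for the backing store: it enforces privileges per identity
// and records which identity each write attempt was made as.
function makeStore() {
  const settings = { defaultIndex: 'logs-*' };
  const audit = [];
  return {
    settings,
    audit,
    write(identity, key, value) {
      const allowed = Boolean(ROLES[identity] && ROLES[identity].write);
      audit.push({ identity, key, allowed });
      if (!allowed) throw Object.assign(new Error('forbidden'), { statusCode: 403 });
      settings[key] = value;
    },
  };
}

// Pre-fix behaviour: the request's identity is ignored and the write
// runs with the service account's privileges.
function saveSettingAsServer(store, request, key, value) {
  store.write('kibana_server', key, value);
  return 200;
}

// Post-fix behaviour: the write runs as the authenticated user, so the
// store's own privilege check decides the outcome.
function saveSettingAsCaller(store, request, key, value) {
  try {
    store.write(request.user, key, value);
    return 200;
  } catch (err) {
    if (err.statusCode === 403) return 403;
    throw err;
  }
}

function demo() {
  const request = { user: 'readonly_user' };
  const before = makeStore();
  const after = makeStore();
  const vulnerableStatus = saveSettingAsServer(before, request, 'defaultIndex', 'other-*');
  const fixedStatus = saveSettingAsCaller(after, request, 'defaultIndex', 'other-*');
  return { vulnerableStatus, vulnerableValue: before.settings.defaultIndex,
    auditedAs: before.audit[0].identity, fixedStatus, fixedValue: after.settings.defaultIndex };
}
console.log(demo());
```

In the pre-fix path the audit entry names the service account rather than the read-only user, so reviewing settings changes made before upgrading means correlating them with session or request logs rather than relying on the recorded identity alone.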
Bug fixes in 5.0.2
There are several good bug fixes in 5.0.2, including:
- Kibana now issues an appropriate warning/error message when its version does not match that of Elasticsearch and there are one or more nodes in the Elasticsearch cluster that do not have HTTP enabled. See #9181.
- Visualizations that do not have a Spy Panel (for viewing data in a tabular form) will no longer cause error messages in Visualize or Dashboard. See #9115.
- The kibana-plugin tool now correctly handles arguments with spaces in them, for example file paths where a directory has a space in its name. See #8945.
The release notes have a few more details on the fixes. Of course, our downloads page has been updated with 5.0.2 as well. Depending on your current version, you can find the correct upgrade procedure in our documentation.