The first maintenance release of the 5.13 series of NAV is now out, and contains a security patch for a serious privilege escalation vulnerability in the web GUI. We recommend that all users upgrade as soon as possible.
The source code is available for download at GitHub [1].
New packages for Debian 12 (Bookworm) and 11 (Bullseye) are available in our APT repository.
Security ========
- Lock down API access for unprivileged users
By default, NAV granted full API access to logged-in users, regardless of their configured privilege level. This would give unprivileged users access to manipulate NAV configuration and even elevate their own user privileges to administrator level. Read the full security advisory at https://github.com/Uninett/nav/security/advisories/GHSA-gprr-5vvf-582g
Changed =======
- Update NAPALM dependency to 5.0 to keep NAV web GUI working (#2358)
Fixed =====
- Fix filtering of 'Last seen' and sorting by 'Last active' in netbox interfaces view in room info (#3329)
Release notes =============
We always advise you to have a look at NAV’s accompanying release notes before upgrading.
Happy NAVing everyone!
Links =====
[1] https://github.com/Uninett/nav/releases [2] https://nav.uninett.no/install-instructions/#debian [3] https://nav.readthedocs.io/en/latest/release-notes.html#nav-5-13