
Releases: osquery/osquery

5.23.1


@zwass zwass released this 24 Jun 14:57

This is a bug and security fix release.

What's Changed

Fixes

  • Fix heap buffer overflow in Windows processes table by @seph in #8934
  • Fix heap buffer overflow in Windows authenticode table by @seph in #8923
  • Fix use-after-free in Linux process_file_events implementation by @zwass in #8950
  • Fix incorrect permissions on temporary file carve directories by @zwass in #8961
  • Fix documentation for process_open_handles table by @seph in #8853
  • Fix subject2 and issuer2 columns for Windows certificates table by @getvictor in #8963

Full Changelog: 5.23.0...5.23.1

5.23.0


@zwass zwass released this 25 Apr 20:33
dad00e9


Full Changelog: 5.22.1...5.23.0

5.22.1


@zwass zwass released this 25 Feb 20:13
fe9e624

5.22.0 macOS binaries will not execute because the signing certificate is out of sync with the provisioning profile. 5.22.1 replaces it.

What's Changed

Features

  • Make escapeNonPrintableBytes UTF-8 aware by @nulmete in #8777
    • Note: This changes some query results that formerly were rendered as raw unicode bytes and will now be rendered as the corresponding characters.
  • Update virtual sql functions to support multiple constraints by @brian-mckinney in #8746
    • This allows SELECT * FROM vscode_extensions WHERE uid in (SELECT uid FROM users WHERE include_remote = 1) and similar queries that join or subquery to the users table to include results for remote users.
  • Add support for retries in carver by @zwass in #8740
  • Preserve file metadata in carver archives by @zwass in #8752
  • Add machine-wide provisioned MSIX packages to programs table (#8001) by @getvictor in #8772

Build & Dependencies

  • Update osquery-toolchain to 1.2.0 (LLVM 11.0.0, zlib 1.2.13) by @zwass in #8773
  • Update Apple provisioning profile for new developer certificates by @zwass in #8780
  • build: suppress enum-constexpr-conversion error for boost mpl on macOS by @sharvilshah in #8742
  • lib: Update openssl to 3.6.1 by @sharvilshah in #8766


Full Changelog: 5.21.0...5.22.1

5.21.0


@zwass zwass released this 18 Dec 00:24
538587f

What's Changed

  • Improvements to password_policy table by @zwass in #8705
  • Improve file traversal performance and correctness by @Krechals in #8704
  • Add support for Login Items and Background Services on modern macOS by @zwass in #8726
  • Add last_connected_automatic and last_connected_manual to wifi_networks table by @zwass in #8728
  • Refresh resolver state on interval to pick up DNS changes by @zwass in #8716
  • Add new darwin certificate trust settings table by @Micah-Kolide in #8715
  • Fix crash when querying carves table with carves larger than 2GB by @ksykulev in #8732
  • Add support for gzip content-encoding in HTTP client by @zwass in #8731


Full Changelog: 5.20.0...5.21.0

5.20.0


@zwass zwass released this 23 Oct 16:12
f4fd92f

What's Changed


Dependencies

  • Fix build against libaudit >=4.1.1 by removing set_aumessage_mode call by @Blarse in #8676
  • libs: libarchive: 3.7.9 -> 3.8.1 by @LeSuisse in #8642

Documentation

  • Fix SQL examples for system_profiler table by @zwass in #8699
  • Add more informative descriptions for mounts.blocks_free and mounts.blocks_available by @jacobshandling in #8701
  • Update dns_resolvers documentation to point to interface_details on Windows by @zwass in #8682


Full Changelog: 5.19.0...5.20.0

5.19.0


@zwass zwass released this 13 Aug 19:35
09d02a6

What's Changed

Features

  • Add table deb_package_files by @zwass in #8657
  • Add system_profiler table for macOS by @zwass in #8645
  • Add version collate to os_version table's version column by @Micah-Kolide in #8659
  • Add entitlements column to macOS signature table by @zwass in #8666
  • Add support for VSCode forks in vscode_extensions by @zwass in #8664

Bugfixes

  • Fix NSInvalidArgumentException when querying connected_displays by @Synse in #8628
  • Fix inconsistent counter resets due to Config::purge() by @skurpad7 in #8635
  • Update Linux block_device and disk_encryption source data to a simple sysfs implementation by @Micah-Kolide in #8182
  • Fix ATC for open Firefox databases by @zwass in #8631


Full Changelog: 5.18.0...5.19.0

5.18.1


@zwass zwass released this 24 Jun 17:07


Full Changelog: 5.17.0...5.18.1

5.17.0


@zwass zwass released this 16 Apr 05:04
1ab05a6


Full Changelog: 5.16.0...5.17.0

5.16.0


@directionless directionless released this 09 Feb 02:46
16bb015


Git Commits

Representing commits from 7 contributors! Thank you all.

Table Changes

  • Fix the python_paths table to skip unnecessary code paths when filtering by directory (#8544)
  • Added python packages in user directories on python_packages (#8504)
  • Added RHEL paths for python_packages table (#8529)
  • Buffer error logs in deb_packages table (#8540)
  • Fix wifi_status to correctly gather network_name on macOS 14+ (#8530)
  • Fix hardware model and version on Lenovo on system_info (#8534)
  • Optimize rpm_packages and rpm_package_files use of query context (#8537)

Bug Fixes

  • Fix to only deny-list scheduled queries when watchdog is enabled (#8541)
  • Switch to wmain to accept non-ASCII characters from the command line (#8519)

5.15.0


@directionless directionless released this 30 Dec 15:55
6a8a7f7


Git Commits

Representing commits from 17 contributors! Thank you all.

Table Changes

  • Add arc path to chrome_extensions on macOS (#8473)
  • Use empty columns instead of zeroes when undefined in socket_events (#8510)
  • Add support for accept to macOS table socket_events (#8508)
  • Add all-platform user-based optimized columns (#8496)
  • Add columns to es_process_events (#8506)
  • Add Darwin platform optimized miscellaneous columns (#8484)
  • Add all-platform path-based optimized columns (#8497)
  • Add Windows platform optimized columns (#8495)
  • Add hash_executable column to signature table (#8471)
  • Include VSCode Insiders extensions in vscode_extensions table (#8396)
  • Add POSIX platforms optimized columns (#8494)
  • Add Linux platform optimized columns (#8493)
  • Add all platform process based and curl optimized columns (#8498)
  • Add Darwin platform optimized system-related columns (#8483)
  • Add Darwin platform optimized path columns (#8482)
  • Fix incorrect SID in logged_in_users table on Windows when the username and domain/device name are the same (#8486)
  • Update the browser_firefox table to exclude "Crash Reports" and "Pending Pings" folders (#8478)
  • Move status column to extended_schema for linux socket_events (#8503)

Under the Hood improvements

  • Utils: Optimize default status message constructor (#8489)

Bug Fixes

  • Fix a leak in genAarch64PlatformInfo (#8462)
  • Fix a leak in DiskArbitrationEventPublisher::getProperty (#8463)
  • Catch generic exceptions to avoid crashing when parsing Windows event logs (#8513)
  • Fix leak in windows_events by using scope_guard (#8511)
  • Fixed eBPF's parsing of parent pid (#8501)
  • Fix refcounting of IO objects (#8481)

Documentation

  • Add documentation for testing macOS EndpointSecurity (#8509)
  • Add double quotes in Windows installation documentation (#8492)
  • Update expired Slack invite (#8488)
  • Update docs to correctly define conditional_to_base64 (#8460)

Build

  • build(deps): bump jinja2 from 3.1.4 to 3.1.5 (#8507)
  • Remove yara schema subdirectory (#8461)
  • Added chrono header file (#8512)
  • Replace usage of libaudit function removed in v3.0.7 (#8401)
  • Update xcode version for macos-14 from 14.3.1 to 15.4 (#8467)
  • Restrict python versions differently (#8453)
  • Update macOS test runner from 12 to 13 (#8459)
  • Add CVEs to the ignored lists (#8458)
  • Add a specific package build folder on Windows jobs (#8446)
  • Update all GitHub Actions to a version using Node.js 20 (#8449)
  • Reduce scheduled builds amount (#8457)