Releases: osquery/osquery
5.23.1
This is a bug and security fix release.
What's Changed
Fixes
- Fix heap buffer overflow in Windows `processes` table by @seph in #8934
- Fix heap buffer overflow in Windows `authenticode` table by @seph in #8923
- Fix use-after-free in Linux `process_file_events` implementation by @zwass in #8950
- Fix incorrect permissions on temporary file carve directories by @zwass in #8961
- Fix documentation for `process_open_handles` table by @seph in #8853
- Fix `subject2` and `issuer2` columns for Windows `certificates` table by @getvictor in #8963
Full Changelog: 5.23.0...5.23.1
5.23.0
What's Changed
Features
- Add process memory scanning capability to `yara` table by @brian-mckinney in #8782
- Split yara tables into `yara_process` and `yara_file` by @brian-mckinney in #8835
- Add Windows `process_open_handles` table by @brian-mckinney in #8795
- Add `secureboot_certificates` table for Linux by @zwass in #8844
- Extend `python_packages` and `npm_packages` to cover modern package managers by @ariary in #8801
- Add level filtering to the `unified_log` table by @directionless in #8788
- Disallow newlines in `curl` custom headers by @directionless in #8787
- Supplement LaunchServices with directory scanning in `apps` table (#8789) by @getvictor in #8790
- Command line flags for query input and output by @directionless in #8786
- New header-based authentication mechanism for remote APIs by @juan-fdz-hawa in #8805
- Add recursion to `npm_packages` by @directionless in #8809
- Make profile.py performance thresholds configurable via CLI flags by @stefanamaerz in #8841
- Add `ROOT\default` to WMI tables by @directionless in #8810
Build & Dependencies
- Update expat to 2.7.4 to fix CVE-2026-25210 by @Sampriti2803 in #8794
- Fix GCC 15 compatibility by @carlsmedstad in #8837
Fixes
- Fix macOS keychain corruption when accessing non-SSV keychain files by copying to temporary files first by @lucasmrod in #8840
- Fix incorrect example queries in table specs by @edwardsb in #8791
- Improve `network_name` detection on macOS `wifi_status` table by @lucasmrod in #8781
- Fix a bug in `apt_sources` parsing by @directionless in #8785
- Add `NOCASE` and `VERSION` collation to various columns by @directionless in #8813
- Increase the limit on systemd unit iteration by @directionless in #8802
- Fix format string vulnerability in shell.cpp disconnect_socket() by @directionless in #8824
- Fix saving file times in file carves by @zwass in #8819
- Fix empty results from `office_mru` table by @thierryfranzetti in #8838
- Fix multiple security vulnerabilities in smc_keys.cpp by @directionless in #8820
- Fix `gatekeeper` table on macOS 15+ by @thierryfranzetti in #8831
- Fix container bounds checking vulnerabilities by @directionless in #8825
- Reduce noisy logs from `chrome_extensions` by @lucasmrod in #8792
New Contributors
- @edwardsb made their first contribution in #8791
- @Sampriti2803 made their first contribution in #8794
- @ariary made their first contribution in #8801
- @juan-fdz-hawa made their first contribution in #8805
- @thierryfranzetti made their first contribution in #8838
- @stefanamaerz made their first contribution in #8841
Full Changelog: 5.22.1...5.23.0
5.22.1
5.22.0 macOS binaries will not execute because the signing certificate is out of sync with the provisioning profile. 5.22.1 replaces it.
What's Changed
Features
- Make escapeNonPrintableBytes UTF-8 aware by @nulmete in #8777
- Note: This changes some query results that formerly were rendered as raw unicode bytes and will now be rendered as the corresponding characters.
- Update virtual sql functions to support multiple constraints by @brian-mckinney in #8746
  - This allows `SELECT * FROM vscode_extensions WHERE uid in (SELECT uid FROM users WHERE include_remote = 1)` and similar queries that join or subquery to the `users` table to include results for remote users.
- Add support for retries in carver by @zwass in #8740
- Preserve file metadata in carver archives by @zwass in #8752
- Add machine-wide provisioned MSIX packages to programs table (#8001) by @getvictor in #8772
Build & Dependencies
- Update osquery-toolchain to 1.2.0 (LLVM 11.0.0, zlib 1.2.13) by @zwass in #8773
- Update Apple provisioning profile for new developer certificates by @zwass in #8780
- build: suppress `enum-constexpr-conversion` error for boost mpl on macos by @sharvilshah in #8742
- lib: Update openssl to 3.6.1 by @sharvilshah in #8766
Fixes
- Quit carving when sending a block fails by @zwass in #8733
- Fix SMBIOS CPU count by @agiacomolli in #8737
- Fix systemd unit: use .target instead of .service by @ideologysec in #8771
- Fix typo in winbaseobj.table description by @SquidCooki2 in #8768
- Fix JSON handling copy vs. ref semantics by @zwass in #8738
- Fix memory leak in `logon_sessions` by @directionless in #8779
New Contributors
- @ideologysec made their first contribution in #8771
- @SquidCooki2 made their first contribution in #8768
- @nulmete made their first contribution in #8777
- @brian-mckinney made their first contribution in #8746
Full Changelog: 5.21.0...5.22.1
5.21.0
What's Changed
- Improvements to password_policy table by @zwass in #8705
- Improve file traversal performance and correctness by @Krechals in #8704
- Add support for Login Items and Background Services on modern macOS by @zwass in #8726
- Add last_connected_automatic and last_connected_manual to wifi_networks table by @zwass in #8728
- Refresh resolver state on interval to pick up DNS changes by @zwass in #8716
- Add new darwin certificate trust settings table by @Micah-Kolide in #8715
- Fix crash when querying carves table with carves larger than 2GB by @ksykulev in #8732
- Add support for gzip content-encoding in HTTP client by @zwass in #8731
New Contributors
Full Changelog: 5.20.0...5.21.0
5.20.0
What's Changed
Features/Bugs
- Add default path for CA certificate bundle on openSUSE by @iko1 in #8687
- Exclude config views from db migration by @Micah-Kolide in #8678
- Make `vscode_extensions` more consistently report UUID by @zwass in #8693
- Don't overwrite `hardware_version` if it has a value by @sbrito85 in #8690
- Support `nvm` on `npm_packages` table by @dantecatalfamo in #8694
- Add scoped npm package support in `npm_packages` table by @lichao127 in #8686
Dependencies
- Fix build against libaudit >=4.1.1 by removing set_aumessage_mode call by @Blarse in #8676
- libs: libarchive: 3.7.9 -> 3.8.1 by @LeSuisse in #8642
Documentation
- Fix SQL examples for system_profiler table by @zwass in #8699
- Add more informative descriptions for `mounts.blocks_free` and `mounts.blocks_available` by @jacobshandling in #8701
- Update `dns_resolvers` documentation to point to `interface_details` on Windows by @zwass in #8682
New Contributors
- @frankgraziano made their first contribution in #8681
- @Blarse made their first contribution in #8676
- @jacobshandling made their first contribution in #8701
Full Changelog: 5.19.0...5.20.0
5.19.0
What's Changed
Features
- Add table `deb_package_files` by @zwass in #8657
- Add `system_profiler` table for macOS by @zwass in #8645
- Add version collate to `os_version` table's `version` column by @Micah-Kolide in #8659
- Add `entitlements` column to macOS `signature` table by @zwass in #8666
- Add support for VSCode forks in `vscode_extensions` by @zwass in #8664
Bugfixes
- Fix `NSInvalidArgumentException` when querying `connected_displays` by @Synse in #8628
- Fix inconsistent counter resets due to `Config::purge()` by @skurpad7 in #8635
- Update linux `block_device` and `disk_encryption` source data to simple sysfs implementation by @Micah-Kolide in #8182
- Fix ATC for open Firefox databases by @zwass in #8631
Other
- libs: yara: 4.2.3 -> 4.5.4 by @LeSuisse in #8643
- Upgrading zlib to 1.3.1 by @ksykulev in #8625
- Fix build for XCode SDK 16.4 by @lucasmrod in #8640
- Update build instructions for workaround for XCode SDK > 16.3 by @lucasmrod in #8650
- Add Cursor AI editor configurations by @zwass in #8656
- Further improvement to Cursor rules by @zwass in #8662
- Update Windows build instructions by @zwass in #8661
New Contributors
Full Changelog: 5.18.0...5.19.0
5.18.1
What's Changed
- [Performance Analysis] print stderr if exists by @lichao127 in #8600
- libs: Update googletest by @Smjert in #8604
- Fix parsing of Windows shortcut (.lnk) files in file table by @zwass in #8601
- Fix Prefetch table for Windows 11 by @zwass in #8615
- libs: libarchive: 3.6.2 -> 3.7.9 by @LeSuisse in #8605
- Fix hardware UUID caching by @sgress454 in #8616
- Add detection for ARM CPUs when running in x86 emulation by @dantecatalfamo in #8572
- Reduce log noise for `hash` table by @lucasmrod in #8626
- Fix SQL example syntax in SQL introduction docs by @piotrgiedziun in #8620
- Added jetbrains_plugins table by @ksykulev in #8623
- Add recent_files table on Windows by @zwass in #8603
New Contributors
- @piotrgiedziun made their first contribution in #8620
Full Changelog: 5.17.0...5.18.1
5.17.0
What's Changed
- Add `CHANGELOG.md` entry for 5.16.0 by @lucasmrod in #8548
- Add `symlink_target_path` to files tables by @DocEmmetBrown in #8502
- cve: Ignore libarchive CVE-2024-26256 by @Smjert in #8546
- Fixes in windows helpers by @zwass in #8549
- Align ES functions with documented macOS versions by @SilverPlate3 in #8338
- Fix include path in logger-plugins.md by @zwass in #8550
- Fix integration test name in Windows build instructions by @zwass in #8552
- Fix event expiration to prevent losing events by @zwass in #8535
- Update `shell_history` table to include ash by @jbeley in #8568
- Fix docker container table disk/write metrics, comparing "op" values case-insensitively by @Kislaci90 in #8566
- Escape service binary path in manage-osqueryd.ps1 by @smithclay in #8569
- Update `docker_container_stats` table to include memory_inactive_file and memory_total_inactive_file by @kfnorbi in #8577
- Add `auto_update` and `app_name` columns to `homebrew_packages` table by @DocEmmetBrown in #8520
- Add support for scheduled queries to run at startup by @Micah-Kolide in #8554
- Boost 1.87 compatibility by @carlsmedstad in #8533
- Pin macos python versions in CI to fix mismatch between builder and test runner by @scottvanta in #8559
- cve: Ignore util-linux CVE-2024-28085 by @Smjert in #8579
- build(deps): bump jinja2 from 3.1.5 to 3.1.6 by @dependabot in #8563
- Fix SMC reading values by @sgress454 in #8583
- Fixes network metrics by @Kislaci90 in #8567
- Implement yara_events table for Windows by @zwass in #8580
- Fix flaky mdfind test in CI by @zwass in #8589
- libs: openssl: 3.2.1 -> 3.4.1 by @LeSuisse in #8586
- Add support for DEB822-style apt sources by @dantecatalfamo in #8556
- Add support for msix packages by @ksykulev in #8585
- Implement dns_lookup_events table on Windows by @zwass in #8553
- Added UpgradeCode to programs table by @ksykulev in #8587
- libs: expat bump from 2.6.0 to 2.7.1 by @LeSuisse in #8595
- Update ubuntu runners to 22.04 by @zwass in #8592
- Refactor ETW helpers for unicode support by @zwass in #8596
- Fix/startup items parsing by @AndreaMarangoni in #8536
- Filter the Win32_Processor query to only required fields by @jaymzjulian in #8598
New Contributors
- @DocEmmetBrown made their first contribution in #8502
- @jbeley made their first contribution in #8568
- @Kislaci90 made their first contribution in #8566
- @smithclay made their first contribution in #8569
- @kfnorbi made their first contribution in #8577
- @scottvanta made their first contribution in #8559
- @LeSuisse made their first contribution in #8586
- @dantecatalfamo made their first contribution in #8556
- @jaymzjulian made their first contribution in #8598
Full Changelog: 5.16.0...5.17.0
5.16.0
Representing commits from 7 contributors! Thank you all.
Table Changes
- Fix the `python_paths` table to skip unnecessary code paths when filtering by `directory` (#8544)
- Added python packages in user directories on `python_packages` (#8504)
- Added RHEL paths for `python_packages` table (#8529)
- Buffer error logs in `deb_packages` table (#8540)
- Fix `wifi_status` to correctly gather `network_name` on MacOS 14+ (#8530)
- Fix hardware model and version on Lenovo on `system_info` (#8534)
- Optimize `rpm_packages` and `rpm_package_files` use of query context (#8537)
Bug Fixes
5.15.0
Representing commits from 17 contributors! Thank you all.
Table Changes
- Add arc path to `chrome_extensions` on macOS (#8473)
- Use empty columns instead of zeroes when undefined in `socket_events` (#8510)
- Add support for accept to macOS table `socket_events` (#8508)
- Add all-platform user-based optimized columns (#8496)
- Add columns to `es_process_events` (#8506)
- Add Darwin platform optimized miscellaneous columns (#8484)
- Add all-platform path-based optimized columns (#8497)
- Add Windows platform optimized columns (#8495)
- Add `hash_executable` column to `signature` table (#8471)
- Include VSCode Insiders extensions in `vscode_extensions` table (#8396)
- Add POSIX platforms optimized columns (#8494)
- Add Linux platform optimized columns (#8493)
- Add all platform process based and curl optimized columns (#8498)
- Add Darwin platform optimized system-related columns (#8483)
- Add Darwin platform optimized path columns (#8482)
- Fix incorrect SID in `logged_in_users` table on windows when username and domain/device name are the same (#8486)
- Update the `browser_firefox` table to exclude "Crash Reports" and "Pending Pings" folders (#8478)
- Move status column to `extended_schema` for linux `socket_events` (#8503)
Under the Hood improvements
- Utils: Optimize default status message constructor (#8489)
Bug Fixes
- Fix a leak in `genAarch64PlatformInfo` (#8462)
- Fix a leak in `DiskArbitrationEventPublisher::getProperty` (#8463)
- Catching generic exception in order to avoid crashing when parsing windows events logs (#8513)
- Fix leak in `windows_events` by using `scope_guard` (#8511)
- Fixed eBPF's parsing of parent pid (#8501)
- Fix IO objects refcounting (#8481)
Documentation
- Add documentation for testing macOS EndpointSecurity (#8509)
- Add double quotes in Windows installation documentation (#8492)
- Update expired Slack invite (#8488)
- Update docs to correctly define `conditional_to_base64` (#8460)
Build
- build(deps): bump jinja2 from 3.1.4 to 3.1.5 (#8507)
- Remove yara schema subdirectory (#8461)
- Added chrono header file (#8512)
- Replace usage of libaudit function removed in v3.0.7 (#8401)
- Update xcode version for macos-14 from 14.3.1 to 15.4 (#8467)
- Restrict python versions differently (#8453)
- Update macOS test runner from 12 to 13 (#8459)
- Add CVEs to the ignored lists (#8458)
- Add a specific package build folder on Windows jobs (#8446)
- Update all Github actions to a version using NodeJs 20 (#8449)
- Reduce scheduled builds amount (#8457)