Important: This patch contains important security updates and upgrading from earlier versions is advised.

Version 1.21.1 of the Interoperability Test Bed software, based on the GITB CWA specifications, is now released.

This is a limited maintenance release to address reported bugs, and most importantly to patch third-party libraries to resolve published vulnerabilities. Of these the most important is the HTTP/2 Rapid Reset vulnerability that could render a Test Bed instance vulnerable to a DDoS attack if used directly (i.e. without a reverse proxy) from end users.

This new version is online in the Interoperability Test Bed service hosted by DIGIT but is also available for you to set up as a standalone instance. If a standalone instance best matches your needs, the following supporting resources are available:

• The Test Bed's installation guide (for development and production use).
• The Test Bed's user guide.
• The source code of the Test Bed software.
• The EUPL-based licence attached to the direct use of the source code.

If you are updating from a previous version, please follow the Test Bed's update guide.

Release Notes - Version 1.21.1

The following list summarises the issues included in this release, classified as bugs, improvements and new features. For more details click the issue key links (requires access to the Test Bed's issue tracker).

Bug

• [ITB-1502] - The system administration screen shows the custom welcome page message as disabled even when it is set
• [ITB-1519] - Test Bed REST API documentation may become unavailable

Improvement

• [ITB-1516] - Library updates to address CVE-2023-44487 (HTTP/2 Rapid Reset)
• [ITB-1517] - Library updates to address (as a precaution) CVE-2023-22102 (MySQL connector exploit)
• [ITB-1518] - Library updates to address (as a precaution) CVE-2023-45819 (TinyMCE notifications exploit)