Numerous changes have been made in Tableau Server to address Payment Card Industry (PCI) compliance issues.
The tabadmin set option vizqlserver.protect_sessions is now set to true by default. This change prevents VizQL sessions from being reused after the original user logs off.
Default SSL cipher in Tableau Server now uses SSL 3 and the latest Apache OpenSSL default cipher.
The tabadmin set option wgserver.password_autocomplete.enabled is now set to false by default. This setting controls whether web browsers are allowed to automatically complete password fields.
Every other horizontal header along the bottom of a view was omitted when loading the view as a .png image in a web browser.
Viewing a workbook that connects to a Tableau Server data source that is set up to prompt user for authentication, would sometimes succeed with an incorrect username if it was paired with the exact same password that was used when publishing the original data source.
A 404 error was returned by Internet Explorer when opening a view with authentication set to prompt user.
Very large vizqlserver logs were being generated with multidimensional data sources.
Embedded views in dashboards were not always displaying correctly in Internet Explorer 9.
Quick filter parameters in a url for a workbook using a Microsoft Analysis Services data source were not being passed to the workbook.
Tableau Server was failing to account for daylight savings time for some scheduled tasks.
Tabadmin restore was checking the available free space on the drive where the backup was located, rather than on the drive where the temp directory used for the restore, service.temp.dir, was located.
The Administrative view Space Usage was updated to include data about data sources as well as workbooks.
Editing multiple data connections to the same data source with Security Support Provider Interface (SSPI) authentication caused Failed to edit keychain of Workbook error.
The document mode for Internet Explorer (IE) was changed to take advantage of newer CSS features. Previously, all pages rendered using IE 8 standards even when using IE 9. Now loading a view in IE 9 uses the IE 9 standards.
Some subgroups were not being synchronized when a tabadmin syncgroup was executed. The issue was when synchronized nested Active Directory groups with members of sub-groups having the same name but on different levels on the tree.
The version of Apache HTTP Server in Tableau Server has been upgraded to version 2.2.22 to incorporate security fixes. This upgrade also resolved potential SSL trusted-ticket scenarios, where SSL cookies could be set without the secure flag, which could allow cookies to be consumed over non-SSL channels.
A Ruby on Rails patch to address Denial of Service and Unsafe Object Creation Vulnerability in JSON has been applied. For details on this patch, see this discussion in the Ruby on Rails Google Group.
The server was not displaying 'out of memory' errors, which gave the impression that it was still processing after it had stopped responding.
When accessing the Tableau Server PostgreSQL database directly from the primary server machine, it was possible to connect using a blank password. Blank passwords are no longer accepted. Refer to Connecting to the Tableau Server Database to learn more about connecting to this database.
Tableau app for iPad would fail when the url contained more than just the protocol and the host name. For example, http://SERVERNAME/ would cause the application to fail, but http://SERVERNAME (without the trailing forward slash) would not.