Releases: BookStackApp/BookStack
BookStack v21.08.6
Full List of Changes
This release contains the following fixes and changes:
- Added custom whoops-based debug view which fixes issue where debug view would not show content due to CSP rules. (#2977, #2976)
- Added throttling to password reset requests. (ca764ca)
- Updated translations with latest changes from Crowdin. (#2980)
- Updated DOMPDF chroot directory to prevent potential unintended file access. (#2965)
- Fixed issue where TOTP setup would provide guest email address upon QR code scan when MFA setup was enforced at login. (#2971)
BookStack v21.08.5
Security Release
This security release covers a vulnerability which would allow malicious users, who have permission to update or create pages, to load content from files stored within the storage/ or public/ directories (such as application logs) via the page HTML export system.
If you allow untrusted users to edit page content you should update as soon as possible.
This release also changes the way browser response caching is performed, while logged in, to help prevent navigating back to confidential content after logout.
Additional Changes
- Added concurrent page editing warnings upon draft save events. Thanks to @MatthieuParis (#2877)
- Updated translations with the latest changes from Crowdin. (#2953)
BookStack v21.08.4
Full List of Changes
This release contains the following fixes and changes:
- Added IP address to tracked activities and displayed in audit log. Thanks to @johnroyer. (#2936, #2747)
- Added the option to use database table prefixes. Thanks to @floviolleau. (#2935)
- Allowed the use of content includes when using a custom homepage.
- Updated translations with latest content from Crowdin. (#2926)
- Converted old test cases to remove reliance on BrowserKit. (#2928)
- Fixed incorrect audit log detail on social account sign-in. (#2930)
- Fixed issue where QR codes were not readable when using dark mode. (#2925)
BookStack v21.08.3
Full List of Changes
This release contains the following fixes and changes:
BookStack v21.08.2
Security Release
This security release is intended to cover a couple of XSS vulnerabilities, where a malicious user with page edit access could enter script that would execute upon page view. You should update as soon as possible if you allow untrusted users to edit content in your instance.
In addition, this release expands the CSP headers set by BookStack to help prevent any similar vulnerabilities from being effective going forward. If you've performed some more advanced customizations on your instance, they may need to be altered to work with the built-in CSP system.
BookStack v21.08.1
Full List of Changes
This release contains the following fixes and changes:
BookStack v21.08
Upgrade Notices
- Config & Administration - The introduction of multi-factor authentication brings the first use of encryption in the platform. This uses the APP_KEY value in your .env file. Ensure you have this stored safely since it would be required if you ever restore/migrate your instance to another system.
- Security/Exports - During this release cycle it was highlighted that server-side request forgery could be achieved via the PDF export system. External fetching in the default PDF renderer has been disabled by default. The WKHTMLtoPDF renderer will now not be used if active. Either of these changes can be overridden by setting ALLOW_UNTRUSTED_SERVER_FETCHING=true in your .env file. This should only be used where only trusted users can create and export content. To support this we've added permissions that allow disabling of exports per role.
- Security/Authentication - A slight change was made in relation to how email addresses are confirmed. Email confirmations are now primarily checked at point-of-login rather than being checked on every request. Enabling email confirmation, or email domain restrictions, may no longer take action on unconfirmed users right away in the future.
Full List of Changes
- Added multi-factor authentication system. (#2827, #1118)
- Added the ability to export content as Markdown. Thanks to @nikhiljha. (#2115, #1717)
- Added role permissions for exporting content. (#2899, #1251)
- Added an advisory notice on the shelf permissions page regarding the lack of cascade. (#2876)
- Added Lithuanian language translations. Thanks to @ffranchina. (#2868)
- Added item parent link in recycle bin restore to make parent item restore easier. Thanks to @arjvand. (#2682, #2594)
- Added some core opengraph tags to content. Thanks to @james-geiger. (#2393, #2348)
- Updated blade views to be more consistent and follow a documented convention. (#2805)
- Fixed markdown blockquotes not rendering correctly in preview. (#2858, #2837)
- Fixed issue on API where page updates can remove HTML. (#2856)
- Fixed inconsistency in list display and nesting. (#2854)
- Standardised styling of the codebase. (#2820)
BookStack v21.05.4
Full List of Changes
This release contains the following fixes and changes:
BookStack v21.05.3
Full List of Changes
This release contains the following fixes and changes:
- Added a "Skip to content" link as first page focus item for accessibility use. (#2810)
- Updated social account detachment to have CSRF protection. (#2808)
- Updated PHP dependency versions.
- Fixed issue where translations system may attempt to load from the root directory when a theme was not in use. (#2836)
BookStack v21.05.2
Full List of Changes
This release contains the following fixes and changes: