Releases: BookStackApp/BookStack
BookStack v21.10.3
ssddanbrown
Dan Brown
01cdbdb
ssddanbrown
Dan Brown
Security Release
BookStack v21.10.3 has been released. This is a security release that address a couple of vulnerabilities within the attachment and image
serving mechanisms. The attachment vulnerability could result in users uploading content to be served in a way that can be utilized for phishing. The image serving vulnerability could result in unintended file access within your BookStack storage folder.
If you allow untrusted users to login or upload attachments you should update as soon as possible.
Full List of Changes
- Updated AzureAD login library to work with the new Microsoft Graph API. (#3028)
- Fixed path image file path traversal vulnerability. Thanks @theWorstComrade for reporting. (#3030)
- Prevented HTML attachments being served inline. Thanks @theWorstComrade for reporting. (#3027)
- Updated translations from latest Crowdin changes. (#3023)
Contributors
Assets 2
BookStack v21.10.2
ssddanbrown
Dan Brown
3cdab19
ssddanbrown
Dan Brown
Security Release
BookStack v21.10.2 has been released. This is a security release that builds upon changes in v21.10.1 which covers a vulnerability which would allow malicious users, who have permission to update or create pages, to upload content that could then be utilized for phishing or other general malicious intent.
If you allow untrusted users to edit page content you should update as soon as possible.
Full List of Changes
Contributors
Assets 2
BookStack v21.10.1
ssddanbrown
Dan Brown
91f8012
ssddanbrown
Dan Brown
Security Release
BookStack v21.10.1 has been released. This is a security release that covers a vulnerability
which would allow malicious users, who have permission to update or create pages, to upload
content that could then be utilized for phishing or other general malicious intent.
If you allow untrusted users to edit page content you should update as soon as possible.
Full List of Changes
Contributors
Assets 2
BookStack v21.10
ssddanbrown
Dan Brown
0fe5bdf
ssddanbrown
Dan Brown
Links
Full List of Changes
- Added OpenID Connect authentication option. Thanks to @jasperweyne. (#2960, #2169, #1390, #1157)
- Added Attachment API endpoints. (#2986, #2942)
- Added Estonian language to BookStack via Crowdin. (#2979)
- Added support for SAML2 SLS signing to help address issues with ADFS. Thanks to @theodor-franke. (#2902)
- Added support for base64 image content within markdown text via page POST/PUT. (#2898)
- Updated translations from Crowdin contributors. (#2983)
- Updated SAML ACS post flow to retain user session and therefore redirect to the correct location upon login. (#2996, #2552)
- Fixed padding within book-tree sidebar items. Thanks to @ffranchina. (#3000)
BookStack v21.08.6
ssddanbrown
Dan Brown
68d437d
ssddanbrown
Dan Brown
Links
Full List of Changes
This release contains the following fixes and changes:
- Added custom whoops-based debug view which fixes issue where debug view would not show content due to CSP rules. (#2977, #2976)
- Added throttling to password reset requests. (ca764ca)
- Updated translations with latest changes from Crowdin. (#2980)
- Updated DOMPDF chroot directory to prevent potential unintended file access. (#2965)
- Fixed issue where TOTP setup would provide guest email address upon QR code scan when MFA setup was enforced at login. (#2971)
BookStack v21.08.5
ssddanbrown
Dan Brown
dab170a
ssddanbrown
Dan Brown
Security Release
This security release covers a vulnerability which would allow malicious users, who have permission to update or create pages, to load content from files stored within the storage/ or public/ directories (Such as application logs) via the page HTML export system.
If you allow untrusted users to edit page content you should update as soon as possible.
This release also changes the way browser response caching is performed, while logged in, to help prevent navigating back to confidential content after logout.
Additional Changes
- Added concurrent page editing warnings upon draft save events. Thanks to @MatthieuParis (#2877)
- Updated translations with the latest changes from Crowdin. (#2953)
BookStack v21.08.4
ssddanbrown
Dan Brown
78fe95b
ssddanbrown
Dan Brown
Links
Full List of Changes
This release contains the following fixes and changes:
- Added IP address to tracked activities and displayed in audit log. Thanks to @johnroyer. (#2936, #2747)
- Added the option to use database table prefixes. Thanks to @floviolleau. (#2935)
- Allowed the use of content includes when using a custom homepage.
- Updated translations with latest content from Crowdin. (#2926)
- Converted old test cases to remove reliance on BrowserKit. (#2928)
- Fixed incorrect audit log detail on social account sign-in. (#2930)
- Fixed issue where QR codes were not readable when using dark mode. (#2925)
BookStack v21.08.3
ssddanbrown
Dan Brown
fa85538
ssddanbrown
Dan Brown
Links
Full List of Changes
This release contains the following fixes and changes:
BookStack v21.08.2
ssddanbrown
Dan Brown
88bcb68
ssddanbrown
Dan Brown
Security Release
This security release is intended to cover a couple of XSS vulnerabilities, where a malicious user with page edit access could enter script that would execute upon page view. You should update as soon as possible if you allow untrusted users to edit content in your instance.
In addition, this releases expands the CSP headers set by BookStack to help avoid any similar vulnerabilities from being effective going forward. If you've performed some more advanced customizations on your instance, they may need to be altered to work with the built-in CSP system.
BookStack v21.08.1
ssddanbrown
Dan Brown
391fa35
ssddanbrown
Dan Brown
Links
Full List of Changes
This release contains the following fixes and changes: