v2.11.0 ~ Don't You (Forget about me) (ce)
Release date: August 7th, 2019.
Passbolt1 v2.11 is maintenance release containing security fixes. Extension update will be rolled out automatically to your users like usual, but as an administrator you will need to update your server.
The security issues were discovered by security researcher René Kroka as part of the Bug Bounty program organized in collaboration with YesWeHack. You can find more information about the vulnerabilities found during this audit, on the dedicated incident page. You can also learn more about passbolt security in our recently published Security White Paper.
This release also includes some requested fixes by the community. The autofill functionality is now a bit more robust and will work on more websites, including for example when the login form is located in an iframe (on the same domain than the current page). Feel free to report any issues you encounter with the autofill on websites you use via github issues. Another long awaited fix relates to the passphrase remember me and the auto logout functionalities.
The installation script now also supports the new Debian 10 (stable). Because of this we will soon deprecate support for 7.0 (which was still the default on Debian 9). Make sure you upgrade your web server to use at least 7.2 in the coming weeks.
The team wish you happy holidays, if you are lucky enough to take some!
- PB-661: Fix tab nabbing when clicking on “open in a new tab” in password grid
- PB-607: Fix XSS on first name or last name during setup
- PB-587: Add baseline support for multiple openpgp backends
- PB-391: Display the name and email of the user an admin is going to delete in the delete dialog
- PB-396: Display the label of the password a user is going to delete in the delete dialog
- PB-397: Display a relevant feedback in the user details group section if the user is not member of any group
- PB-533: Add a new session check endpoint that does not extend the session expiry
- PB-607: Add option for an administrator to configure CSP using environment variable
- PB-242: Improve the passwords grid (passwords fetch peformance, search reactivity, selectbox area enlarged)
- PB-349: Fix health check fails if using custom GNUPGHOME env set by application
- PB-330: Fix migration issue from CE to PRO in v2.10
- PB-567: Fix appjs auto logout
- PB-601: Fix some incomplete unit tests
- PB-427: Fix email sender shell task and organization settings table unnecessary coupling
- PB-349: Fix OpenPGP results health checks
- PB-505: Upgrade cake 3.8
- PB-472: Cleanup test dependencies
- PB-242: Add local storage resources capabilities to manipulate the resources (add, delete, update)
- GITHUB-79: Improve autofill compatibility, trigger an input event instead of a change event while filling forms
- GITHUB-61: Improve autofill compatibility, support Docker and AWS forms
- PB-432: Improve autofill compatibility, support reddit.com
- PB-433: Improve autofill compatibility, support Zoho CRM
- GITHUB-78: Improve autofill compatibility, fill only username if no password field present
- PB-494: Improve autofill compatibility, ignore hidden fields
- PB-514: Improve autofill compatibility, fill iframe forms fields
- PB-609: Update library used for CSV export
- PB-544: Fix login passphrase remember me and quickaccess
- PB-533: Fix session expired management
- PB-515: Autofill should not fill if the url in the tab have changed between the time the user clicked on the button to fill and the data is sent to the page.
- PB-503: Fix math.random() when generating first security token/color
"Think of the tender things that we were working on."Listen to the release song!