v3.11.1 ~ Birdie (pro)

Release date: March 3rd, 2023.

This is a small maintenance release that addresses community reported issues related to the recently introduced Duo v4 support and SSO features.

Also shipped with this release, is a security fix to the browser extension to prevent clickjacking attacks. With the upcoming SSO feature, both the passbolt API and browser extensions underwent an independent security audit by Cure53. As always, detailed information from the audit will be made available on the dedicated incident page.

Thank you to the community for reporting and helping to resolve these issues.

API

Fixed

• PB-23283 As an administrator I can disable username validation in Duo Callback endpoints
• PB-23310 As a user I can login and recover my account with SSO Azure when passbolt is in a sub-directory setup

Browser extension

Security

• PB-23328 PBL-08-001 WP2 Credentials Leakage via Clickjacking - As a signed-in user I should not be able to open the application iframe in an untrusted parent frame
• PB-23327 PBL-08-001 WP2 Credentials Leakage via Clickjacking - As a signed-in user I should not be able to open the quickaccess in an iframe