v3.7.0 ~ Epikur (pro)
Release date: July 27th, 2022.
This release is a minor maintenance release focused on security, performance and compatibility optimization.
It includes some security fixes related to a security audit that was performed by Cure53 on the new account recovery feature. Long story short, while the security researchers found some weaknesses, no exploitable vulnerability was found. As usual the full report is available for you to peruse: PBL-07 Cure53 report.
The performances have also been improved in this release, since the team worked a lot on the group management dialog. You should notice a 10x improvement in the front-end, while removing users from a group, and a 2x improvement while adding a user to a group. While we are already working on further performance gains which will be part of an upcoming release, we already wanted to ship these ready-to-go improvements to everyone, as this was reported as being one of the main performance bottlenecks in larger organizations. Overall the application should feel more tidy and snappy on the frontend.
V3.7 ships with compatibility support for PHP 8 including support for Ubuntu 22.04 LTS with RHEL 9 and RockyLinux 9 coming shortly. We also upgraded the front-end to React v17. It also includes some site-specific fixes for the autofill such as ovh or dzb-bank (feel free to report more of these on the community forum or github).
Two new languages have been added: Spanish and Lithuanian! Additionally, the translation system has been improved and is now able to support more complex translations for languages that need multiple plurals (such as Polish).
We would like to thank everyone who participated in the translation on the Crowdin platform, the security team of Cure53, as well Ashley Primo for helping to make passbolt even more accessible and secure for everyone.
Release 3.7.0
Browser extension
Added
- PB-15305 As LU I can access the mobile configuration page from the profile dropdown
- PB-16925 As AN I can access the sign in form of my organization from passbolt.com
- PB-17094 Mark account recovery feature as stable
- PB-17095 As a user I can use passbolt in Spanish
- PB-17095 As a user I can use passbolt in Lituanian
Improved
- PB-14103 As a user I want to be able to use the autofill on dzb-bank.de
- PB-14865 As LU I should see the warning messages on all dialogs with the same design
- PB-16560 As LU I should be able to read textarea content of dialog without zooming it
- PB-16641 As AD I want to have a clear error message when I import an account recovery organization key having an expiry date
- PB-16665 As a user I should see proper error message when an unexpected error happened in the quickaccess
- PB-16695 As a translator I can provide translation for languages that have multiple plurals
- PB-16937 As group manager I want to see a dialog skeleton when I’m editing a group having a large number of members
- PB-16942 Improve UI performance while adding a user to an existing group
- PB-16944 Improve UI performance while sharing multiple passwords in bulk
- PB-16991 Improve UI performance of the create group dialog
- PB-16995 Improve UI performance while adding a user or group to the list of people to share a password with
- PB-16998 As GM selecting a user to add to a group, I should see the latest member added
- PB-16703 As a user I can autofill my username on ovh.com
- PB-16757 As a user on a screen with low dpi I do not want to have a blur effect on the text
- PB-16759 As a user I want to see a coherent UI on a screen with a large resolution
Fixed
- PB-15049 As a user I should be able to complete the setup even if my machine and the server do not have a synchronized time
- PB-15247 As a user I should not see passbolt setup/recover starting on pages having similar urls
- PB-16169 As LU I want to see the feedback card call to actions aligned to the left
- PB-16640 As AD I should be able to subscribe to the account recovery program right after configuring it for the organization
- PB-16663 Misc style fixes on account recovery download generated key dialog
- PB-16763 As LU I should be able to change my passphrase and download the new recovery kit
- PB-16769 As LU I should be able to save passwords with an uri greater than 1024 from the in-form integration
- PB-16793 Misc style fixes on account recovery administration page
- PB-16807 As a user I should see the spinner Icon in the Autocomplete component
- PB-16840 As a user I should not get an error if a gpg key is stored in the local storage with a gpg key expiry set to null
- PB-16841 As AD I should not be able to import a public organization key having an expiration date
- PB-16883 As AD I want to be able to select Groups parent group and Users parent group fields in the User Directory interface
- PB-16926 As LU I should be able to see the right ‘Modified’ date property in the user sidebar
- PB-16928 As a translator I should not have strings with unpredictable variables to translate
- PB-17012 As a user if my domain changed, I should still see the login form after completing a setup, recover or an account recovery
- PB-17013 As LU I should see the pre-loading / skeleton style properly
- PB-17090 As a contributor I want to be able to switch theme in storybook
- PB-17155 As a user I want to see my security token with the chosen colors on the account recovery complete screen
Maintenance
- PB-13559 CI to report on code coverage
- PB-13887 Prepare theme colors file to welcome the theme customization feature
- PB-14271 Follow-up add className disabled for input text div
- PB-14876 Add test for browser integration scroll parent on iframe
- PB-16770 Update React to version 17
- PB-16994 Remove check extension configured for browser integration bootstrap
- PB-17029 As contributor I want to see a storybook home page
- PB-17032 Remove translatable strings that are duplicated
- PB-17071 Log verify gpg key error on authentication screen
Security
- PB-15259 As LU sharing a resource/folder I want to see a unified tooltip that informs me about a user fingerprint
- PB-16141 As AN importing a key during the setup, I should be warned when my passphrase is part of a data breach
- PB-16152 As AD I can not generate an account recovery key with a password which is part of a data breach
- PB-16154 As AN I cannot bypass the data breach assertion while completing the setup
- PB-16595 As AD reviewing an account recovery request I should get an error if the domain stored in the encrypted password data is not similar to mine
API
Added
- PB-17098 Add rockylinux 9 support
- PB-16751 Add Redhat 9 support
- PB-16749 Add Ubuntu 22.04 support
- PB-16950 Add Spanish and Lithuanian support
- PB-14514 Add PHP8.0 support
- PB-14514 Fix PHP8.1 compatibility issues
- PB-16161 Create action log endpoint for user CRUD
- PB-16844 Common part of the user recovery and setup audit log
Security
- PB-17068 PBL-07-003 Remove non necessary user id enumeration possibility
- PB-17068 Fix PBL-07-005 unusable organization key must be rejected
- PB-17068 PBL-07-002 Fix key algorithm validation should be set to strict in public key validation service
- PB-17068 Add test account recovery organization policy set should reject keys with weak algorithm
- PB-17068 PBL-07-002 Fix key algorithm validation should be set to strict on setup
- PB-17068 Fix OpenPGP unarmor should use base64_decode in strict mode
- PB-17068 SEC-1292 Fix unsafe default recipient email address (Credit: Ashley Primo)
Fixed
- PB-16705 As group manager updating group memberships I should not get a timeout
- PB-16949 As group manager deleting a group user the operation should not be slowed down by the folders plugin
- PB-16705 As a group manager updating group memberships I should not get a timeout due to a plugin integration
- PB-17068 Fix GroupsUsersValidatorTest psr-4 autoloading warning
- PB-17007 As AD performing a cleanup of the missing folders relations I should not get a timeout
- PB-16749 Fix jobs to reuse last job artifact instead of rebuilding it everytime
- PB-16877 Fixes ClearMfaCookieOnSetupAndRecover for controllers without User component
- PB-16666 GITHUB-432 Fix healthcheck style
Maintenance
- PB-17009 Replace createrepo by createrepo_c
- PB-16956 Misc Fixture Factories refactoring
- PB-16956 Modernize folders plugin bootstrap, add src/Plugin.php file
- PB-16806 UacAwareMiddleware trait now return UAC exclusively. More typing in UAC object.
- PB-16161 Renames ambiguous testing traits
- PB-16161Add and enhance log related factories
- PB-16791 Upgrade webinstaller openpgpjs to v5
- PB-14514 Update to composer v2.2 + Fix CI jobs
- PB-16657 Remove mariadb dependency
- PB-16161 Refactor to split folder, resource and user related logic in respective classes
"Muting the noise"
Listen to the release song!