v3.12.0 ~ Introspective (pro)

Release date: March 15th, 2023.

Release 3.12 for passbolt includes several new features and enhancements. Starting with Microsoft Azure being enabled by default for SSO capabilities. The feature has been thoroughly audited by Cure53, and the issues identified by the community have been fixed, so the feature is officially out of Beta!

Another notable new feature is the ability to customise passbolt to output the action logs in syslog or a file, giving administrators more control and visibility on what is happening on their instance and leverage other tools for threat and unusual activity detection. Administrators can also implement their own handler for action logs to further customise their passbolt instance reporting. A blog to demonstrate this new feature will be available soon.

Version 3.12 also includes important fixes, such as a fix to ensure that only administrators can see which users have MFA enabled. This regression was spotted during the Cure53 march security audit. The full report will be available shortly. Spoiler alert: no critical vulnerability was found.

Lastly, more file formats for export are included in release 3.12. This provides more options for migrating data between applications.

Overall, this release gives users more options while also improving passbolt’s functionality and security. The team extends a warm thank you to everyone who participated in the SSO alpha and beta tests cycles, for reporting issues and assisting us in resolving them.

API

Added

• PB-20535 As a community user I want to use folders
• PB-22749 As an administrator I can customise passbolt to output the action logs in syslog
• PB-22749 As an administrator I can customise passbolt to output the action logs in a file
• PB-22749 As an administrator I can implement my own action logs handler
• PB-23813 Microsoft Azure as single sign on should be enabled by default

Fixed

• PB-23717 As a user using the json API I should get a bad request error instead of an internal error if using api-version=v1
• PB-21826 Fix emails entries should not be locked when threshold limit is exceeded
• PB-23519 As an administrator running the DUO v4 migration I should not see a warning message if DUO was not configured
• PB-23721 As an administrator I want to be sure the server key is in the keyring before decrypting users directory settings

Security

• PB-23311 As an administrator I should be the only one to know which users have enabled MFA

Improved

• PB-23333 As an administrator I should see a notice instead of a warning if I enabled the self registration plugin
• PB-23722 As a developer running the unit tests I want to be sure the version from the config matches the one from the changelog
• PB-22892 As a user recovering my account I want to see the success and error pages feedback

Maintenance

• PB-23287 Duo multi-factor authentication redirection refactoring
• PB-23702 Update phpseclib/phpseclib dependency

Browser extension

Added

• PB-22521 As a signed-in user, I want to export resources in logmeonce csv
• PB-22520 As a signed-in user, I want to export resources in nordpass csv
• PB-22519 As a signed-in user, I want to export resources in dashlane csv
• PB-22518 As a signed-in user, I want to export resources in safari csv format
• PB-22517 As a signed-in user, I want to export resources in mozilla csv
• PB-22515 As a signed-in user, I want to export resources in bitwarden csv
• PB-22516 As a signed-in user, I want to export resources in chromium based browsers csv
• PB-22838 As an administrator I can customise the application email validation

Improvements

• PB-22896 Improve DUO style

Fix

• PB-23281 Fix as a user I should see an accurate entropy when a password contain words from a dictionary
• PB-23541 As a user I can use SSO recover when Passbolt is served from a subfolder

Security

• PB-23706 As an administrator I should be the only one to know which users have enabled MFA