Help Search

v2.11.0 ~ Don't You (Forget about me) (pro)

Release date: August 7th, 2019.

Passbolt v2.11 is maintenance release containing security fixes. Extension update will be rolled out automatically to your users like usual, but as an administrator you will need to update your server.

This release introduces some security fixes. Make sure you follow the minor update documentation to roll out this new version as soon as possible.

Update documentation

The security issues were discovered by security researcher René Kroka as part of the Bug Bounty program organized in collaboration with YesWeHack. You can find more information about the vulnerabilities found during this audit, on the dedicated incident page. You can also learn more about passbolt security in our recently published Security White Paper.

This release also includes some requested fixes by the community. The autofill functionality is now a bit more robust and will work on more websites, including for example when the login form is located in an iframe (on the same domain than the current page). Feel free to report any issues you encounter with the autofill on websites you use via github issues. Another long awaited fix relates to the passphrase remember me and the auto logout functionalities.

The Multi-factor authentication behavior was also adjusted. Passbolt will now ask users to be verified at every login using one of the provider you selected, instead of such verification being valid for 72h by default. For Yubikey and TOTP you can additional request to be remembered for 30 days on the selected device.

The installation script now also supports the new Debian 10 (stable). Because of this we will soon deprecate support for 7.0 (which was still the default on Debian 9). Make sure you upgrade your web server to use at least 7.2 in the coming weeks.

Next stop: Folders! We know you are all waiting patiently for the release of folders. We encountered some delay with the private launch of Passbolt Cloud, but we are still aiming to release a first version before the end of the summer. In that regards we will soon share some specifications and a survey with the community to gather feedback and help us finalize the specifications and design.

If you want to receive an invitation for Passbolt Cloud, feel free to complete this form or send us an email at sales@passbolt.com. Or you can wait for the public launch in September!

The team wish you happy holidays, if you are lucky enough to take some!

API

Security fixes

  • PB-661: Fix XSS on tag autocomplete
  • PB-661: Fix tab nabbing when clicking on “open in a new tab” in password grid
  • PB-607: Fix XSS on first name or last name during setup

Improvements

  • PB-587: Add baseline support for multiple openpgp backends
  • PB-391: Display the name and email of the user an admin is going to delete in the delete dialog
  • PB-396: Display the label of the password a user is going to delete in the delete dialog
  • PB-397: Display a relevant feedback in the user details group section if the user is not member of any group
  • PB-533: Add a new session check endpoint that does not extend the session expiry
  • PB-607: Add option for an administrator to configure CSP using environment variable
  • PB-242: Improve the passwords grid (passwords fetch peformance, search reactivity, selectbox area enlarged)

Fixes

  • PB-572: Fix MFA verification should happen after every login
  • PB-572: Fix MFA when running in subdirectory
  • PB-349: Fix health check fails if using custom GNUPGHOME env set by application
  • PB-330: Fix migration issue from CE to PRO in v2.10
  • PB-567: Fix appjs auto logout
  • PB-601: Fix some incomplete unit tests
  • PB-427: Fix email sender shell task and organization settings table unnecessary coupling
  • PB-349: Fix OpenPGP results health checks

Maintenance

  • PB-505: Upgrade cake 3.8
  • PB-504: Upgrade Javascript dependencies
  • PB-472: Cleanup test dependencies

Web extension

Improved

  • PB-242: Add local storage resources capabilities to manipulate the resources (add, delete, update)
  • GITHUB-79: Improve autofill compatibility, trigger an input event instead a change event while filling forms
  • PB-278: #GITHUB-61: Improve autofill compatibility, support Docker and AWS forms
  • PB-432: Improve autofill compatibility, support reddit.com
  • PB-433: Improve autofill compatibility, support Zoho CRM
  • GITHUB-78: Improve autofill compatibility, fill only username if no password fill present
  • PB-494: Improve autofill compatibility, ignore hidden fields
  • PB-514: Improve autofill compatibility, fill iframe forms
  • PB-609: Update library used for CSV export

Fixed

  • PB-544: Fix login passphrase remember me and quickaccess
  • PB-533: Fix session expired management
  • PB-515: Autofill should not fill if the url in the tab have changed between the time the user clicked on the button to fill and the data is sent to the page.
  • PB-503: Fix math.random() when generating first security token/color

"Think of the tender things that we were working on."

Listen to the release song!