Releases: linuxserver/docker-bookstack
v21.11-ls169
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Upgrade Notices
- Security Releases - There were some security vulnerabilities found during the life of v21.10. See the v21.10.1, v21.10.2 and v21.10.3 posts for more details.
- API Changes - As of v21.11 any dates in API responses will be formatted as per ISO-8601, with `2019-12-02T20:01:00.283041Z` reflecting an example of this format. You may need to review any of your scripts that utilise dates from API responses.
- Upload Limit - System file upload limits are now configured using a `FILE_UPLOAD_SIZE_LIMIT` option in your `.env` file. This value is specified as an integer and represents the max upload size in MegaBytes. This defaults to 50MB. This replaces the old `window.uploadLimit` HTML head option that could be set.
- Search Index Changes - There have been search indexing and scoring changes in v21.11. It's recommended to run `php artisan bookstack:regenerate-search` to ensure a consistent search experience and take advantage of these changes.
- Logout Endpoints - Logout endpoints have now changed to be CSRF protected POST endpoints instead of GET endpoints. If you were using these for any external purposes you may now need to implement an alternative workflow.
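The API date notice above asks you to review scripts that consume dates from API responses. The following is an added example (not BookStack's code and not from these release notes) of how such a script can parse the ISO-8601 form quoted above in a way that does not depend on the Python version's `fromisoformat` support for a trailing `Z`, and that rejects timestamps with no zone information so a change in format fails loudly instead of silently shifting times. The `SAMPLE_PAGES` records are constructed here to stand in for an API listing; their field names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for an API listing after v21.11.
# The first value is the exact example format quoted in the upgrade notice;
# the other two are constructed variants (no fraction, non-UTC offset).
SAMPLE_PAGES = [
    {"id": 1, "name": "Intro", "updated_at": "2019-12-02T20:01:00.283041Z"},
    {"id": 2, "name": "Setup", "updated_at": "2021-11-05T09:30:15Z"},
    {"id": 3, "name": "Ops",   "updated_at": "2021-11-06T10:00:00.5+01:00"},
]

# ISO-8601 date-time with optional fractional seconds and a mandatory zone
# designator: either "Z" or a signed HH:MM offset. Anything without a zone
# (a naive timestamp) deliberately does not match.
_ISO = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?"
    r"(Z|[+-]\d{2}:\d{2})$"
)


def parse_api_date(value: str) -> datetime:
    """Parse an API timestamp and return it as an aware datetime in UTC."""
    m = _ISO.match(value)
    if not m:
        raise ValueError(f"not an ISO-8601 timestamp with a zone: {value!r}")
    year, month, day, hour, minute, second, frac, zone = m.groups()
    # Pad or truncate the fraction to microseconds (datetime's resolution).
    micro = int((frac or "0").ljust(6, "0")[:6])
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        off_h, off_m = int(zone[1:3]), int(zone[4:6])
        tz = timezone(sign * timedelta(hours=off_h, minutes=off_m))
    local = datetime(int(year), int(month), int(day),
                     int(hour), int(minute), int(second), micro, tzinfo=tz)
    # Normalise to UTC so records with different offsets compare correctly.
    return local.astimezone(timezone.utc)


def updated_since(records, cutoff: datetime):
    """Return the ids of records whose updated_at is at or after cutoff."""
    if cutoff.tzinfo is None:
        # Comparing aware and naive datetimes raises TypeError; fail early
        # with a clearer message instead.
        raise ValueError("cutoff must be timezone-aware")
    return [r["id"] for r in records
            if parse_api_date(r["updated_at"]) >= cutoff]


if __name__ == "__main__":
    cutoff = datetime(2021, 11, 1, tzinfo=timezone.utc)
    print(updated_since(SAMPLE_PAGES, cutoff))
```

Normalising every value to UTC before comparison is the part that matters for scripts that compute "changed since" windows: a record stamped `10:00:00+01:00` is earlier than one stamped `09:30:00Z`, and comparing the raw strings, or parsing them as naive local times, gets that ordering wrong.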
Full List of Changes
- Added a new tag view. (#3042, #738)
- Added a wide series of improvements to the search system, including: (#3043, #2840)
- Added search API endpoints. (#909)
- Added new `.env` option to limit file uploads. (#3033)
- Updated the used Laravel framework from version 6 to version 8. Thanks to @laravel-shift for accelerating this. (#3012, #3011)
- Implemented initial use of static analysis for PHP code. (#3039)
- Updated Slack and Facebook logos to be current. Thanks to @na3shkw. (#3032)
- Updated user invite/email-confirmation journeys to help prevent potential malicious user manipulation. Thanks again to @Haxatron for reporting. (#3050)
- Updated logout endpoints to be POST to prevent potential CSRF concerns. Thanks to @HDVinnie for reporting. (#3047)
- Updated page include system to retain the `pre` tags when including a code block. (#2406)
- Updated translations with latest changes from Crowdin. (#3040)
- Fixed issue where using the back button in the page editor could lead you to the same page. (#2834)
- Fixed issue where setting new search filters could remove existing created_by & updated_by filters. (#2736)
- Fixed issue where markdown draft pages could convert to HTML. (#3054)
- Fixed issue where "Skip to content" link could be visible on print views. (#3051)
v21.10.3-ls168
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Security Release
BookStack v21.10.3 has been released. This is a security release that addresses a couple of vulnerabilities within the attachment and image serving mechanisms. The attachment vulnerability could result in users uploading content to be served in a way that can be utilized for phishing. The image serving vulnerability could result in unintended file access within your BookStack storage folder.
If you allow untrusted users to login or upload attachments you should update as soon as possible.
Full List of Changes
- Updated AzureAD login library to work with the new Microsoft Graph API. (#3028)
- Fixed image file path traversal vulnerability. Thanks @theWorstComrade for reporting. (#3030)
- Prevented HTML attachments being served inline. Thanks @theWorstComrade for reporting. (#3027)
- Updated translations from latest Crowdin changes. (#3023)
v21.10.2-ls168
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Security Release
BookStack v21.10.2 has been released. This is a security release that builds upon changes in v21.10.1 which covers a vulnerability which would allow malicious users, who have permission to update or create pages, to upload content that could then be utilized for phishing or other general malicious intent.
If you allow untrusted users to edit page content you should update as soon as possible.
v21.10.1-ls167
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Security Release
BookStack v21.10.1 has been released. This is a security release that covers a vulnerability
which would allow malicious users, who have permission to update or create pages, to upload
content that could then be utilized for phishing or other general malicious intent.
If you allow untrusted users to edit page content you should update as soon as possible.
v21.10-ls167
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Full List of Changes
- Added OpenID Connect authentication option. Thanks to @jasperweyne. (#2960, #2169, #1390, #1157)
- Added Attachment API endpoints. (#2986, #2942)
- Added Estonian language to BookStack via Crowdin. (#2979)
- Added support for SAML2 SLS signing to help address issues with ADFS. Thanks to @theodor-franke. (#2902)
- Added support for base64 image content within markdown text via page POST/PUT. (#2898)
- Updated translations from Crowdin contributors. (#2983)
- Updated SAML ACS post flow to retain user session and therefore redirect to the correct location upon login. (#2996, #2552)
- Fixed padding within book-tree sidebar items. Thanks to @ffranchina. (#3000)
v21.08.6-ls166
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Full List of Changes
This release contains the following fixes and changes:
- Added custom whoops-based debug view which fixes issue where debug view would not show content due to CSP rules. (#2977, #2976)
- Added throttling to password reset requests. (ca764ca)
- Updated translations with latest changes from Crowdin. (#2980)
- Updated DOMPDF chroot directory to prevent potential unintended file access. (#2965)
- Fixed issue where TOTP setup would provide guest email address upon QR code scan when MFA setup was enforced at login. (#2971)
v21.08.6-ls165
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Full List of Changes
This release contains the following fixes and changes:
- Added custom whoops-based debug view which fixes issue where debug view would not show content due to CSP rules. (#2977, #2976)
- Added throttling to password reset requests. (ca764ca)
- Updated translations with latest changes from Crowdin. (#2980)
- Updated DOMPDF chroot directory to prevent potential unintended file access. (#2965)
- Fixed issue where TOTP setup would provide guest email address upon QR code scan when MFA setup was enforced at login. (#2971)
v21.08.6-ls164
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Full List of Changes
This release contains the following fixes and changes:
- Added custom whoops-based debug view which fixes issue where debug view would not show content due to CSP rules. (#2977, #2976)
- Added throttling to password reset requests. (ca764ca)
- Updated translations with latest changes from Crowdin. (#2980)
- Updated DOMPDF chroot directory to prevent potential unintended file access. (#2965)
- Fixed issue where TOTP setup would provide guest email address upon QR code scan when MFA setup was enforced at login. (#2971)
v21.08.5-ls164
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Security Release
This security release covers a vulnerability which would allow malicious users, who have permission to update or create pages, to load content from files stored within the `storage/` or `public/` directories (such as application logs) via the page HTML export system.
If you allow untrusted users to edit page content you should update as soon as possible.
This release also changes the way browser response caching is performed, while logged in, to help prevent navigating back to confidential content after logout.
Additional Changes
- Added concurrent page editing warnings upon draft save events. Thanks to @MatthieuParis. (#2877)
- Updated translations with the latest changes from Crowdin. (#2953)
v21.08.5-ls163
LinuxServer Changes:
Rebase to Alpine 3.14.
bookstack Changes:
Security Release
This security release covers a vulnerability which would allow malicious users, who have permission to update or create pages, to load content from files stored within the `storage/` or `public/` directories (such as application logs) via the page HTML export system.
If you allow untrusted users to edit page content you should update as soon as possible.
This release also changes the way browser response caching is performed, while logged in, to help prevent navigating back to confidential content after logout.
Additional Changes
- Added concurrent page editing warnings upon draft save events. Thanks to @MatthieuParis. (#2877)
- Updated translations with the latest changes from Crowdin. (#2953)