Releases: linuxserver/docker-bookstack

v21.12-ls174

23 Dec 16:14

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Full List of Changes

  • Added webhooks. (#147, #3099)
  • Added ability to copy books, chapters & roles. (#3118, #1123)
  • Added audit log IP address search. Thanks to @johnroyer. (#3081)
  • Updated translations with latest Crowdin changes. (#3117)
  • Fixed issue where non-ASCII content could break search result previews. Thanks to @Kristian-Krastev. (#3113)
  • Fixed mismatched password validation rules across the application. (#2237)

v21.12-ls173

22 Dec 17:48

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Full List of Changes

  • Added webhooks. (#147, #3099)
  • Added ability to copy books, chapters & roles. (#3118, #1123)
  • Added audit log IP address search. Thanks to @johnroyer. (#3081)
  • Updated translations with latest Crowdin changes. (#3117)
  • Fixed issue where non-ASCII content could break search result previews. Thanks to @Kristian-Krastev. (#3113)
  • Fixed mismatched password validation rules across the application. (#2237)

v21.11.3-ls172

15 Dec 14:39

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Security Release

BookStack v21.11.3 has been released.
This is a security release that helps prevent potential discovery and harvesting of user details including name and email address.

It's advised to upgrade as soon as possible if your BookStack instance is public or is used by untrusted members.

Thanks to @Haxatron for discovering and reporting this vulnerability via huntr.dev.

Full List of Changes

  • Helped prevent discovery and harvesting of user information. Thanks @Haxatron for reporting. (#3108)
  • Updated search API results to include the highlighted preview content. (#3096)
  • Updated search API results to include item URL. (#3080)
  • Updated translations with latest Crowdin changes. (#3093)

v21.11.2-ls172

30 Nov 15:40

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Security Release

BookStack v21.11.2 has been released.
This is a security release that addresses a couple of vulnerabilities relating to API access and page-draft-related content visibility:

  • If the "Public" role was provided API access then the API could be accessed, in certain scenarios by non-authenticated users even if the "Allow public access" setting was disabled.
  • In some specific scenarios, content related to page drafts (Such as attachments) could be visible to non-owners (Whom would have permission to view the page if saved as a non-draft at that point).

It's advised to upgrade as soon as possible if the API has been enabled for roles within your instance or if draft page content visibility could be a security concern for you.

Full List of Changes

  • Fixed issue with greater-than-expected visibility on page-draft-related items. Thanks @Haxatron for reporting. (#3086)
  • Fixed issue where public API access was not limited by system public control in certain conditions. (#3091)
  • Updated translations from latest Crowdin changes. (#3076)

v21.11.1-ls172

25 Nov 16:15

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Full List of Changes

This release contains the following fixes and changes:

  • Added custom command support to the logical theme system. (#3072)
  • Added support for prefers-contrast media setting to increase contrast in faded areas when active. (#2634)
  • Updated TOTP confirmation view to autofocus on code input. Thanks to @raccettura. (#3068)
  • Updated translations with latest changes from Crowdin. (#3057)
  • Updated any links on homepage lists to be more obvious & accessible. (#3046)
  • Fixed faulty page navigation links when headers are nested within other content. Thanks to @Julesdevops. (#3069, #3058)

v21.11.1-ls171

23 Nov 21:39

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Full List of Changes

This release contains the following fixes and changes:

  • Added custom command support to the logical theme system. (#3072)
  • Added support for prefers-contrast media setting to increase contrast in faded areas when active. (#2634)
  • Updated TOTP confirmation view to autofocus on code input. Thanks to @raccettura. (#3068)
  • Updated translations with latest changes from Crowdin. (#3057)
  • Updated any links on homepage lists to be more obvious & accessible. (#3046)
  • Fixed faulty page navigation links when headers are nested within other content. Thanks to @Julesdevops. (#3069, #3058)

v21.11-ls170

18 Nov 16:15

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Upgrade Notices

  • Security Releases - There were some security vulnerabilities found during the life of v21.10. See the v21.10.1, v21.10.2 and v21.10.3 posts for more details.
  • API Changes - As of v21.11 any dates in API responses will be formatted as per ISO-8601, with 2019-12-02T20:01:00.283041Z reflecting an example of this format. You may need to review any of your scripts that utilise dates from API responses.
  • Upload Limit - System file upload limits are now configured using a FILE_UPLOAD_SIZE_LIMIT option in your .env file. This value is specified as an integer and represents the maximum upload size in megabytes. It defaults to 50MB. This replaces the old window.uploadLimit HTML head option that could be set.
  • Search Index Changes - There have been search indexing and scoring changes in v21.11. It's recommended to run php artisan bookstack:regenerate-search to ensure a consistent search experience and take advantage of these changes.
  • Logout Endpoints - Logout endpoints have now changed to be CSRF protected POST endpoints instead of GET endpoints. If you were using these for any external purposes you may now need to implement an alternative workflow.

Full List of Changes

  • Added a new tag view. (#3042, #738)
  • Added a wide series of improvements to the search system, including: (#3043, #2840)
    • Added highlighting of search terms in search results. (#1891, #997)
    • Added matching of tag names and values through normal search terms. (#1577)
  • Added search API endpoints. (#909)
  • Added new .env option to limit file uploads. (#3033)
  • Updated the used Laravel framework from version 6 to version 8. Thanks to @laravel-shift for accelerating this. (#3012, #3011)
  • Implemented initial use of static analysis for PHP code. (#3039)
  • Updated Slack and Facebook logos to be current. Thanks to @na3shkw. (#3032)
  • Updated user invite/email-confirmation journeys to help prevent potential malicious user manipulation. Thanks again to @Haxatron for reporting. (#3050)
  • Updated logout endpoints to be POST to prevent potential CSRF concerns. Thanks to @HDVinnie for reporting. (#3047)
  • Updated page include system to retain the pre tags when including a code block. (#2406)
  • Updated translations with latest changes from Crowdin. (#3040)
  • Fixed issue where using the back button in the page editor could lead you to the same page. (#2834)
  • Fixed issue where setting new search filters could remove existing created_by & updated_by filters. (#2736)
  • Fixed issue where markdown draft pages could convert to HTML. (#3054)
  • Fixed issue where "Skip to content" link could be visible on print views. (#3051)

v21.10.3-ls169

11 Nov 16:15

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Security Release

BookStack v21.10.3 has been released. This is a security release that addresses a couple of vulnerabilities within the attachment and image serving mechanisms. The attachment vulnerability could result in users uploading content to be served in a way that can be utilized for phishing. The image serving vulnerability could result in unintended file access within your BookStack storage folder.

If you allow untrusted users to login or upload attachments you should update as soon as possible.

Full List of Changes

  • Updated AzureAD login library to work with the new Microsoft Graph API. (#3028)
  • Fixed image file path traversal vulnerability. Thanks @theWorstComrade for reporting. (#3030)
  • Prevented HTML attachments being served inline. Thanks @theWorstComrade for reporting. (#3027)
  • Updated translations from latest Crowdin changes. (#3023)

v21.11-ls169

16 Nov 14:36

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Upgrade Notices

  • Security Releases - There were some security vulnerabilities found during the life of v21.10. See the v21.10.1, v21.10.2 and v21.10.3 posts for more details.
  • API Changes - As of v21.11 any dates in API responses will be formatted as per ISO-8601, with 2019-12-02T20:01:00.283041Z reflecting an example of this format. You may need to review any of your scripts that utilise dates from API responses.
  • Upload Limit - System file upload limits are now configured using a FILE_UPLOAD_SIZE_LIMIT option in your .env file. This value is specified as an integer and represents the maximum upload size in megabytes. It defaults to 50MB. This replaces the old window.uploadLimit HTML head option that could be set.
  • Search Index Changes - There have been search indexing and scoring changes in v21.11. It's recommended to run php artisan bookstack:regenerate-search to ensure a consistent search experience and take advantage of these changes.
  • Logout Endpoints - Logout endpoints have now changed to be CSRF protected POST endpoints instead of GET endpoints. If you were using these for any external purposes you may now need to implement an alternative workflow.

Full List of Changes

  • Added a new tag view. (#3042, #738)
  • Added a wide series of improvements to the search system, including: (#3043, #2840)
    • Added highlighting of search terms in search results. (#1891, #997)
    • Added matching of tag names and values through normal search terms. (#1577)
  • Added search API endpoints. (#909)
  • Added new .env option to limit file uploads. (#3033)
  • Updated the used Laravel framework from version 6 to version 8. Thanks to @laravel-shift for accelerating this. (#3012, #3011)
  • Implemented initial use of static analysis for PHP code. (#3039)
  • Updated Slack and Facebook logos to be current. Thanks to @na3shkw. (#3032)
  • Updated user invite/email-confirmation journeys to help prevent potential malicious user manipulation. Thanks again to @Haxatron for reporting. (#3050)
  • Updated logout endpoints to be POST to prevent potential CSRF concerns. Thanks to @HDVinnie for reporting. (#3047)
  • Updated page include system to retain the pre tags when including a code block. (#2406)
  • Updated translations with latest changes from Crowdin. (#3040)
  • Fixed issue where using the back button in the page editor could lead you to the same page. (#2834)
  • Fixed issue where setting new search filters could remove existing created_by & updated_by filters. (#2736)
  • Fixed issue where markdown draft pages could convert to HTML. (#3054)
  • Fixed issue where "Skip to content" link could be visible on print views. (#3051)

v21.10.3-ls168

01 Nov 14:35

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Security Release

BookStack v21.10.3 has been released. This is a security release that addresses a couple of vulnerabilities within the attachment and image serving mechanisms. The attachment vulnerability could result in users uploading content to be served in a way that can be utilized for phishing. The image serving vulnerability could result in unintended file access within your BookStack storage folder.

If you allow untrusted users to login or upload attachments you should update as soon as possible.

Full List of Changes

  • Updated AzureAD login library to work with the new Microsoft Graph API. (#3028)
  • Fixed image file path traversal vulnerability. Thanks @theWorstComrade for reporting. (#3030)
  • Prevented HTML attachments being served inline. Thanks @theWorstComrade for reporting. (#3027)
  • Updated translations from latest Crowdin changes. (#3023)