Releases: linuxserver/docker-bookstack
v0.30.7-ls118
LinuxServer Changes:
Make APP_URL var required (upstream changes).
bookstack Changes:
Security Release
This release addresses an issue where page content could be visible to those without permission via the export options. The content of pages made non-viewable to a user via permissions, within a visible parent, could be seen via the plaintext export option. Before v0.30.6 this would have applied only to scenarios where all pages within the chapter were made non-visible. In v0.30.6 this would make all pages within the chapter visible.
Further details can be found in the vulnerability report.
v0.30.7-ls117
LinuxServer Changes:
Make APP_URL var required (upstream changes).
bookstack Changes:
Security Release
This release addresses an issue where page content could be visible to those without permission via the export options. The content of pages made non-viewable to a user via permissions, within a visible parent, could be seen via the plaintext export option. Before v0.30.6 this would have applied only to scenarios where all pages within the chapter were made non-visible. In v0.30.6 this would make all pages within the chapter visible.
Further details can be found in the vulnerability report.
v0.30.7-ls116
LinuxServer Changes:
Rebase to alpine 3.12. Fix APP_URL setting. Bump php post max and upload max filesizes to 100MB by default.
bookstack Changes:
Security Release
This release addresses an issue where page content could be visible to those without permission via the export options. The content of pages made non-viewable to a user via permissions, within a visible parent, could be seen via the plaintext export option. Before v0.30.6 this would have applied only to scenarios where all pages within the chapter were made non-visible. In v0.30.6 this would make all pages within the chapter visible.
Further details can be found in the vulnerability report.
v0.30.6-ls116
LinuxServer Changes:
Rebase to alpine 3.12. Fix APP_URL setting. Bump php post max and upload max filesizes to 100MB by default.
bookstack Changes:
Security Release
This release addresses an issue where page content could be visible to those without permission. If a chapter was visible to a user, but all of its pages were made not visible, then the details of these pages could be visible. Within the BookStack interface, the names of the pages and preview content could be seen. If the parent book was exported then this would include the content of the pages that had been restricted.
Further details can be found in the vulnerability report.
v0.30.5-ls116
LinuxServer Changes:
Rebase to alpine 3.12. Fix APP_URL setting. Bump php post max and upload max filesizes to 100MB by default.
bookstack Changes:
Security Release
- Update Instructions
- Vulnerability Report: Server Side Request Forgery Through Content Exports
- Update details on blog
Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability. You should ensure you've set the APP_URL option in your .env file to reduce the likelihood of the phishing attack. Please view the above report or blog post links for more detail.
v0.30.5-ls115
LinuxServer Changes:
Rebase to alpine 3.12. Fix APP_URL setting. Bump php post max and upload max filesizes to 100MB by default.
bookstack Changes:
Security Release
- Update Instructions
- Vulnerability Report: Server Side Request Forgery Through Content Exports
- Update details on blog
Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability. You should ensure you've set the APP_URL option in your .env file to reduce the likelihood of the phishing attack. Please view the above report or blog post links for more detail.
v0.30.5-ls114
LinuxServer Changes:
Rebase to alpine 3.12. Fix APP_URL setting. Bump php post max and upload max filesizes to 100MB by default.
bookstack Changes:
Security Release
- Update Instructions
- Vulnerability Report: Server Side Request Forgery Through Content Exports
- Update details on blog
Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability. You should ensure you've set the APP_URL option in your .env file to reduce the likelihood of the phishing attack. Please view the above report or blog post links for more detail.
v0.30.5-ls113
LinuxServer Changes:
Rebase to alpine 3.12. Fix APP_URL setting. Bump php post max and upload max filesizes to 100MB by default.
bookstack Changes:
Security Release
- Update Instructions
- Vulnerability Report: Server Side Request Forgery Through Content Exports
- Update details on blog
Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability. You should ensure you've set the APP_URL option in your .env file to reduce the likelihood of the phishing attack. Please view the above report or blog post links for more detail.
v0.30.4-ls112
LinuxServer Changes:
Rebase to alpine 3.12. Fix APP_URL setting. Bump php post max and upload max filesizes to 100MB by default.
bookstack Changes:
Security Release
- Update Instructions
- Vulnerability Reports:
- Update details on blog
This release addresses XSS and user-injected auto-redirect vulnerabilities within the page content & attachment components of BookStack. These are primarily a concern if untrusted users can edit content on your BookStack instance. Please view the above report or blogpost links for more detail.
v0.30.4-ls111
LinuxServer Changes:
Rebase to alpine 3.12. Fix APP_URL setting. Bump php post max and upload max filesizes to 100MB by default.
bookstack Changes:
Security Release
- Update Instructions
- Vulnerability Reports:
- Update details on blog
This release addresses XSS and user-injected auto-redirect vulnerabilities within the page content & attachment components of BookStack. These are primarily a concern if untrusted users can edit content on your BookStack instance. Please view the above report or blogpost links for more detail.