I Want To Break Free

Release song: https://youtu.be/f4Mc-NYPHaQ

Please note that Passbolt API V1.x will be officially unmaintained from 1st of September 2018. If you haven’t upgraded to V2.x yet, it is strongly advised to do it now since the next versions of the browser extension will not be compatible anymore with V1.x branch.

This release is mainly a maintenance release that also prepares the groundwork for the incoming ldap feature.

This release also includes a long awaited fix regarding performance issues. You can now manage thousands of passwords inside passbolt pretty smoothly.

The security has been improved even more with the implementation of CSRF protection. Now each request made by the client contains a token that is verified server side, hence protecting against CSRF attack types.

We have also upgraded canjs to version 4: It is the framework behind our javascript UI. This upgrade was long due and took quite a bit of efforts. After CakePHP 3.x, the upgrade of canjs is part of these invisible and painful but necessary upgrades that contribute to keep passbolt secure and maintainable.

Added

PASSBOLT-2906: Enable CSRF protection
PASSBOLT-2940: Implement app-js primary routes

Fixed

PASSBOLT-2805: Fix sort by date and sort by user first_name by default
PASSBOLT-2896: Fix filter by tag from the password details sidebar
PASSBOLT-2903: Fix logout link. It should target a full based url link
PASSBOLT-2926: Fix session timeout check
PASSBOLT-2927: Fix appjs ajax error handler
PASSBOLT-2941: Fix grid performance issues

Improved

PASSBOLT-2933: Upgrade to canjs 4

Loungin

This release includes a major rewrite of the javascript front-end code with an upgrade to CanJS version 3. We are very pleased by this upgrade as it will also us to ship features faster in the future.

Another simple but notable improvement is the ability to copy the username to the clipboard with one click on the username in the table view cells or the right sidebar.

Another new feature: during setup, the key passphrase will now be checked against a dictionary of recent password leaks using the Pwned Passwords range API. This secure and anonymous check is only performed if the passphrase is longer than 8 character, as any passphrase shorter is not secure anyway.

Added

PASSBOLT-2861: Add copy username to clipboard on click

Fixed

GITHUB-101: Fix the readme should point to the documentation for how to upgrade passbolt
PASSBOLT-2682: Fix healthcheck entry point when logged in as admin and debug is false
PASSBOLT-2869: Fix GPG wrapper should recognize the correct type and bit length
PASSBOLT-1917: Migrate to canjs 3.x
PASSBOLT-2883: Fix logout link should not prevent event propagation
PASSBOLT-2886: Fix fingerprint tooltips in user group management dialog
PASSBOLT-2894: Fix missing div breaking elipsis on long url in password workspace
PASSBOLT-2891: Fix group edit users tooltips
PASSBOLT-2884: Update header left menu. Remove home and add help.
PASSBOLT-2885: Update user settings menus
PASSBOLT-2895: Fix notifications homogeneity
PASSBOLT-1337: Fix a logged in user should not be allowed to login or recover
PASSBOLT-1337: Remove gpg json sign middleware
PASSBOLT-1337: Wordsmithing healthcheck GPG feedback

Struggle

Release song: https://www.youtube.com/watch?v=7BrcfBUlVu8

Security notice: Nginx user, please review your configuration file to make sure you are using the correct application root. It should be: /var/www/passbolt/webroot
Read more

This is a maintenance release for both Passbolt Pro and Community edition. It fixes issues introduced by the v2.0.5 both in the webextension and in the API. As you can see version v2.0.6 is skipped in the history because it was used as quickfix to revert the breaking changes with login when running API version < 1.6.10.

Please note that the version 1 will reach end of life by the end of the month. Make sure you update your instance before the end of the month. This will allow us to drop the support for the legacy v1 API in passbolt version 2 and makes the rollout of new features easier.

Passbolt API

Fixed

• Fix missing css on error pages
• Add version numbers to CSS and JS files calls to prevent caching
• Fix do not enable debugKit when debug is set to true

Passbolt Web Extension

Fixed

• Fix backward compatibility issue with legacy API.

Docker container

Fixed

• Nginx configuration file root directive for passbolt

Everyday Struggle

[2.0.5] - 2018-05-08

Fixed

• PASSBOLT-2764: Fix Groups autocomplete doesn't work with less than 3 characters
• PASSBOLT-2826: Upgrade styleguide to v2.1.0
• PASSBOLT-2812: Rebuild fixtures with updated public keys

One thing we all adore

[2.0.4] - 2018-04-25

Fixed

• COMMUNITY-599: Make email MX validation optional and not enabled by default
• GITHUB-247: Fix secrets are not deleted when deleting a group or a user

v2.0.3

This is a maintenance release that improves compatibility with centos 7.

[2.0.3] - 2018-04-20

Fixed

• PASSBOLT-2849: Fix issue with the permissions query and MariaDB 5.5
• PASSBOLT-2848: Fix unsafe mode and ssl offloading

v2.0.2

This is a maintenance release that fixes a bug related to the v1 database migration.

Thanks to @shochdoerfer for his contribution.

[2.0.2] - 2018-04-17

Improved

• GITHUB-242: Add Auto-Submitted header to the email notifications

Fixed

• PASSBOLT-2806: Force database columns charset and collation
• PASSBOLT-2781: Increase length of resource uri field in model validation
• PASSBOLT-2696: Fix regression: placeholders in registration form are missing
• PASSBOLT-2791: Fix providing a string instead of an array in Email. From configuration generates a warning in SendTestEmailTask.php

v2.0.1

This is a maintenance release that fixes a breaking change introduced in v2.0.0.

Many thanks to @OdyX for his blazing fast reaction at reporting the bug and submitting a fix.

[2.0.1] - 2018-04-09

Fixed

• GITHUB-239: Fix unsafe mode logic
• GITHUB-240: Make sure unconfigured 'passbolt.plugins' doesn't break the extension
• PASSBOLT-2511: Improve healthcheck tables list so that tables are listed per major version number

Insomnia

This is not an April fool! Passbolt v2.0.0 is ready and available for download.

Kindly note that this is a major version release. If you are still running on the v1.x branch, you will need to follow a specific upgrade procedure.

The main aspect of this release is the upgrade of the passbolt api code base to CakePHP v3. It also ships with improvements such as a simplified configuration system, a better XSS protection and more tolerant validation rules. See the full list below.

This release is a complete rewrite of passbolt server component. We now have a code that is better organised, easier to read and simpler to maintain. Don’t just take our word for it: this new code base has been audited by CakeDC, the experts behind CakePHP. Check out the result of this independent 3rd party code review.

Release song: https://youtu.be/P8JEm4d6Wu4

Below is the list of the changes since passbolt v2.0.0-rc2.

[2.0.0] - 2018-04-09

Added

• PASSBOLT-2725: Implement start page when passbolt is not configured
• PASSBOLT-2740: Update <3 link and add unsafe mode warning
• PASSBOLT-2697: Add passbolt migrate shell with backup option prior migration
• PASSBOLT-2803: Make the privacy policy footer link configurable in the settings
• PASSBOLT-2720 Move dev dependencies out of the passbolt_api repo
• PASSBOLT-2511: passbolt pro bootstrap is moved in a separate folder

Fixed

• GITHUB-229: Fix passbolt can not run in a subdirectory
• COMMUNITY-533: Fix plaintext should be initialized prior verification
• PASSBOLT-2776: Fix: As AN, settings entry point should be able to have plugins settings whitelisted
• PASSBOLT-2762: Fix unexpected error on resource share
• PASSBOLT-2754: Change the way to define if passbolt is installed while running the unit tests
• PASSBOLT-2571: Delete secrets when a password is soft deleted
• PASSBOLT-2688: Fix healtcheck warning if the development plugin passbolt_test_data is not loaded
• PASSBOLT-2711: Delete orphans secrets
• PASSBOLT-2678: Edit Appjs API calls to use version number
• PASSBOLT-2694: Improve GPG lib to handle private keys validation
• PASSBOLT-2744: Favorites delete on group user delete
• PASSBOLT-2743: Favorites delete on permissions update
• PASSBOLT-2705: Increase coverage, ensure all users who lost access to a resource have no a secret in db for this resource
• PASSBOLT-2735: Display a specific message if a sidebar section has not content to display
• PASSBOLT-2664: Change cakephpConfig into settings entry point and adjusted app-js to work with it

Get Up

This release is a maintenance release to preflight the custom GPG headers in the API and implement the changes requested by Mozilla in the web extension.

The web extension also ships with the integration of some premium features which will be available shortly with the release of passbolt pro edition.

Release song: https://youtu.be/JOD-M7WZkZQ

[1.6.10] - 2018-03-28

Fixed

• PASSBOLT-2777: Fix preflight issue with chrome and custom GPG headers