20 Feb 12:36

ec25318

Planète mars Pre-release

Pre-release

Release song: https://www.youtube.com/watch?v=kgxKuRO21AU

Kindly note that this is a release candidate. While it has been audited and tested in depth, there are likely still bugs or glitches. Please wait for the official v2.0.0 release if you prefer a fully stable version.

This releases fixes a few issues reported by the passbolt users that have switched to the v2.0.0-RC1. It also ships with a few cosmetic improvements as well as new healthchecks and debug tools to ease the installation process. For example you can now call the following command to send a test email and get some information to debug your setup: "./bin/cake passbolt send_test_email"

[2.0.0-rc2] - 2018-02-20

Added

PASSBOLT-2638: Added command to test email configuration and SMTP communication
PASSBOLT-2608: Implement Sidebar v2 in the Appjs
PASSBOLT-2660: Add codacy badge
PASSBOLT-1741: Add more GPG healthchecks
PASSBOLT-1741: Add PHP extension checks to the healthcheck
PASSBOLT-2597: Add check before upgrade to ensure passbolt is already in latest 1.x
PASSBOLT-2631: Add an env var to control which email transport to use and defaults to Smtp
PASSBOLT-2601: Add Travis v2: phpunit, coverage, phpcs

Fixed

PASSBOLT-2618: Fixes for PHP 7.2 compatibility
PASSBOLT-2624: PR#219 Fixed use CONFIG instead of "ROOT . DS . 'config'"
PASSBOLT-2631: Fixed default class for EmailTransport to Smtp in configuration
PASSBOLT-2640: Fixed incomplete urls in email templates
PASSBOLT-2640: Fixed escaping of non safe characters in emails
PASSBOLT-2667: Fixed regression: create a user that has been deleted previously returns an error
PASSBOLT-2673: Fixed regression: as AD I cannot create a group with the name of previously deleted group
PASSBOLT-2545: Fixed regression: As AD deleting a group I should be notified that all members of the group gonna lose access to the passwords shared with the group
PASSBOLT-2139: Fixed check sessions calls are logged as error
PASSBOLT-2139: Fixed not found image on password workspace
PASSBOLT-1741: Fixed set license to AGPL-3.0-or-later for composer compatibility
PASSBOLT-2589: Fixed App-js should check request response code from the http response header and not from the body header
PASSBOLT-2533: Fixed resource name, username, uri, description min length should be 1 char not 3
PASSBOLT-2660: Fixed remove flash message from login layout

Assets 2

17 Jan 06:23

kevinmuller

v2.0.0-rc1

8a7e8d4

The Message Pre-release

Pre-release

Release song: https://youtu.be/KXqKswtX_KU

The main aspect of this release is the upgrade of the passbolt api code base to CakePHP v3. It also ships with improvements such as a simplified configuration system, a better XSS protection and more tolerant validation rules. See the full list below.

This release is a complete rewrite of passbolt server component. We now have a code that is better organised, easier to read and simpler to maintain. Don’t just take our word for it: this new code base has been audited by CakeDC, the experts behind CakePHP. Check out the result of this independent 3rd party code review.

To report any bug / feedback / improvement suggestion regarding passbolt v2.0.0-rc1, you can do it through the traditional channels (github and community forum). Please add [v2.0.0-rc1] in the title so we can identify it more easily. This release candidate is a major version upgrade, so it requires more steps compared to a usual update. You will need to follow the migration instructions available here.

What next? We’ll spend the next few weeks fixing the remaining bugs reported by you and release the final v2.0.0. Then, after this long maintenance cycle, we all deserve some new features. That’s right, we will be working on the most requested ones such as Tags (we need your feedback), Import / Export, and a web-based installer. Some of these features will be shipped directly with v2.0.0.

Passbolt API

Security

XSS protection improvements, with a new test suite dedicated for XSS.
HTTP security headers are enabled by default and can be disabled using configuration options.
Json responses server signature (experimental).

Improved

An expired setup link can be re-sent through the recovery procedure.
Dropped SQL views (will allow supporting additional database backends).
Simplified configuration system. The entire configuration will be done in one dedicated file with safer defaults.
Most configuration items are now available as environment variables.
Install commands perform additional health checks prior to running.
CakePHP and other dependencies have been removed from the repository and are now installed with composer.
More flexible validation rules for inputs in most fields.
Emojis support where it make sense (comments, descriptions, etc).
Some notifications will not be sent if the user is the one doing the action (ex. delete password).
The App-JS code is now available on a dedicated repository.
Misc javascript foundation code refactoring.
Added missing tables index to speed up some database queries.
“Owner” has been replaced by “Created by” in the password sidebar to be more relevant.
API supports a more standard response format (documentation coming soon).
Additional settings for controlling what is displayed in email notifications.
Added created date information in password sidebar.

Changed

Passbolt api migration to CakePHP 3.
PHP 7.0 is now the minimum supported version.
Dropped table “controller_logs”. It will be soon replaced by the Audit Logs feature.
Dropped table “schema_migrations”.
Dropped table “cake_sessions”.
Dropped “anonymous statistics” feature (nobody opted in…).

Fixed

“Passwords I own” filter displays all the passwords for which I have “is owner” permission.
An admin can delete a user if the user is the sole group member of a group owning passwords that are not shared.
An admin can delete a user if the user is the sole owner of a password that is not shared.

Assets 2

15 Jan 06:51

kevinmuller

v1.6.9

978c348

I Will Survive

Release song: https://youtu.be/gYkACVDFmeg

This release ships with small maintenance fixes and some pull requests from the community. Version 1.6.9 will mark the end of the 1.x serie. The next release (happening shortly) will be v2.0.0. You can find the v2.0.0-rc1 on the development branch and is already available for testing. You can use the following instructions to install and test it.

Kindly note that from now on, we will not accept pull requests on the v1.x branch. All pull requests have to be done directly from the development branch until the release of v2.x on master.

A big thank you to our contributors: @DanielRuf, @threesquared, @bjozet and @colinfrei. Your contributions help us make passbolt better, one pull request at a time.

Finally, as you know each release of passbolt comes with a release song. So, to mark the end of the v1 branch, we have made a compilation of all the release songs published since the first public version of passbolt: v1.0.5. The v1 release songs theme was “funky and popular songs from the 70’s”, if this fits your tastes, you will probably like it: https://www.youtube.com/playlist?list=PLzjv2928Zl0UHuKjSTnBGYFFh5mIjHDXH

Improvements

PR-159 Updated and renamed license file (by @DanielRuf)
PASSBOLT-2474 New contributing guidelines for community forum
PR-214 Remove html purifier submodule (was about time, thanks @threesquared)
PR-209 Expose the ‘client’ variable in default conf (by @bjozet)

Fixed

PASSBOLT-1453 Add optional predictable UUID for auth token in selenium testing mode
PR-207 Stray apostrophe on title element for Group names (by @colinfrei)
PR-208 Fixed typos in email templates (by @colinfrei)
PASSBOLT-2599 Fixed Travis

Assets 2

14 Sep 13:46

stripthis

v1.6.5

9430d51

September

Security

PASSBOLT-2409: Noopener on resource url in password workspace
PASSBOLT-2402: XSS on resource url in password workspace

Fixed

PASSBOLT-2383: Add + and \ to the list of allowed characters for the Resource fields: name, username and description
PASSBOLT-2371: Force the charset of the cake_sessions table in utf8
PASSBOLT-2325: As system administrator I shouldn't be able to execute passbolt CLI commands as root
PASSBOLT-2397: As system administrator I should see in the healthcheck if app/tmp content and app/webroot/img/public content are writable
PASSBOLT-1991: As system administrator I should see in the healthcheck if the server key can be used for encrypting/decrypting

Assets 2

29 Dec 05:18

stripthis

v1.6.4

f76fcd1

Give me the night

Added

PASSBOLT-2358: As a user registering on the demo instance I must click on a checkbox to confirm I understand the disclaimer

Assets 2

21 Aug 21:12

cedricalfonsi

v1.6.3

9547694

Feeling Good

Release song: https://youtu.be/KXqKswtX_KU

This maintenance release fixes the github issue #124 that affected organizations with large user base. With this fix it is now possible to share a password with more than 200 users.

This version also contains a small but valuable user experience improvement for administrators: users that have not completed the setup will be shown in the users workspace as 'Activation pending'. It becomes easier for administrators to organize a follow up when on-boarding new users.

As suggested by the Mozilla addon reviewers we also removed the need for 'unsafe-eval' content security policy, in order to tighten security even further in the web extension. This does not mean that the previous versions had known security issues, since we used eval to render the EJS template in a safe fashion already (e.g. EJS escape the variables by default to prevent XSS attack).
Thank you to @erosman from Mozilla addon review team, @tomofumi0003, and Helder Martin for their suggestions and contributions to this release.

Disclaimer for Firefox users: Version 1.6.3 is still pending approval from volunteers at Mozilla reviewing addons. Therefore the automatic rollout has not started yet. If you want to use passbolt v1.6.3, please switch to the development channel. Your profile will be kept and you can switch back later. Switch to v1.6.3-RC1 or browse on addons.mozilla.org.

Fixed

PASSBOLT-2316: Merge the selenium & phpunit dummy data sets
PASSBOLT-2317: Speed up dummy secret creation task
PASSBOLT-2327: Add a large set of dummy data for performance testing
PASSBOLT-2282: As admin on the user workspace, I should be able to distinguish visually the users who haven't activated their account yet

Assets 2

14 Aug 17:22

cedricalfonsi

v1.6.2

fbde917

Boom Boom

Release song: https://youtu.be/X70VMrH3yBg

This release is a maintenance release, with a few bug fixes and some additional settings to manage emails notifications.

The bulk of the work for this release was the migration for firefox, from the soon deprecated SDK plugin format to the new webextension format. Quite a bit of work went into upgrading the selenium testsuite and providing a fully transparent data migration from the old to the new format. This is why this version is still running as a “legacy” plugin, with all the code embedded as a webextension, to make sure users have nothing to do to migrate. However please make sure your users upgrade to this version this month, otherwise they may need to perform an account recovery with the next version. Fret not, because unless they have disabled automatic update, the only thing firefox users need to do to update is to have the browser running.

As a passbolt instance administrator I can find new settings manage email notifications in config/default.php under EmailNotification. If you want to override the default you can copy/paste them to your own app.php configuration. With these settings you can for example disable notifications when a user is added to a group, or when a password is deleted. It also allows to change the content of the notification and hide the username and/or the encrypted secret.

Thank you to @bluenetinc, @PoetiCode and @technogenus for their suggestions and contributions to this release.

Unless there is a major issue with the 1.6.2, our next release will be version v2.0, with an upgrade to Cakephp v3.

Read the full release notes : http://www.passbolt.com/release/notes#BoomBoom