
bookstack: 24.05.2 -> 24.05.4 #338990

Merged 1 commit, Sep 3, 2024

Conversation

@HritwikSinghal HritwikSinghal commented Sep 2, 2024

Description of changes

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
    • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
    • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


@HritwikSinghal (Contributor, Author) commented:

bookstack 24.05.4 is a security update as mentioned here

@HritwikSinghal (Contributor, Author) commented:

changelog since 24.05.2: BookStackApp/BookStack@v24.05.2...v24.05.4
changelog for 24.05.4: https://github.com/BookStackApp/BookStack/releases/tag/v24.05.4

Security Release

    [Update Instructions](https://www.bookstackapp.com/docs/admin/updates)
    [Update details on blog](https://www.bookstackapp.com/blog/bookstack-release-v24-05-4/)

BookStack v24.05.4 has been released.

This is a security release to address issues found in LDAP group syncing, where in certain scenarios a user could be matched to extra roles incorrectly, and an issue with content visibility in "book-show" API responses which would not have permissions applied properly.

Upgrade is strongly advised for instances where LDAP authentication is used with group syncing, or where the REST API is used to fetch contents of books ("books-read" endpoint).

Thanks to Linus Nagel and their team at WorkSimple GmbH for reporting this API vulnerability.
Full List of Changes

    Updated API docs with consistent parameter types. (https://github.com/BookStackApp/BookStack/issues/5183)
    Updated default content iframe embed max-width to align with other content types. (https://github.com/BookStackApp/BookStack/issues/5130)
    Updated LDAP group sync to query via full DN.
    Updated translations with latest Crowdin changes. (https://github.com/BookStackApp/BookStack/pull/5118)
    Fixed books read API response not applying visibility control to chapter contents.
    Fixed API docs users response showing extra property. (https://github.com/BookStackApp/BookStack/issues/5178)
    Fixed database error thrown when using our dev docker setup. (https://github.com/BookStackApp/BookStack/issues/5124)
    Fixed RTL display issues with tasklist checkboxes. (https://github.com/BookStackApp/BookStack/issues/5134)

@HritwikSinghal (Contributor, Author) commented:

last PR #322136

@HritwikSinghal (Contributor, Author) commented:

can we also backport this?


src = fetchFromGitHub {
owner = "bookstackapp";
repo = pname;
rev = "v${version}";
sha256 = "13yln6b5j9plkcrp1mwfvgcv67gm2ayb2l2grhw2h4ncqnvmxhwv";
sha256 = "1aa4im2khxycv5i2ff23ss91p4kr7d2a4yhjm0k0n6av64zhz2x3";
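Review bot: the bumped line `sha256 = "1aa4im2khxycv5i2ff23ss91p4kr7d2a4yhjm0k0n6av64zhz2x3";` keeps the legacy base32 attribute; since the value is being replaced anyway, this is the moment to switch to the SRI form `hash = "sha256-...";` that nixpkgs uses for fetcher hashes. The hunk shows only the hash changing while `rev = "v${version}"` is unchanged context, so the `version` bump lives outside this hunk; please confirm the new hash was produced from the `v24.05.4` tag (a rebuild with a deliberately wrong hash reports the correct one as `got:`), because a stale hash would pin the old source while the version string claims the security fix.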
Review comment (Member):

Suggested change
sha256 = "1aa4im2khxycv5i2ff23ss91p4kr7d2a4yhjm0k0n6av64zhz2x3";
hash = "sha256-o4sPPzFbGQsmqBJ6okQ7eZIbktZDOCdi2cx3OEWNRKk=";
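The suggestion above swaps the legacy `sha256 = "<base32>"` attribute for an SRI `hash`. Both encode the same 32 bytes, so a reviewer can check that the proposed SRI value really corresponds to the base32 value in the diff instead of taking it on trust. The Python below is an added example, not code from nixpkgs or from this PR: it reimplements Nix's base32 packing (characters read from the end of the string, five bits each, little-endian into the byte array), converts in both directions with the same length and overflow checks Nix applies, and rewrites `sha256 =` attributes inside a Nix snippet. The function names and the `SAMPLE_FETCHER` snippet are mine; the two hash values come from the diff and the suggested change.

```python
import base64
import re

# Nix's base32 alphabet (not RFC 4648): digits plus lowercase letters minus e, o, t, u.
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def nix32_decode(text: str, hash_size: int = 32) -> bytes:
    """Decode a Nix base32 string into raw hash bytes (32 for SHA-256).

    Follows Nix's own scheme: characters are read from the END of the string,
    each contributing five bits, packed little-endian into the byte array.
    The length and trailing-bit checks mirror Nix so malformed input is rejected.
    """
    expected = (hash_size * 8 - 1) // 5 + 1  # 52 characters for SHA-256
    if len(text) != expected:
        raise ValueError(f"expected {expected} characters, got {len(text)}")
    out = bytearray(hash_size)
    for n in range(len(text)):
        ch = text[len(text) - n - 1]
        digit = NIX_BASE32_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid Nix base32 character {ch!r}")
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        if i < hash_size - 1:
            out[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            # 52 chars carry 260 bits; the top 4 bits of the first char must be zero.
            raise ValueError("invalid Nix base32 hash: overflow in leading character")
    return bytes(out)


def nix32_encode(raw: bytes) -> str:
    """Inverse of nix32_decode: raw hash bytes to Nix base32."""
    size = len(raw)
    length = (size * 8 - 1) // 5 + 1
    chars = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = raw[i] >> j
        if i < size - 1:
            c |= raw[i + 1] << (8 - j)
        chars.append(NIX_BASE32_ALPHABET[c & 0x1F])
    return "".join(chars)


def nix32_to_sri(text: str, algo: str = "sha256") -> str:
    """Convert a legacy `sha256 = "<nix32>"` value to the SRI `hash = "sha256-<base64>"` form."""
    return f"{algo}-{base64.b64encode(nix32_decode(text)).decode('ascii')}"


def sri_to_nix32(sri: str) -> str:
    """Convert a sha256 SRI hash back to Nix base32 (to compare against an old expression)."""
    algo, sep, b64 = sri.partition("-")
    if sep != "-" or algo != "sha256":
        raise ValueError("only sha256 SRI hashes are handled here")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError("SRI sha256 payload must decode to 32 bytes")
    return nix32_encode(raw)


_SHA256_ATTR = re.compile(r'^(\s*)sha256\s*=\s*"([0-9a-z]{52})"\s*;', re.MULTILINE)


def modernize_sha256_attrs(nix_source: str) -> str:
    """Rewrite every `sha256 = "<nix32>";` attribute in a Nix snippet to `hash = "sha256-...";`."""
    return _SHA256_ATTR.sub(
        lambda m: f'{m.group(1)}hash = "{nix32_to_sri(m.group(2))}";', nix_source
    )


# Constructed sample (hypothetical snippet): the fetcher stanza from the PR with only the new hash.
SAMPLE_FETCHER = '''src = fetchFromGitHub {
  owner = "bookstackapp";
  repo = pname;
  rev = "v${version}";
  sha256 = "1aa4im2khxycv5i2ff23ss91p4kr7d2a4yhjm0k0n6av64zhz2x3";
};'''

if __name__ == "__main__":
    print(modernize_sha256_attrs(SAMPLE_FETCHER))
```

Running it prints the stanza with `hash = "sha256-o4sPPzFbGQsmqBJ6okQ7eZIbktZDOCdi2cx3OEWNRKk=";`, the same value as the suggested change, which is the confirmation a reviewer wants before accepting a hash swap. In day-to-day work `nix hash to-sri --type sha256 <base32>` performs the same conversion; the point of spelling it out here is that the two attributes differ only in encoding, so a mismatch between them means one of the two values is wrong, not that the source changed.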

@SuperSandro2000 SuperSandro2000 added the backport release-24.05 Backport PR automatically label Sep 3, 2024
@SuperSandro2000 (Member) commented:

> can we also backport this?

sure, just add the label for it if you think it should be

@SuperSandro2000 SuperSandro2000 merged commit f501c97 into NixOS:master Sep 3, 2024
45 of 46 checks passed
github-actions bot (Contributor) commented Sep 3, 2024

Backport failed for release-24.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

```
git fetch origin release-24.05
git worktree add -d .worktree/backport-338990-to-release-24.05 origin/release-24.05
cd .worktree/backport-338990-to-release-24.05
git switch --create backport-338990-to-release-24.05
git cherry-pick -x a8f5ef66e5d6e7f03a2c7af026d096372f651c74
```

@HritwikSinghal (Contributor, Author) commented:

> can we also backport this?
>
> sure, just add the label for it if you think it should be

Thanks for quickly reviewing and merging it. Will add the label for backport. What should I do after the cherry-pick? Should I open another PR?

@phanirithvij (Member) commented Sep 3, 2024

Since the bot failed, yes, you should send a PR targeting the release-24.05 branch. See e.g. #336734

https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#manually-backporting-changes

@HritwikSinghal (Contributor, Author) commented:

> Since the bot failed, yes, you should send a PR targeting the release-24.05 branch. See e.g. #336734
>
> https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#manually-backporting-changes

#339492

Can you merge this?
