
BigBlueButton 2.4.8

@antobinary released this 09 Jun 20:44
e2a2fdc

This 2.4 release fixes two security issues - the highest security rating for a CVE fixed in this iteration is 7.2/10. All issues fixed in this release are subject to public disclosure on June 15, 2022 or slightly later. Please make sure to update your systems in time.

In addition there are several other fixes related to chat, breakouts, and echo test.

We thank mgm security partners GmbH, who examined the BigBlueButton code base and responsibly disclosed one of the vulnerabilities resolved.
We thank Rick Verdoes and Danny de Weille from Hackify - https://pentests.nl/, who examined the BigBlueButton code base and responsibly disclosed one of the vulnerabilities resolved.

Thanks to the community members who provided feedback on the earlier 2.4 releases!

HTML5 client

  • fix: Remove use of innerHTML, dangerouslySetInnerHTML etc #15090 improves security - expect CVE
  • fix: wrong modal transition after backing out of echo test then joining listen-only #14947
  • fix: clear fake annotations on multi-user whiteboard off #14964
  • fix: fixes deployment of modified bigbluebutton-html5 code #14838
  • test: node version compatibility fix #15144

Core

  • refactor: Remove group chat unused info: name #14723 (Backport from 2.5)
  • fix: Make sure that user is in a chat participant when send a message #15094 (Backport from 2.5) improves permissions
  • fix: Fixed user not removed from the breakout when userID set #15135 (Backport from 2.5)

Release name

If an administrator does not want to update to the latest bionic-240 version, use bionic-240-2.4.8 as a substitute for the -v argument in the bbb-install.sh command.
We still recommend using -v bionic-240.

Client build: 2567