Release 3.3.3

conversejs · Feb 14, 2018 · db85cb7 · db85cb7
1 parent d8f2a1e
commit db85cb7
Show file tree

Hide file tree

Showing 49 changed files with 11,380 additions and 9,926 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,16 +1,24 @@
 # Changelog
 
-## 3.3.3 (Unreleased)
+## 3.3.3 (2018-02-14)
 
 ### Bugfixes
 - Attribute error when empty IQ stanza is returned for vCard query
-- Don't allow PEP bookmarks if `pubsub#publish-options` is not advertised by the server.
 - In fullscreen view, sometimes a background MUC would come into the foreground
   when a new message appears inside it.
 
-_Note: previously this meant that bookmarks sent to servers that don't
-support `pubsub#publish-options` were visible to all your contacts, even
-though they should be private._
+### Security fixes
+
+- CVE-2018-6591: Don't allow PEP bookmarks if `pubsub#publish-options` is not advertised by the server.
+
+    In previous versions of converse.js, bookmarks sent to servers that don't
+    support `pubsub#publish-options` were visible to all your contacts, even
+    though they should be kept private. This is due to those servers simply
+    ignoring the `pubsub#publish-options` directive and converse.js not checking
+    first whether `pubsub#publish-options` is supported before setting bookmarks
+    via PEP.
+
+    More info here: https://gultsch.de/converse_bookmarks.html
 
 ### New features
 - XEP-0382 Spoiler Messages (currently only for private chats)
@@ -19,6 +27,7 @@ though they should be private._
     - No need to manually blacklist or whitelist any plugins.
     - Relies on the [view_mode](https://conversejs.org/docs/html/configurations.html#view-mode) being set to `'embedded'`.
     - The main `converse.js` build can be used for the embedded usecase.
+    - Maintain MUC session upon page reload
 
 ### API changes
 - New API method `_converse.disco.getIdentity` to check whether a JID has a given identity.

diff --git a/COPYRIGHT b/COPYRIGHT
@@ -2,7 +2,7 @@
  *
  *  An XMPP chat client that runs in the browser.
  *
- *  Version: 3.3.2
+ *  Version: 3.3.3
  *
  *  Copyright: JC Brand 2012-2017
  *  Except for 3rd party dependencies.

diff --git a/Makefile b/Makefile
@@ -71,7 +71,7 @@ serve_bg: dev
 ########################################################################
 ## Translation machinery
 
-GETTEXT = xgettext --language="JavaScript" --keyword=__ --keyword=___ --from-code=UTF-8 --output=locale/converse.pot dist/converse-no-dependencies.js --package-name=Converse.js --copyright-holder="Jan-Carel Brand" --package-version=3.3.2 -c
+GETTEXT = xgettext --language="JavaScript" --keyword=__ --keyword=___ --from-code=UTF-8 --output=locale/converse.pot dist/converse-no-dependencies.js --package-name=Converse.js --copyright-holder="Jan-Carel Brand" --package-version=3.3.3 -c
 
 .PHONY: pot
 pot: dist/converse-no-dependencies.js

diff --git a/README.md b/README.md
@@ -116,6 +116,7 @@ The following people are making recurring donations:
 * [Rafael](https://www.patreon.com/user/creators?u=4340078)
 * [mt7479](https://www.patreon.com/user/creators?u=3892290)
 * [roelra](https://www.patreon.com/user/creators?u=5958918)
+* [Guus der Kinderen](https://www.patreon.com/user/creators?u=8302585)
 * An anonymous backer on Liberapay
 
 Additionally this project is supported by