Releases: alfio-event/alf.io
2.0-M5
Alf.io 2.0-M5 (2024-09-06)
This is the fifth milestone on our way to Alf.io v2. See Roadmap and full Changelog
What's Changed
Starting from 2.0-M5, we are dropping the old "executable war" file format in favor of a more standard "jar". Please update your instances accordingly.
Security Fixes
- CVE-2024-45300: Bypassing promo code limitations with race conditions - reported by @isacaya
- CVE-2024-45299: preloaded data embedded in the page as JSON is not escaped correctly - reported and fixed by @syjer
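The following is an added illustration of the vulnerability class behind CVE-2024-45300; it is not Alf.io's code and not its actual fix. It contrasts a check-then-act redemption of a usage-capped promo code (read the counter, decide in application code, then write) with a version that enforces the cap inside a single conditional UPDATE, which the database serialises. The `promo_code` table, the code `LIMITED2` and the barrier that forces the worst-case interleaving are constructed for the example; SQLite stands in for the real database.

```python
import os
import sqlite3
import tempfile
import threading

# Constructed schema for the illustration: one promo code with a usage cap.
SCHEMA = """
PRAGMA journal_mode=WAL;
CREATE TABLE promo_code (
    code     TEXT PRIMARY KEY,
    max_uses INTEGER NOT NULL,
    used     INTEGER NOT NULL DEFAULT 0
);
INSERT INTO promo_code (code, max_uses, used) VALUES ('LIMITED2', 2, 0);
"""
CODE = "LIMITED2"


def _connect(path):
    # Autocommit mode (each statement is its own transaction) plus a busy
    # timeout so concurrent writers queue instead of failing immediately.
    return sqlite3.connect(path, isolation_level=None, timeout=30)


def redeem_check_then_act(path, barrier):
    """Vulnerable pattern: read the counter, decide in application code, then write.

    The barrier makes every caller finish its read before any caller writes,
    which is exactly the interleaving a burst of parallel requests can produce."""
    conn = _connect(path)
    try:
        # fetchall() exhausts the statement so its read transaction ends here
        rows = conn.execute(
            "SELECT used, max_uses FROM promo_code WHERE code = ?", (CODE,)).fetchall()
        used, max_uses = rows[0]
        allowed = used < max_uses
        barrier.wait()
        if allowed:
            conn.execute("UPDATE promo_code SET used = used + 1 WHERE code = ?", (CODE,))
        return allowed
    finally:
        conn.close()


def redeem_atomic(path, barrier):
    """Hardened pattern: the cap is part of the UPDATE's WHERE clause.

    Writers are serialised by the database, so at most max_uses of these
    statements can match the row; the rest change zero rows and are refused."""
    conn = _connect(path)
    try:
        barrier.wait()
        cur = conn.execute(
            "UPDATE promo_code SET used = used + 1 WHERE code = ? AND used < max_uses",
            (CODE,))
        return cur.rowcount == 1
    finally:
        conn.close()


def run_concurrent_redemptions(redeem, attempts=5):
    """Run `attempts` redemptions in parallel; return (granted, final used count)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "promo.db")
        conn = _connect(path)
        conn.executescript(SCHEMA)
        conn.close()

        barrier = threading.Barrier(attempts)
        results = [None] * attempts

        def worker(i):
            results[i] = redeem(path, barrier)

        threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()

        conn = _connect(path)
        final_used = conn.execute(
            "SELECT used FROM promo_code WHERE code = ?", (CODE,)).fetchall()[0][0]
        conn.close()
    return sum(1 for r in results if r), final_used


if __name__ == "__main__":
    print("check-then-act:", run_concurrent_redemptions(redeem_check_then_act))  # (5, 5)
    print("atomic update: ", run_concurrent_redemptions(redeem_atomic))          # (2, 2)
```

With a cap of two and five parallel attempts, the check-then-act version grants all five because every caller reads `used = 0` before anyone writes; the conditional UPDATE grants exactly two. The same property holds for `UPDATE ... RETURNING` or a `SELECT ... FOR UPDATE` inside one transaction on a server database; what matters is that the check and the increment are one atomic operation, not two.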
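An added illustration of the class behind CVE-2024-45299, not Alf.io's own code: JSON that is syntactically valid still breaks out of an inline `<script>` block when a string value contains `</script`, because the HTML parser closes the element before the JavaScript parser ever sees the string. The escaping below is a standard mitigation (encode `<`, `>`, `&` and the U+2028/U+2029 line terminators as `\u` escapes, which remain valid JSON); the function names, the `preload` variable and the sample payload are constructed for the example.

```python
import json

# Characters that let attacker-controlled data escape a <script> block (or open
# an HTML comment inside it) even though the JSON document itself is well-formed.
_SCRIPT_SAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",        # irrelevant inside <script>, but harmless and useful if the
                           # same output is ever placed in an attribute
    "\u2028": "\\u2028",   # JS line terminators: legal inside a JSON string, but
    "\u2029": "\\u2029",   # they end the statement in older JavaScript engines
}


def json_for_script(data):
    """Serialise `data` so it can be inlined as <script>var x = ...;</script>.

    json.dumps alone is not enough: the string value '</script>' is valid JSON,
    but the HTML tokenizer ends the script element at the first '</script'
    regardless of JavaScript string syntax."""
    text = json.dumps(data, ensure_ascii=False)
    for ch, esc in _SCRIPT_SAFE.items():
        text = text.replace(ch, esc)
    return text


def script_block(var_name, data):
    return f"<script>var {var_name} = {json_for_script(data)};</script>"


def breaks_out_of_script(html):
    """Crude check mirroring the tokenizer rule: the script element ends at a
    case-insensitive '</script' anywhere in its content, and '<!--' switches the
    tokenizer into the script-data-escaped state."""
    body = html.lower()
    inner = body[len("<script>"):body.rfind("</script>")]
    return "</script" in inner or "<!--" in inner


# Constructed payload: an event name chosen to terminate the script element early.
PAYLOAD = {"event": "</script><script>alert(document.cookie)//", "price": 10}

if __name__ == "__main__":
    unsafe = "<script>var preload = " + json.dumps(PAYLOAD) + ";</script>"
    print("plain json.dumps breaks out:", breaks_out_of_script(unsafe))      # True
    print("escaped output breaks out:  ", breaks_out_of_script(script_block("preload", PAYLOAD)))  # False
```

Because the replacements are JSON `\u` escapes rather than HTML entities, the browser's JSON/JavaScript parser still decodes the original characters, so the data is unchanged for the application while the markup boundary can no longer be crossed. Templating engines that offer a dedicated "JSON for script" filter do the same thing.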
Changelog
- fix package-lock by @syjer in #1318
- add more ua for link preview: this round whatsapp and slack by @syjer in #1319
- delete references for ticket field in legacy tables by @syjer in #1321
- complete fix issue #1320 by @syjer in #1322
- fix issue #1324, handle donations by @syjer in #1325
- restrict lombok annotation use, add config file by @syjer in #1331
- Migrate to springboot 3.2 by @cbellone in #1349
- Initial integration of lit for admin by @syjer in #1353
- update lit, add context and task package by @syjer in #1356
- switch from mjml to mjml4j for build by @syjer in #1358
- Lit admin project banner, wip by @syjer in #1360
- Link subscriptions with categories by @cbellone in #1361
- switch to the new friendly fork of openhtmltopdf by @syjer in #1362
- Fix user-defined donation prices being saved with zero value by @shanebrowncs in #1363
- supporting "percentage fee" additional items by @cbellone in #1357
- port project banner from angularjs to lit by @syjer in #1364
- refactor file upload manager by @syjer in #1365
- add a unified "blob" cache by @syjer in #1366
- Improve error handling on public UI by @cbellone in #1376
- use different UUIDs for reservation/UI and check-in by @cbellone in #1375
- refactor admin: remove old angular-qrcode, use shoelace component by @syjer in #1378
- Bugfix/openid spring security 6 by @cbellone in #1383
- Support Cloudflare turnstile by @cbellone in #1385
- Disable SessionRepositoryFilter when accessing static resources by @syjer in #1386
- preload auth enabled check by @syjer in #1387
- display spinner on submit + refresh category by @cbellone in #1388
- prevent empty reservations from being created in case of high resource contention by @cbellone in #1390
- Improve file handling with if-none-match by @syjer in #1395
- fix OAuth redirection when connecting payment providers by @cbellone in #1396
New Contributors
- @shanebrowncs made their first contribution in #1363
- @isacaya made their first contribution in GHSA-67jg-m6f3-473g
Full Changelog: 2.0-M4-2407...2.0-M5
2.0-M4-2407
Alf.io 2.0-M4-2407 (2024-07-12)
This is the last maintenance release before M5
Full Changelog: 2.0-M4-2402-3...2.0-M4-2407
Bugs fixed
- fix error when loading system configuration
- #1363 Fix user-defined donation prices being saved with zero value (by @shanebrowncs )
New features
- implement Reservation Detail API (sponsored by Eventplane)
- implement ticket check-in status API (sponsored by Eventplane)
2.0-M4-2402-3
Alf.io 2.0-M4-2402-3 (2024-02-26)
This is a bugfix release for regressions/bugs introduced with 2.0-M4-2402
Bugs fixed
- #1337 cannot change name of view column "tai_additional_info" to "e_version" (thanks to @daedric7 for reporting it)
Full Changelog: 2.0-M4-2402-1...2.0-M4-2402-2
2.0-M4-2402-1
Alf.io 2.0-M4-2402-1 (2024-02-24)
This is a bugfix release for regressions/bugs introduced with 2.0-M4-2402
Bugs fixed
- #1334 Can't create Organizations (thanks to @titi1125 for reporting it)
- #1335 Additional Items do not handle discount properly
- #1336 Cannot update additional item policy
Full Changelog: 2.0-M4-2402...2.0-M4-2402-1
Alf.io 2.0-M4-2402
Security Fixes
- CVE-2024-25635: IDOR allowing an organization owner to view other organizations' API keys and users - reported by @rac-fckscty
- CVE-2024-25634: IDOR allowing a user to read e-mail logs sent by other events - reported by @lujiefsi
- CVE-2024-25628: User sessions are not properly terminated - reported by @lujiefsi
- CVE-2024-25627: Cross-Site Scripting (XSS) via File Upload - reported by @PinkDraconian
What's Changed
- Build published on Docker for arm64
- Fix spring-session <-> spring security integration + session removal on user deletion/disable by @syjer in #1214
- Google Wallet integration by @cbellone and @yanaga in #1215
- case insensitive qr code by @cbellone in #1218
- Payments list by @cbellone in #1240
- Configuration API by @cbellone in #1249
- Purchase context level config by @cbellone in #1251
- #1269 Show the correct {{eventName}} on the compose message page by @ved-asole in #1275
- Manage additional service quantity by @cbellone in #1308
- unify access resource check in a service by @syjer in #1310
- Date of birth field + additional fields for subscriptions by @cbellone in #1312
New Contributors
- @ved-asole made their first contribution in #1275
- @yanaga made their first contribution in #1215
Full Changelog: 2.0-M4-2304...2.0-M4-2402
Alf.io 2.0-M4-2304
Alf.io 2.0-M4-2304 (2023-04-24)
Security fixes
- CVE-2023-2258 - CSV Injection (High Severity)
- CVE-2023-2259 - Admin Self-inflicted Server-side template injection (High Severity)
- CVE-2023-2260 - Multiple IDOR vulnerabilities: reset password, disable users, update organization (High Severity)
Please note that all security fixes concern the Backoffice application; some of them impact only multi-tenant deployments.
The "public" application was not impacted.
Thanks to the @huntr-helper contributors @lujiefsi and @yelprofessor!
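An added illustration of the CSV injection class behind CVE-2023-2258; this is not Alf.io's code or its actual fix. Spreadsheet applications evaluate a cell that begins with `=`, `+`, `-` or `@` (and, after trimming, a leading tab or carriage return) as a formula, so an attendee name such as `=cmd|' /C calc'!A0` in a reservation export becomes a DDE payload on the organizer's machine. The export function, column names and sample rows below are constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula.
_FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return `value` with formula triggers defused.

    A leading single quote makes Excel and LibreOffice treat the cell as text.
    The check runs on the whitespace-stripped value because ' =cmd|...' is still
    evaluated once the importer trims the space, while the prefix is applied to
    the original value so nothing is lost."""
    if value is None:
        return ""
    text = str(value)
    if text.lstrip().startswith(_FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_reservations(rows, columns):
    """Write `rows` (list of dicts) as CSV with every cell neutralised and quoted."""
    buf = io.StringIO()
    # QUOTE_ALL also defuses the ",", '"' and newline tricks used to break out of a cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([neutralise_cell(row.get(c)) for c in columns])
    return buf.getvalue()


# Constructed sample: one benign attendee, one classic DDE payload, one false positive.
SAMPLE_ROWS = [
    {"id": "r-1", "name": "Alice Example", "company": "ACME"},
    {"id": "r-2", "name": "=cmd|' /C calc'!A0", "company": " @SUM(1+1)"},
    {"id": "r-3", "name": "+41 44 000 00 00", "company": "-"},
]
COLUMNS = ["id", "name", "company"]

if __name__ == "__main__":
    print(export_reservations(SAMPLE_ROWS, COLUMNS))
```

The third row shows the trade-off: a phone number written with a leading `+` or a bare `-` is also prefixed, and the apostrophe is visible in some tools. Apply the neutralisation to free-text columns only and emit genuinely numeric columns as numbers; if the export is consumed by machines rather than opened in a spreadsheet, a tab prefix instead of the quote avoids corrupting downstream parsing.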
Improvements
- create Subscription reservation via API #1183 (sponsored by Eventplane)
- API to retrieve check-in log #1188 (sponsored by Eventplane)
- Refactor payment confirmation #1202 (sponsored by Eventplane)
- Resize images #1209 (sponsored by Eventplane)
- Preload Language #1192
- Custom VAT Application #1193
- Implement Reservation Export #1194
- Manage multiple sponsors scan #1205
Bugs fixed
- Fix user admin check #1206
Alf.io 2.0-M4-2301
Alf.io 2.0-M4-2301 (2023-01-14)
Security fixes
- CVE-2023-0300 (low severity) - Self-inflicted XSS
- CVE-2023-0301 (low severity) - Prevent organizers from inserting dangerous links in their event description
Please note that both security fixes concern the Backoffice application. The "public" application was not impacted.
Thanks to the @huntr-helper contributors!
Improvements
- Organization APIs at system level #1083 (sponsored by Eventplane)
- API for linking Subscriptions to an Event #1087 (sponsored by Eventplane)
Bugs fixed
- Cannot search reservation by invoice number #1090
- Remove button should not be displayed for checked-in tickets #1093
- Various errors when selecting / deselecting the payment method #1100
- Error on "Confirmed" items on the Additional services page #1108
- Stripe API not working as expected #1159 (thanks to @icougil for reporting it and for helping us debugging it)
Alf.io 2.0-M4-2204
Alf.io 2.0-M4-2204 (2022-04-05)
Security fixes
This release contains a fix for CVE-2022-22965, a.k.a. "Spring4Shell". Alf.io should not be directly exploitable, because the publicly known exploit chain requires the application to be deployed as a WAR on Tomcat and Alf.io uses Jetty as its embedded web server, but we nevertheless advise you to update your instance.
Improvements
- Accessibility improvements on the public reservation process
Bugs fixed
- #1054 Error after trying to login to the demo instance (thanks to @PaulGoldschmidt for reporting it)
Alf.io 2.0-M4
Alf.io 2.0-M4 (2022-01-31)
This is the fourth milestone on our way to Alf.io v2. See Roadmap and full Changelog
New Features
- Support Hybrid Events #949 (@cbellone)
- Introduce Subscriptions #987 - Sponsored by Eventplane (@syjer)
- Introduce Extension Capabilities #993 - Sponsored by Eventplane
- Custom Join Links for Online tickets #1017
- OpenID support for end customers #1006
- Enable reverse charge for a specific ticket type #1026
- Define a new API for creating reservations #1035 - sponsored by Eventplane
- Generate tickets automatically for subscriptions owners #1036 - sponsored by Eventplane
- Add additional info to check-in extension #1038
BREAKING CHANGES
This release includes breaking changes in the database schema, making it incompatible with older versions of alf.io.
It is strongly recommended to perform a full backup of your database before installing it, so that if anything goes wrong you can roll back to the latest 2.0-M3 release.
Fixed Bugs
- Entering organisation or event stripe "Payment Webhook signing secret" may not override system value. #1019
- No way to view "additional options" or "donations" purchased so far. #1012
- Import existing attendees #998
- Transferring events between organisations breaks things #1046
- Cannot edit categories after changing event format #1024
Tech-related changes
Alf.io 2.0-M3-2112-2
Alf.io 2.0-M3-2112-2 (2021-12-18)
This release updates Log4j to fix the following CVEs (the "Log4Shell" family):
- CVE-2021-45105 (denial of service through uncontrolled recursion in lookup evaluation)
- CVE-2021-45046 (incomplete fix for CVE-2021-44228; already fixed in 2.0-M3-2112-1)
- CVE-2021-44228 (remote code execution via JNDI lookups; already fixed in 2.0-M3-2112)
Updating is strongly recommended.