3.2.1.0 #5290
nilsteampassnet
started this conversation in
General
3.2.1.0
#5290
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
What's Changed
This is a major feature and security release. It hardens the cryptographic core, closes eight security advisories (two of them exploitable without authentication), and adds a full set of security-posture, governance and productivity features. Upgrading is strongly recommended for all installations.
On an upgrade, all new features arrive disabled and are opt-in from the admin settings , upgrading alone changes nothing until you enable them. New installations start with the hardened encryption format already enabled.
🔐 Encryption hardening
The cryptographic core has been reworked. The migration is automatic, transparent and reversible: data upgrades itself to the new format as it is read, with no downtime and no re-typing. See the new Encryption hardening page.
aes_v2_write_enabledtoggle (Settings → Security). The previous format stays readable indefinitely.KEY_LENGTH16 → 64). Backward compatible, existing keys still decrypt.--dry-runremediation script cleans up existing data, see Security hardening.🔒 Security fixes
ga_generate_qraction is exempt from the authentication gate to allow first-time enrollment, but it trusted the client-supplieddemand_originfield. Sendingdemand_origin=users_management_listskipped the password check and the "already enrolled" guard, letting an unauthenticated caller overwrite any user's TOTP secret, enumerate logins and probe passwords with no lockout. The administrative right is now derived from the session, the password is mandatory in self-service, the answer is uniform (no enumeration or password oracle), and failures are recorded under the standard anti-bruteforce lock.show_details_itemgate granted metadata reads without checking folder access, exposing label/login/url/email/description of every unrestricted item across all folders, including other users' personal items. The folder predicate is now applied first, so the role restriction is additive and never replaces the folder boundary.typeparameter wrote thepwcolumn verbatim (unhashed, no complexity check) and theadminflag, both outside the manager/admin target-scope guard. Chaining them gave full admin takeover. Both branches removed. An adjacent escalation found during the audit is fixed in the same release:update_users_rights_sharingtargeteddestination_idsrather thanuser_id, so the upstream guard never fired and a manager could setadmin=1on any account, including their own.ItemModel::validateData()called the sanitizer but discarded its return value, so the API stored every field verbatim while the web path encodes. Payloads then rendered raw in the items list and the recycle bin. Sanitization is now applied field by field (passwords and TOTP secrets untouched, so exact bytes are preserved) and both rendering sinks escape their output.itemspage right, which every authenticated user holds, with the client-supplieduserIdas the only scoping predicate. It is now gated on theusersright with a per-target check, and a refusal answers an empty datatable rather than an enumeration oracle.namewhile authorizing an unrelatedfileid. It was dead code (its only caller was removed with GHSA-fhm7-pf6p-prgg) and has been removed rather than patched.✨ New features
Security posture
Governance and compliance (new Governance & compliance settings tab)
Productivity
Ctrl+Kto search items and pages, scoped to the user's accessible folders.PUT /api/v1/folder/updateandDELETE /api/v1/folder/delete, plus a fix tofolder/createwhich did not rebuild the tree nor populate permissions. Web and API now share oneFolderManagerengine.🛠️ Improvements
prefers-color-schemeas the first-visit default,:focus-visiblestyling and mobile media queries.🐛 Bug fixes
userPrincipalNamewas passed topreg_match(), throwing a fatal TypeError on PHP 8 and aborting the whole synchronization (blank list / HTTP 500) on Entra hybrid setups where some objects have no UPN. Such objects are now skipped and counted for diagnostics.add_foldermasked every failure as "you are not allowed to do that" (a regression from 3.1.2) while the real cause was usually a complexity below the parent folder's minimum. The real reason is now returned, the complexity message no longer renders an empty level label, and both creation forms preset the selector to the parent's minimum level.public/restructure - the bruteforce unlock link emailed to locked-out users returned HTTP 500. The handler was moved and two latent defects fixed while reviving it: the authorization query could let a user clear another account's lockout with their own code, and the endpoint ignored the configured timezone.<p><b>coucou</b></p><p&. Descriptions are now normalized into safe plain-text previews before truncation, and the expanded search detail renders as sanitized rich HTML. The preview helper is shared with the item card.corruption_severityreturned by the backend and always applied thedangerstyle, even though the stylesheet already provided a distinctwarningstyle. The renderer now uses the persisted severity, so a suspected inconsistency is distinguishable from unreadable password data at a glance. As a follow-up, the corruption tooltip no longer surfaces raw scanner exception messages to non-admin users (those stay on the admin health page).⬆️ Upgrade notes
upgrade_run_3.2.1.phpstep creates the tables for the new features (item_health,user_nudges,rotation_flags,user_notifications,access_reviews,access_review_items,data_classification,import_tracking), extends theotvtable for Secure Send, and adds theonboarding_completedcolumn on users. NoALTER TABLEis required on the sensitive data tables.aes_v2_write_enabled(Settings → Security) when you are ready; the previous format stays readable indefinitely and the toggle is reversible. New installations start with it enabled.--dry-run(the default) first.Full Changelog: 3.2.0.8...3.2.1.0
Important
PHP 8.2Languages
Please join Teampass v3 translation project on Poeditor and translate it for your language.
Installation
Follow instructions from Documentation.
Upgrade
Follow instructions from Documentation.
Ideas and comments
Are welcome ... please use Discussions.
This discussion was created from the release 3.2.1.0.
Beta Was this translation helpful? Give feedback.
All reactions