Releases: pglombardo/PasswordPusher
v1.48.2: Language Strings, Dependency & Security Updates
📝 What’s Changed
- Background Jobs: Fix environment variable check (#2768) @pglombardo
🚀 Features
- Latest Language Strings (#2767) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump standard from 1.41.1 to 1.42.0 (#2765) @dependabot
- ⬆️ Bump aws-partitions from 1.1004.0 to 1.1005.0 (#2764) @dependabot
- ⬆️ Bump debase from 0.2.6 to 0.2.7 (#2763) @dependabot
- ⬆️ Bump rubocop from 1.66.1 to 1.68.0 (#2762) @dependabot
- ⬆️ Bump aws-partitions from 1.1003.0 to 1.1004.0 (#2760) @dependabot
- ⬆️ Bump securerandom from 0.3.1 to 0.3.2 (#2759) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.170.0 to 1.170.1 (#2758) @dependabot
- ⬆️ Bump rubocop-ast from 1.34.1 to 1.35.0 (#2756) @dependabot
- ⬆️ Bump msgpack from 1.7.3 to 1.7.5 (#2757) @dependabot
- ⬆️ Bump solid_queue from 1.0.0 to 1.0.1 (#2754) @dependabot
- ⬆️ Bump aws-partitions from 1.1002.0 to 1.1003.0 (#2752) @dependabot
- ⬆️ Bump net-imap from 0.5.0 to 0.5.1 (#2750) @dependabot
- ⬆️ Bump mission_control-jobs from 0.4.0 to 0.5.0 (#2751) @dependabot
- ⬆️ Bump benchmark from 0.3.0 to 0.4.0 (#2749) @dependabot
- ⬆️ Bump singleton from 0.2.0 to 0.3.0 (#2748) @dependabot
- ⬆️ Bump ostruct from 0.6.0 to 0.6.1 (#2746) @dependabot
- ⬆️ Bump psych from 5.1.2 to 5.2.0 (#2747) @dependabot
- ⬆️ Bump aws-partitions from 1.1001.0 to 1.1002.0 (#2745) @dependabot
- ⬆️ Bump stringio from 3.1.1 to 3.1.2 (#2744) @dependabot
- ⬆️ Bump rubocop-ast from 1.34.0 to 1.34.1 (#2743) @dependabot
- ⬆️ Bump timeout from 0.4.1 to 0.4.2 (#2740) @dependabot
- ⬆️ Bump mission_control-jobs from 0.3.3 to 0.4.0 (#2741) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.169.0 to 1.170.0 (#2739) @dependabot
- ⬆️ Bump json from 2.7.6 to 2.8.1 (#2738) @dependabot
- ⬆️ Bump aws-sdk-core from 3.211.0 to 3.212.0 (#2737) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.48.2
...and go to http://localhost:5100
🔗 Useful Links
v1.48.1: Security Update
This release fixes CVE-2024-51989 (a potential XSS vulnerability) that was introduced in v1.41.1.
All users who are self-hosting and using the login system should update to this version to mitigate the risk. Details and a full description are available in the GitHub Security Advisory.
Thanks to @igniter07 for reporting!
📝 What’s Changed
- Sanitize Confirmation Parameter (#2736) @pglombardo
- Allow Anonymous=false: Fix after sign up redirect path (#2735) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump parser from 3.3.5.1 to 3.3.6.0 (#2734) @dependabot
- ⬆️ Bump json from 2.7.5 to 2.7.6 (#2733) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.48.1
...and go to http://localhost:5100
🔗 Useful Links
v1.48.0: Login Security Improvements
This release improves the overall security of logins in Password Pusher. Details below.
With this release, all pre-existing login sessions will end and users will have to log in again.
The improvements are:
- "Remember me" now only remembers for 1 week
- Login password length increased to 10 to 128 characters (previously 6 to 128; pre-existing login passwords are unaffected)
- Login sessions now expire after 2 hours of inactivity
- Cookie serialization is now done via JSON to fix https://github.com/pglombardo/PasswordPusher/security/code-scanning/1
As Password Pusher is a security product dealing with sensitive information, these changes are appropriate.
📝 What’s Changed
- Improved Login Security (#2731) @pglombardo
- Security: Use json for cookie serialization (#2720) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.33.0 to 1.34.0 (#2730) @dependabot
- ⬆️ Bump date from 3.3.4 to 3.4.0 (#2729) @dependabot
- ⬆️ Bump aws-partitions from 1.1000.0 to 1.1001.0 (#2728) @dependabot
- ⬆️ Bump rackup from 2.1.0 to 2.2.0 (#2725) @dependabot
- ⬆️ Bump debase from 0.2.5.beta2 to 0.2.6 (#2724) @dependabot
- ⬆️ Bump oj from 3.16.6 to 3.16.7 (#2722) @dependabot
- ⬆️ Bump google-apis-iamcredentials_v1 from 0.21.0 to 0.22.0 (#2723) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.5
...and go to http://localhost:5100
🔗 Useful Links
v1.47.4: Framework, Dependency & Security Updates
📝 What’s Changed
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.32.3 to 1.33.0 (#2698) @dependabot
- ⬆️ Bump aws-partitions from 1.999.0 to 1.1000.0 (#2716) @dependabot
- ⬆️ Bump parser from 3.3.5.0 to 3.3.5.1 (#2718) @dependabot
- ⬆️ Bump overcommit from 0.64.0 to 0.64.1 (#2717) @dependabot
- ⬆️ Bump actionview from 7.2.1.2 to 7.2.2 (#2715) @dependabot
- ⬆️ Bump actioncable from 7.2.1.2 to 7.2.2 (#2714) @dependabot
- ⬆️ Bump activestorage from 7.2.1.2 to 7.2.2 (#2713) @dependabot
- ⬆️ Bump actiontext from 7.2.1.2 to 7.2.2 (#2712) @dependabot
- ⬆️ Bump activemodel from 7.2.1.2 to 7.2.2 (#2711) @dependabot
- ⬆️ Bump actionmailer from 7.2.1.2 to 7.2.2 (#2710) @dependabot
- ⬆️ Bump sqlite3 from 2.1.1 to 2.2.0 (#2705) @dependabot
- ⬆️ Bump actionpack from 7.2.1.2 to 7.2.2 (#2709) @dependabot
- ⬆️ Bump activesupport from 7.2.1.2 to 7.2.2 (#2707) @dependabot
- ⬆️ Bump aws-partitions from 1.998.0 to 1.999.0 (#2704) @dependabot
- ⬆️ Bump json from 2.7.4 to 2.7.5 (#2703) @dependabot
- ⬆️ Bump activerecord from 7.2.1.2 to 7.2.2 (#2700) @dependabot
- ⬆️ Bump aws-partitions from 1.997.0 to 1.998.0 (#2697) @dependabot
- ⬆️ Bump nio4r from 2.7.3 to 2.7.4 (#2696) @dependabot
- ⬆️ Bump rails-i18n from 7.0.9 to 7.0.10 (#2695) @dependabot
- ⬆️ Bump aws-partitions from 1.996.0 to 1.997.0 (#2694) @dependabot
- ⬆️ Bump aws-partitions from 1.995.0 to 1.996.0 (#2690) @dependabot
- ⬆️ Bump loofah from 2.23.0 to 2.23.1 (#2691) @dependabot
- ⬆️ Bump json from 2.7.3 to 2.7.4 (#2689) @dependabot
- ⬆️ Bump rubocop-rails from 2.26.2 to 2.27.0 (#2688) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.4
...and go to http://localhost:5100
🔗 Useful Links
v1.47.3: Throttling Fix & Brute Force Protections
📝 What’s Changed
This PR fixes a throttling bug: if the throttling values in settings.yml were commented out, the application could raise a stack trace. Now, commenting out the throttling values disables throttling entirely.
Additionally, protections are now in place to rate limit login attempts to make brute force attacks more difficult.
- Throttling fix & Add protection against login brute forcing (#2685) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.994.0 to 1.995.0 (#2683) @dependabot
- ⬆️ Bump pg from 1.5.8 to 1.5.9 (#2682) @dependabot
- ⬆️ Bump loofah from 2.22.0 to 2.23.0 (#2681) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.3
...and go to http://localhost:5100
🔗 Useful Links
v1.47.2: New Admin Menu Item, Dependency & Security Updates
📝 What’s Changed
🚀 Features
- Framework Update in 9b9f4e6
- Admin: Add admin dashboard to account menu (#2661) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.993.0 to 1.994.0 (#2676) @dependabot
- ⬆️ Bump googleauth from 1.11.1 to 1.11.2 (#2677) @dependabot
- ⬆️ Bump execjs from 2.9.1 to 2.10.0 (#2668) @dependabot
- ⬆️ Bump sqlite3 from 2.1.0 to 2.1.1 (#2663) @dependabot
- ⬆️ Bump aws-partitions from 1.992.0 to 1.993.0 (#2662) @dependabot
- ⬆️ Bump aws-sdk-core from 3.210.0 to 3.211.0 (#2660) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.168.0 to 1.169.0 (#2653) @dependabot
- ⬆️ Bump aws-sdk-kms from 1.94.0 to 1.95.0 (#2655) @dependabot
- ⬆️ Bump brakeman from 6.2.1 to 6.2.2 (#2657) @dependabot
- ⬆️ Bump zeitwerk from 2.7.0 to 2.7.1 (#2654) @dependabot
- ⬆️ Bump aws-partitions from 1.991.0 to 1.992.0 (#2652) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.2
...and go to http://localhost:5100
🔗 Useful Links
v1.47.1: Disable Secret URL Prefetch & Increased Security Logins
This release improves the security of logins. Details in #2651.
Thanks to the security firm that pointed out these potential issues.
If I get permission, I'll post their details once all the fixes are out. (There are more on the way.)
📝 What’s Changed
- Disable prefetch on secret URLs (#2650) @pglombardo
🚀 Features
- Enable increased login security (#2651) @pglombardo
👥 List of contributors
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.1
...and go to http://localhost:5100
🔗 Useful Links
v1.47.0: New Background Worker Dashboard (Admin)
📝 What’s Changed
This release bundles a new dashboard for background job monitoring for those running the pglombardo/pwpush-worker container (still in beta).
It is available from /admin and directly at /admin/jobs.
- New Background worker Dashboard (Admin) (#2638) @pglombardo
- Add missing translation keys (#2649) @pglombardo
🚀 Features
- Latest Language Strings (#2648) @pglombardo
- Remove the Feedback Form (#2640) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump standard from 1.41.0 to 1.41.1 (#2645) @dependabot
- ⬆️ Bump erb_lint from 0.6.0 to 0.7.0 (#2641) @dependabot
- ⬆️ Bump net-imap from 0.4.17 to 0.5.0 (#2643) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.167.0 to 1.168.0 (#2642) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.4
...and go to http://localhost:5100
🔗 Useful Links
v1.46.3: Framework Security Patch
📝 What’s Changed
- Framework Security Patch (#2639) @pglombardo
👥 List of contributors
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.3
...and go to http://localhost:5100
🔗 Useful Links
v1.46.2: Translations Updates & Fixes
📝 What’s Changed
- Fix Missing Translations (#2637) Thanks @ecoutinho!
🚀 Features
- CI: Update tests to use Ruby 3.3 (#2619) @pglombardo
- Latest Language String (#2618) @pglombardo
- Tests: Add test to validate file upload limits (#2612) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.990.0 to 1.991.0 (#2636) @dependabot
- ⬆️ Bump turbo-rails from 2.0.10 to 2.0.11 (#2624) @dependabot
- ⬆️ Bump aws-partitions from 1.989.0 to 1.990.0 (#2620) @dependabot
- ⬆️ Bump rack from 3.1.7 to 3.1.8 (#2615) @dependabot
- ⬆️ Bump zeitwerk from 2.6.18 to 2.7.0 (#2616) @dependabot
- ⬆️ Bump google-apis-storage_v1 from 0.46.0 to 0.47.0 (#2614) @dependabot
- ⬆️ Bump net-imap from 0.4.16 to 0.4.17 (#2613) @dependabot
- ⬆️ Bump debase-ruby_core_source from 3.3.5 to 3.3.6 (#2610) @dependabot
- ⬆️ Bump aws-partitions from 1.988.0 to 1.989.0 (#2609) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.2
...and go to http://localhost:5100