Releases: passbolt/passbolt_api

12 Feb 16:25

The main focus of this release was to improve the performance and responsiveness of the application, as well as to address some minor security issues.

The only feature added is better support for URL sharing: when you click on a resource, the sidebar now shows a link. You can send this URL to a colleague, and if they have access to the resource they will be able to navigate directly to it. Similarly, links in emails pointing to a resource will take you directly to the corresponding record.

The team also worked hard to speed up the application, most notably by starting to load OpenPGP secrets asynchronously (instead of within the resource index calls). In our tests with a database containing 2000 passwords shared over 400 users, this strategy reduced the loading time of the homepage from 12 to 2 seconds. This groundwork was also necessary in order to trace accesses to secrets and provide a more granular audit log, coming up in the next release.

This release also includes 3 fixes for issues found during an independent security audit conducted by French security researcher Jose-Alexandre Mayan. You can learn more about these fixes on the dedicated security incident page.

Passbolt Web Extension

Improvement

  • PASSBOLT-3347: When the extension requires the users to enter their master password, the popup should be displayed with no delay
  • PASSBOLT-3313: As GM adding a user to a group I should see the loading popup when the extension is processing/requesting the API
  • PASSBOLT-3312: As GM adding a user to a group I should see a relevant feedback in case of network/proxy errors
  • PASSBOLT-3316: As LU Sharing a password I should see a loading feedback when the extension is requesting the API
  • PASSBOLT-3318: As LU I should retrieve a secret when I’m copying it
  • PASSBOLT-3319: As LU I should retrieve a secret when I’m editing it
  • PASSBOLT-3403: As LU I should retrieve secrets when I’m exporting the associated passwords

Passbolt API

Added

  • PASSBOLT-2995: As LU I should be able to copy the permalink of a password

Improved

  • PASSBOLT-3403: As LU I should export only selected passwords
  • PASSBOLT-3397: Remove the list of secrets from the API request while loading the list of passwords
  • PASSBOLT-3319: As LU I should retrieve a secret when I’m editing it
  • PASSBOLT-3318: As LU I should retrieve a secret when I’m copying it
  • PASSBOLT-3317: Display significant information as soon as possible while opening the application
  • PASSBOLT-3312: As GM adding a user to a group I should see a relevant feedback in case of network/proxy errors
  • PASSBOLT-3314: Improve the performance of the application by adding missing indexes
  • PASSBOLT-2974: As LU I should be able to follow links targeting passwords from my emails

Fixed

  • PASSBOLT-3363: Fix the web installer should not use the exec php primitive to create/import the gpg server key
  • PASSBOLT-3370: Fix auth verify error should not leak data
  • PASSBOLT-3368: Fix html injection in email

Thunderstruck

15 Nov 11:38
v2.5.0

This release greatly simplifies the passbolt installation process.
It ships with automated scripts for your favorite distributions (Debian 9, CentOS 7 and Ubuntu 18.04) that
will perform the heavy lifting of the server configuration for you. These scripts will configure a vanilla
operating system to be ready for a passbolt install.

They take care of setting up the web server (Nginx), database (MariaDB), PHP, SSL and yes, for real, also the GPG keyring configuration. In addition to the install scripts, passbolt can now be configured in a few clicks thanks to a web installer. Overall, the new installation process takes no more than 10 minutes!

Passbolt API (All)

Added

  • PASSBOLT-2694: As a server administrator I can install Passbolt CE in a few clicks using a web installer.
  • PASSBOLT-3093: As LU I can select all passwords to perform a bulk operation

Improved

  • PASSBOLT-3166: Add PHP 7.3 job on travis
  • PASSBOLT-3119: The Web Installer should control the route with a middleware
  • PASSBOLT-3153: The Web Installer health checks should ensure the config files can be written before continuing
  • PASSBOLT-3120: Improve the Web Installer code coverage
  • PASSBOLT-3127: The Web Installer should change the config folder permissions after the installation is completed
  • PASSBOLT-3152: As AN completing the registration process, if I'm following the link to download the browser extension I cannot go back easily to the registration process
  • PASSBOLT-3189: As AD migrating passbolt to the latest version I would like the CakePHP cache to be cleared with the same operation

Fixed

  • PASSBOLT-3150: I should not see duplicate rows when I filter my passwords by keywords
  • GITHUB-290: A user who has not completed the setup should be allowed to request a new token using recover
  • PASSBOLT-3188: As LU the UI shouldn't crash if the uri of a password cannot be parsed

Final Countdown

12 Oct 14:01
v2.4

This release introduces the ability for users to select multiple passwords and perform a bulk action such as delete or share. The “remember me” feature that was available in the Pro Edition is now available to everybody.

Added

  • PASSBOLT-2972: As LU I should be able to delete multiple passwords in bulk
  • PASSBOLT-2951: Merge the remember me on CE
  • PASSBOLT-2329: As an administrator deleting a group which is sole owner of one or several passwords, I should be requested to select a new owner for these passwords
  • PASSBOLT-2972: As LU I should be able to select multiple passwords with standard keyboard interactions (command and shift keys)

Improved

  • GITHUB#275: Adding SSL configuration environment variables for cake mysql driver
  • PASSBOLT-2534: As LU I should not be able to copy to clipboard empty login/url
  • PASSBOLT-2017: As LU when I save a password (create/edit) the dialog shouldn't persist until the request is processed by the API
  • PASSBOLT-3073: As LU I should get a visual feedback directly after filtering the passwords or the users workspace
  • PASSBOLT-3009: Add types to authentication tokens

Fixed

  • PASSBOLT-2966: As LU I can't see passwords shared with me clicking on the "shared with me" shortcut filter
  • GITHUB#246: Fix healthcheck tips relative to tmp folder
  • PASSBOLT-3063: Fix appjs base url and subfolder
  • PASSBOLT-3074: As a logged in user selecting a "remember me" duration the checkbox should be selected automatically
  • PASSBOLT-2976: Fix API requests issues when the user is going to another workspace
  • PASSBOLT-3082: ezyang/htmlpurifier cache should be stored in the application cache directory
  • PASSBOLT-2982: Fix session expired check
  • PASSBOLT-3086: As LU when I have 100+ passwords I cannot see the passwords after the 100th more than once

Shine On You Crazy Diamond

05 Sep 14:05
v2.3.0

Release song: https://youtu.be/cWGE9Gi0bB0

This release introduces a much-awaited improvement: when deleting a user, blocking permissions can now be transferred. It also brings a few small user interface improvements, such as placeholder labels when something, like the resource description, is empty.

Thanks to @bjozet and @colinfrei for their contributions.

Improved

  • PASSBOLT-2950: Display empty feedbacks content.
  • PASSBOLT-2971: Reset the workspaces filters when a resource or a user is created.
  • PASSBOLT-2267: As an admin deleting a user I can transfer ownership of this user's shared
    passwords to another user or a group that has read access.

Fixed

  • PASSBOLT-2965: Group filter link stays active after switching to a non group filter.
  • Route rewriting of the appjs should take in account passbolt installed in a subdirectory.
  • Fix the loading bar stuck in the initialization state in some cases.
  • PASSBOLT-2969: Enforce steal to load the latest version of the appjs.
  • PR227: Fix some small date discrepancy in changelog.
  • PR4: Fix typo in tag text message.

I Want To Break Free

13 Aug 16:53
v2.2.0

Release song: https://youtu.be/f4Mc-NYPHaQ

Please note that Passbolt API V1.x will be officially unmaintained from the 1st of September 2018. If you haven’t upgraded to V2.x yet, it is strongly advised to do so now, since the next versions of the browser extension will no longer be compatible with the V1.x branch.

This release is mainly a maintenance release that also prepares the groundwork for the incoming ldap feature.

This release also includes a long awaited fix regarding performance issues. You can now manage thousands of passwords inside passbolt pretty smoothly.

Security has been improved further with the implementation of CSRF protection. Each request made by the client now contains a token that is verified server side, protecting against CSRF attacks.

We have also upgraded CanJS, the framework behind our JavaScript UI, to version 4. This upgrade was long overdue and took quite a bit of effort. After CakePHP 3.x, the upgrade of CanJS is one of those invisible and painful but necessary upgrades that help keep passbolt secure and maintainable.

Added

  • PASSBOLT-2906: Enable CSRF protection
  • PASSBOLT-2940: Implement app-js primary routes

Fixed

  • PASSBOLT-2805: Fix sort by date and sort by user first_name by default
  • PASSBOLT-2896: Fix filter by tag from the password details sidebar
  • PASSBOLT-2903: Fix logout link. It should target a full based url link
  • PASSBOLT-2926: Fix session timeout check
  • PASSBOLT-2927: Fix appjs ajax error handler
  • PASSBOLT-2941: Fix grid performance issues

Improved

  • PASSBOLT-2933: Upgrade to canjs 4

Loungin

18 Jun 08:43
v2.1.0

This release includes a major rewrite of the JavaScript front-end code with an upgrade to CanJS version 3. We are very pleased with this upgrade as it will allow us to ship features faster in the future.

Another simple but notable improvement is the ability to copy the username to the clipboard with one click on the username in the table view cells or the right sidebar.

Another new feature: during setup, the key passphrase is now checked against a dictionary of recent password leaks using the Pwned Passwords range API. This secure and anonymous check is only performed if the passphrase is longer than 8 characters, as any shorter passphrase is not secure anyway.
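
How a range lookup of this kind stays anonymous, as an added sketch that is not passbolt's own code: only the first 5 hex characters of the passphrase's SHA-1 digest are sent, and the remaining 35 are matched locally against the returned `SUFFIX:COUNT` lines. The function names, the injected `fetch_range` callable and the offline stub service are assumptions made for this illustration.

```python
import hashlib

MIN_LENGTH = 8  # per the release note: only passphrases longer than 8 characters are checked


def split_sha1(passphrase):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: 5 + 35 characters."""
    digest = hashlib.sha1(passphrase.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def leak_count(passphrase, fetch_range):
    """Return how often the passphrase appears in the leak data, or None if skipped.

    fetch_range(prefix) is a hypothetical callable returning the body of a
    range request: one "SUFFIX:COUNT" entry per line. It is only ever given
    the 5-character prefix, so the service cannot tell which hash was checked.
    """
    if len(passphrase) <= MIN_LENGTH:
        return None  # rejected as too short anyway; nothing is sent
    prefix, suffix = split_sha1(passphrase)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def make_stub_service(leaked):
    """Constructed offline stand-in for the range endpoint; records every prefix it is sent."""
    seen = []
    table = {}
    for passphrase, count in leaked.items():
        prefix, suffix = split_sha1(passphrase)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix):
        seen.append(prefix)
        decoy = "0" * 35 + ":1"  # constructed unrelated entry sharing the bucket
        return "\r\n".join([decoy] + table.get(prefix, []))

    return fetch_range, seen


if __name__ == "__main__":
    fetch, seen = make_stub_service({"correct horse battery": 12})  # constructed sample data
    for candidate in ("correct horse battery", "an unleaked passphrase", "short"):
        print(repr(candidate), "->", leak_count(candidate, fetch))
    print("prefixes seen by the service:", seen)
```
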

Added

  • PASSBOLT-2861: Add copy username to clipboard on click

Fixed

  • GITHUB-101: Fix the readme should point to the documentation for how to upgrade passbolt
  • PASSBOLT-2682: Fix healthcheck entry point when logged in as admin and debug is false
  • PASSBOLT-2869: Fix GPG wrapper should recognize the correct type and bit length
  • PASSBOLT-1917: Migrate to canjs 3.x
  • PASSBOLT-2883: Fix logout link should not prevent event propagation
  • PASSBOLT-2886: Fix fingerprint tooltips in user group management dialog
  • PASSBOLT-2894: Fix missing div breaking ellipsis on long url in password workspace
  • PASSBOLT-2891: Fix group edit users tooltips
  • PASSBOLT-2884: Update header left menu. Remove home and add help.
  • PASSBOLT-2885: Update user settings menus
  • PASSBOLT-2895: Fix notifications homogeneity
  • PASSBOLT-1337: Fix a logged in user should not be allowed to login or recover
  • PASSBOLT-1337: Remove gpg json sign middleware
  • PASSBOLT-1337: Wordsmithing healthcheck GPG feedback

Struggle

09 May 17:12
v2.0.7

Release song: https://www.youtube.com/watch?v=7BrcfBUlVu8

Security notice: Nginx users, please review your configuration file to make sure you are using the correct application root. It should be: /var/www/passbolt/webroot

This is a maintenance release for both Passbolt Pro and Community edition. It fixes issues introduced by v2.0.5 in both the web extension and the API. As you can see, version v2.0.6 is skipped in the history because it was used as a quick fix to revert the breaking changes with login when running API version < 1.6.10.

Please note that version 1 will reach end of life by the end of the month. Make sure you update your instance before the end of the month. This will allow us to drop support for the legacy v1 API in passbolt version 2 and make the rollout of new features easier.

Passbolt API

Fixed

  • Fix missing css on error pages
  • Add version numbers to CSS and JS files calls to prevent caching
  • Fix do not enable debugKit when debug is set to true

Passbolt Web Extension

Fixed

  • Fix backward compatibility issue with legacy API.

Docker container

Fixed

  • Nginx configuration file root directive for passbolt

Everyday Struggle

08 May 07:32
v2.0.5

[2.0.5] - 2018-05-08

Fixed

  • PASSBOLT-2764: Fix Groups autocomplete doesn't work with less than 3 characters
  • PASSBOLT-2826: Upgrade styleguide to v2.1.0
  • PASSBOLT-2812: Rebuild fixtures with updated public keys

One thing we all adore

26 Apr 06:23

[2.0.4] - 2018-04-25

Fixed

  • COMMUNITY-599: Make email MX validation optional and not enabled by default
  • GITHUB-247: Fix secrets are not deleted when deleting a group or a user

v2.0.3

23 Apr 10:54
v2.0.3

This is a maintenance release that improves compatibility with CentOS 7.

[2.0.3] - 2018-04-20

Fixed

  • PASSBOLT-2849: Fix issue with the permissions query and MariaDB 5.5
  • PASSBOLT-2848: Fix unsafe mode and ssl offloading