diff --git a/CHANGELOG.md b/CHANGELOG.md
index fe50c1654..fc4b4888a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,9 +22,37 @@ Fixing other platforms In Progress.
 WeKan 8.00-8.06 had wrong raw database directory setting /var/snap/wekan/common/wekan and some cards were not visible. Those are fixed at WeKan 8.07 where database directory is back to /var/snap/wekan/common and all cards are visible.
-# Upcoming WeKan ® release
+# v8.19 2025-12-29 WeKan ® release
-This release adds the following updates:
+This release fixes the following CRITICAL SECURITY ISSUES:
+
+- [Security Fix 1: IDOR in setCreateTranslation. Non-admin could change Custom Translation](https://github.com/wekan/wekan/commit/f244a43771f6ebf40218b83b9f46dba6b940d7de).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 2: Private-only board setting can be bypassed](https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 3: Card comment author spoofing (IDOR) via API](https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 4: Cross-board card move without destination authorization](https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 5: Read-only roles can still update cards](https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 6: Checklist delete IDOR: checklist not verified against board/card](https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 7: Checklist create IDOR: cardId not verified against boardId](https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 8: Attachments publication leaks metadata without auth](https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 9: Attachment upload not scoped to card/board relationship](https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+- [Security Fix 10: LDAP filter injection in LDAP auth](https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb).
+ Thanks to Joshua Rogers of joshua.hu of Twitter MegaManSec and xet7.
+
+and adds the following new features:
+
+- [Opened card Checklist menu: Hide finished tasks. Show Checklist at Minicard](https://github.com/wekan/wekan/commit/fbfde81bc8208b718c070a6eeba4b2e2d2ce83ba).
+ Thanks to C0rn3j and xet7.
+
+and adds the following updates:
 - [Helm Chart: Updated MongoDB to 7.0.28 at artifacthub.io](https://github.com/wekan/charts/commit/5e6d344e0b976ce683116b66a1fb8417590115aa).
 Thanks to xet7 and titver968.
@@ -39,6 +67,14 @@ and fixes the following bugs:
 [Part 1](https://github.com/wekan/wekan/commit/2d3bef9033134c3b62cf22179bbee4b6fea81444), [Part 2](https://github.com/wekan/wekan/commit/3af3c9a89d8a4020b6f1ccada7da2ccbec1a8562).
 Thanks to xet7.
+- [Fix find.sh work with spaces, for example: ./find.sh "Some text"](https://github.com/wekan/wekan/commit/db4b04d8377523440fd2c36c1633ee74d7b05146).
+ Thanks to xet7.
+- [Fix copy move card at board and MultiSelect to have numbered target of board, card above or below. Added MultiSelect change color](https://github.com/wekan/wekan/commit/74f1dfde72b9448645552ae28ba8d989d3e823d8).
+ Thanks to mimZD and xet7.
+- [Fix move card last selection is gone](https://github.com/wekan/wekan/commit/2d87ba18b31ab5d8dc91dce01199cf7b313bd560).
+ Thanks to mimZD and xet7.
+- [Fix Unable to delete Checklist. Added confirm delete to Checklist and Chekclist Item](https://github.com/wekan/wekan/commit/cf62807ad5d056ce9b8045c55f7cf6c29044967b).
+ Thanks to C0rn3j and xet7.
 Thanks to above GitHub users for their contributions and translators for their translations.
diff --git a/Dockerfile b/Dockerfile
index 5f5de8645..d322f66f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -249,9 +249,9 @@ cd /home/wekan/app
 # Remove legacy webbroser bundle, so that Wekan works also at Android Firefox, iOS Safari, etc.
 #rm -rf /home/wekan/app_build/bundle/programs/web.browser.legacy
 #mv /home/wekan/app_build/bundle /build
-wget "https://github.com/wekan/wekan/releases/download/v8.18/wekan-8.18-amd64.zip"
-unzip wekan-8.18-amd64.zip
-rm wekan-8.18-amd64.zip
+wget "https://github.com/wekan/wekan/releases/download/v8.19/wekan-8.19-amd64.zip"
+unzip wekan-8.19-amd64.zip
+rm wekan-8.19-amd64.zip
 mv /home/wekan/app/bundle /build
 # Put back the original tar
diff --git a/Stackerfile.yml b/Stackerfile.yml
index 8796fe0e0..fb8614872 100644
--- a/Stackerfile.yml
+++ b/Stackerfile.yml
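Review bot: The new `wget` line in the Dockerfile hunk fetches the release archive and hands it straight to `unzip` with no integrity check, so the image build trusts whatever the URL serves at build time; a pinned digest would make the build reproducible and detect a tampered or substituted archive. Add a verification step between the download and the extraction, e.g. `echo "<SHA256_OF_wekan-8.19-amd64.zip_PLACEHOLDER>  wekan-8.19-amd64.zip" | sha256sum -c -`, with the digest taken from the published release assets. If the enclosing step does not already run under `set -e`, chain the check with `&&` so a mismatch fails the build rather than being ignored. The same pattern appears in the snapcraft.yaml `parts` hunk (the unquoted `wget` of the same archive), which would benefit from the identical check. The RUN step these lines belong to appears to start and end outside the hunk, so the exact shell options in force cannot be confirmed from here.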
@@ -1,5 +1,5 @@
 appId: wekan-public/apps/77b94f60-dec9-0136-304e-16ff53095928
-appVersion: "v8.18.0"
+appVersion: "v8.19.0"
 files:
 userUploads:
 - README.md
diff --git a/docs/Platforms/Propietary/Windows/Offline.md b/docs/Platforms/Propietary/Windows/Offline.md
index 74049aa93..583bdd931 100644
--- a/docs/Platforms/Propietary/Windows/Offline.md
+++ b/docs/Platforms/Propietary/Windows/Offline.md
@@ -10,7 +10,7 @@ This is without container (without Docker or Snap).
 Right click and download files 1-4:
-1. [wekan-8.18-amd64-windows.zip](https://github.com/wekan/wekan/releases/download/v8.18/wekan-8.18-amd64-windows.zip)
+1. [wekan-8.19-amd64-windows.zip](https://github.com/wekan/wekan/releases/download/v8.19/wekan-8.19-amd64-windows.zip)
 2. [node.exe](https://nodejs.org/dist/latest-v14.x/win-x64/node.exe)
@@ -22,7 +22,7 @@ Right click and download files 1-4:
 6. Double click `mongodb-windows-x86_64-7.0.28-signed.msi` . In installer, uncheck downloading MongoDB compass.
-7. Unzip `wekan-8.18-amd64-windows.zip` , inside it is directory `bundle`, to it copy other files:
+7. Unzip `wekan-8.19-amd64-windows.zip` , inside it is directory `bundle`, to it copy other files:
 ```
 bundle (directory)
diff --git a/package-lock.json b/package-lock.json
index 9ab4b9978..0fae4c525 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "wekan",
- "version": "v8.18.0",
+ "version": "v8.19.0",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index a436c3068..a02c25760 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "wekan",
- "version": "v8.18.0",
+ "version": "v8.19.0",
 "description": "Open-Source kanban",
 "private": true,
 "repository": {
diff --git a/sandstorm-pkgdef.capnp b/sandstorm-pkgdef.capnp
index 7564ad2b1..72a42f536 100644
--- a/sandstorm-pkgdef.capnp
+++ b/sandstorm-pkgdef.capnp
@@ -22,10 +22,10 @@ const pkgdef :Spk.PackageDefinition = (
 appTitle = (defaultText = "Wekan"),
 # The name of the app as it is displayed to the user.
-appVersion = 818,
+appVersion = 819,
 # Increment this for every release.
-appMarketingVersion = (defaultText = "8.18.0~2025-12-28"),
+appMarketingVersion = (defaultText = "8.19.0~2025-12-29"),
 # Human-readable presentation of the app version.
 minUpgradableAppVersion = 0,
diff --git a/snapcraft.yaml b/snapcraft.yaml
index e2affaf0f..aeef629b0 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -1,5 +1,5 @@
 name: wekan
-version: '8.18'
+version: '8.19'
 base: core24
 summary: Open Source kanban
 description: |
@@ -166,9 +166,9 @@ parts:
 # Cleanup
 mkdir .build
 cd .build
-wget https://github.com/wekan/wekan/releases/download/v8.18/wekan-8.18-amd64.zip
-unzip wekan-8.18-amd64.zip
-rm wekan-8.18-amd64.zip
+wget https://github.com/wekan/wekan/releases/download/v8.19/wekan-8.19-amd64.zip
+unzip wekan-8.19-amd64.zip
+rm wekan-8.19-amd64.zip
 cd ..
 ##cd .build/bundle
 ##find . -type d -name '*-garbage*' | xargs rm -rf