Added v0.30.6 post
This commit is contained in:
parent abc76ca64c
commit d77b5fce8e
GPG key ID: 46D9F943C24A2EF9
3 changed files with 59 additions and 1 deletions
51 content/blog/beta-security-release-v0-30-6.md Normal file
51
content/blog/beta-security-release-v0-30-6.md Normal file | | @ -0,0 +1,51 @@ | |||
+++ | ||||
categories = ["Releases"] | ||||
tags = ["Releases"] | ||||
title = "Beta Security Release v0.30.6" | ||||
date = 2020-12-17T21:30:00Z | ||||
author = "Dan Brown" | ||||
image = "/images/blog-cover-images/lock-door-waldemar-brandt.jpg" | ||||
description = "BookStack v0.30.6 has been released to address an issue that could lead to restricted page content being visible in certain circumstances." | ||||
slug = "beta-release-v0-30-6" | ||||
draft = false | ||||
+++ | ||||
| ||||
| ||||
BookStack v0.30.6 has been released to address an issue that could lead to restricted page content being visible in certain circumstances. | ||||
You should upgrade to this released as soon as possible if you make use of page-level permissions at all. | ||||
| ||||
* [Update instructions](https://www.bookstackapp.com/docs/admin/updates) | ||||
* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v0.30.6) | ||||
| ||||
| ||||
### Impact | ||||
| ||||
If a chapter was visible to a user, but all of it's pages were made not visible, then the details of these pages could be visible. Within the BookStack interface, the names of the pages and preview content could be seen. If the parent book was exported then this would include the content of the pages that had been restricted. | ||||
| ||||
### Patches | ||||
| ||||
This has been patched in v0.30.6. | ||||
| ||||
### Workarounds | ||||
| ||||
Please update. As a temporary workaround you could ensure that there is at least one other page within a chapter that's visible to users. | ||||
| ||||
### References | ||||
| ||||
* [BookStack Beta v0.30.6](https://github.com/BookStackApp/BookStack/releases/tag/v0.30.6) | ||||
* [GitHub Issue #2414](https://github.com/BookStackApp/BookStack/issues/2414) | ||||
| ||||
### Attribution | ||||
| ||||
A big thanks to [@cdrfun](https://github.com/cdrfun) for [discovering and reporting](https://github.com/BookStackApp/BookStack/issues/2414) this issue. | ||||
| ||||
### For more information | ||||
| ||||
If you have any questions or comments about this advisory: | ||||
* Open an issue in [the BookStack GitHub repository](BookStackApp/BookStack/issues). | ||||
* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2). | ||||
* Follow the [BookStack Security Advice](https://github.com/BookStackApp/BookStack#-security) to contact someone privately. | ||||
| ||||
---- | ||||
| ||||
<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@waldemarbrandt67w?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Waldemar Brandt</a> on <a href="https://unsplash.com/s/photos/lock?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></span></span> | ||||
| | @ -33,6 +33,10 @@ Check the below list for the version you are updating to for any additional inst | |||
| ||||
The below lists things you may need to be aware of when upgrading to a newer version of BookStack. | ||||
| ||||
#### Updating to v0.30.6 or higher | ||||
| ||||
**Security** - v0.30.6 addresses an issue where page content could be visible to those without permission. If a chapter was visible to a user, but all of it's pages were made not visible, then the details of these pages could be visible. Within the BookStack interface, the names of the pages and preview content could be seen. If the parent book was exported then this would include the content of the pages that had been restricted. Please see the [blog release page for more details](/blog/beta-release-v0-30-6/). | ||||
| ||||
#### Updating to v0.30.5 or higher | ||||
| ||||
**Security** - v0.30.5 fixes an potential vulnerability where a user with edit permissions could perform server-side requests using the export system. Additionally it was found that, if using standard email/password authentication, the system host URL could be manipulated on the forgot password form which could allow for email phishing attempts. Ensure you have set the `APP_URL` option in your `.env` file to help prevent this. Please see the [blog release page for more details](/blog/beta-release-v0-30-5/). | ||||
| | @ -83,7 +87,7 @@ sudo systemctl restart nginx.service | |||
| ||||
#### Updating to v0.26 or higher | ||||
| ||||
**Internet Explorer Support** - IE11 Support has now been dropped. We *may* support any critical issues for view-only scenarios otherwise please use a modern browser. | ||||
**Internet Explorer Support** - IE11 Support has now been dropped. Please use a modern browser. | ||||
| ||||
**Translations** - Since many interfaces and lines of text have been updated, It may take a little while for some translations to catch-up. Expect to see more English text than usual if you're using a non-English language option. | ||||
| ||||
| | | |||
Loading…
Add table
Add a link
Reference in a new issue