Releases: passbolt/passbolt_api

Creep

01 Jun 11:14
v4.0.2

Song: https://open.spotify.com/track/261RumEq9qqk1I1w4OKdhd?si=5d56e9729796420d&nd=1

Presenting the latest update of passbolt, version 4.0.2. This release revises a previous fix for a community-reported bug. The bug impacts 32-bit operating systems.

Find out more about the reported issue on the community forum.

[4.0.2] - 2023-05-24

Fixed

  • PB-24644 As an admin I should be able to run migrations on a 32 bit environment

Under Pressure

01 Jun 11:12
v4.0.1

Song: https://www.youtube.com/watch?v=a01QQZyl-_I

Introducing the latest update of Passbolt CE, release v4.0.1. This release fixes a bug reported by the community that impacts 32-bit operating systems. The reported issue can be found on the community forum.

[4.0.1] - 2023-05-23

Added

  • PB-24644 As an admin I should be able to run migrations on a 32 bit environment

Get up stand up

23 May 09:54

Song: https://youtu.be/CwIdvOTzvqc

Introducing the latest update of passbolt CE, release v4. This update includes some significant enhancements to the platform’s functionality and overall user experience.

This is a major change, so make sure you check the platform requirements, and do a test upgrade, before you update your live systems to the new version!

Passbolt now requires a minimum of PHP 7.4 to run, but also supports PHP 8.2, which brings faster performance and better security. The browser extension is also getting a bit of love with some much-needed maintenance for Manifest v3; it requires at least passbolt API v3 to run.

This release mainly focuses on platform compatibility and accessibility improvements to ensure an inclusive experience for all users across all versions. Alongside these updates, v4 includes numerous bug fixes and security enhancements to further improve system reliability. It’s recommended that all users update to this latest version to get the most out of passbolt and benefit from the upcoming new features.

We appreciate the continued support and feedback as we strive to provide an exceptional user experience. Reach out on the community forum if you encounter any issues with this new release.

[4.0.0] - 2023-05-16

Added

  • PB-24245 As LU using the API I can manage standalone TOTP and TOTP associated with passwords resources types
  • PB-24086 As an admin I can create a user recovery link from the command line

Maintenance

  • PB-23321 Upgrade CakePHP to 4.4
  • PB-24296 As a developer I can retrieve in integration tests the body of json requests in array
  • PB-24083 Removes the usage of the Paginator deprecated in CakePHP 4.4
  • PB-23926 Bump PHPUnit to ~9.5.2 to avoid warning messages of 9.6
  • PB-22758 Introduce JWT key injection to enable parallel tests
  • PB-22622 Add CS rule to disallow space after NOT operator
  • PB-23786 Remove PHP 7.3 from the testing pipes
  • PB-24561 Upgrades cakephp/migrations library
  • PB-24073 As a developer I should ensure that the CHANGELOG.md file is in the right format
  • PB-24071 As a developer I can enable feature plugins with the plugins class name
  • PB-24272 Adds contribution link in CONTRIBUTING.md

Fixed

  • PB-24078 As a user I should receive the correct email avatar text after folder manipulation
  • PB-24039 Action log event listener should not throw error on missing connection
  • PB-23558 Remove PHP 8.2 deprecation warnings
  • PB-23557 Remove PHP 8.1 deprecation warnings

Security

  • PB-24056 As an admin I can view log stack traces when debug mode is enabled
  • PB-24297 Update guzzlehttp/psr7 to fix composer audit security vulnerability

Stille Einfuegen

27 Apr 09:31

Song: https://soundcloud.com/acidpauli/stille-einfugen

This is a small security release of the API only. It addresses an information leak issue while creating a resource with encrypted description and misusing the API. A client could inadvertently insert an unencrypted version of the description along with its encrypted version in the database.

If you want to know more about the issue, check out the incident report.

[3.12.2] - 2023-04-26

Security

  • PB-24315 As signed-in user creating resources with encrypted description the API should not store unencrypted descriptions even if provided by the client
  • PB-24316 Cleanup description of resources with resource type password and description

Introspective

17 Mar 15:51

Song: https://open.spotify.com/track/3LU41qIkh4lND6PM4W8jHw?si=44039421ff734292

Release 3.12 includes a number of new features and enhancements, including the much-anticipated addition of folders in the Community Edition, which allows users to better organise resources.

Another notable new feature is the ability to customise passbolt to output the action logs to syslog or a file, giving administrators more control over and visibility into what is happening on their instance, and letting them leverage other tools for threat and unusual-activity detection. Administrators can also implement their own handler for action logs to further customise their passbolt instance reporting. A blog post demonstrating this new feature will be available soon.

Version 3.12 also includes important fixes, such as a fix to ensure that only administrators can see which users have MFA enabled. This regression was spotted during the Cure53 March security audit. The full report will be available shortly. Spoiler alert: no critical vulnerability was found.

Lastly, more file formats for export are included in release 3.12. This provides more options for migrating data between applications.

Overall, the release of version 3.12 provides several useful improvements. Thank you to the members of the community who’ve reported issues and helped us fix them.

[3.12.0] - 2023-03-15

Added

  • PB-20535 As a community user I want to use folders
  • PB-22749 As an administrator I can customise passbolt to output the action logs in syslog
  • PB-22749 As an administrator I can customise passbolt to output the action logs in a file
  • PB-22749 As an administrator I can implement my own action logs handler

Fixed

  • PB-23717 As a user using the json API I should get a bad request error instead of an internal error if using api-version=v1
  • PB-21826 Fix emails entries should not be locked when threshold limit is exceeded
  • PB-23519 As an administrator running the DUO v4 migration I should not see a warning message if DUO was not configured
  • PB-23721 As an administrator I want to be sure the server key is in the keyring before decrypting users directory settings

Security

  • PB-23311 As an administrator I should be the only one to know which users have enabled MFA

Improved

  • PB-23333 As an administrator I should see a notice instead of a warning if I enabled the self registration plugin
  • PB-23722 As a developer running the unit tests I want to be sure the version from the config matches the one from the changelog
  • PB-22892 As a user recovering my account I want to see the success and error pages feedback

Maintenance

  • PB-23287 Duo multi-factor authentication redirection refactoring
  • PB-23702 Update phpseclib/phpseclib dependency

Birdie

08 Mar 09:30

Song: https://youtu.be/reXhjQ50iug

This is a small maintenance release addressing community reported issues related to the recently introduced Duo v4 support.

This release also includes a security fix for the browser extension to mitigate clickjacking attacks discovered during an independent security audit of the API and browser extension by Cure53. As always, detailed findings will be published on our dedicated incident page soon.

Thank you to the members of the community who’ve reported issues and helped us fix them.

[3.11.1] - 2023-03-03

Fixed

  • PB-23283 As an administrator I can disable username validation in Duo Callback endpoints

Regular

06 Mar 14:05

Song: https://youtu.be/yR1u-v66iT4

Community Edition v3.11 introduces new features and enhancements to your passbolt experience.

Duo v4 MFA support is now available in the browser, an update from the previously supported v2. The API also now features a new endpoint that allows administrators to get paginated action logs, to make it easier to browse and find specific events or actions programmatically. In addition, the browser extension is now available in Italian, Portuguese, Korean, and Romanian (these languages are in beta, let passbolt know if you find anything that needs updating).

As part of ongoing efforts to improve passbolt, v3.11 also deprecates PHP 7.3 support and passbolt API v2 support. While you will not be able to install a new instance on PHP 7.3, existing instances will still work until the next version. We encourage users to upgrade to PHP 7.4 or higher and use the latest version of the passbolt API.

Passbolt appreciates the support of the community and the contributions we receive. Thank you for choosing passbolt; users play an integral role in its growth and development.

[3.11.0] - 2023-03-01

Added

  • PB-22435 As a user using SSO Azure I can recover my account using SSO Azure
  • PB-22741 As an administrator I should see an error in the healthcheck if I use php 7.3 or less
  • PB-22747 As an administrator I can define a regular expression to customise email validation
  • PB-22748 As an administrator I can access to the paginated list of action logs on the browser
  • PB-22866 As a user I want to use passbolt in Italian
  • PB-22866 As a user I want to use passbolt in Portuguese (Brazil)
  • PB-22866 As a user I want to use passbolt in Korean
  • PB-22866 As a user I want to use passbolt in Romanian

Fixed

  • PB-21489 As a user I should not see double headers in emails sent by the email digest

Improved

  • PB-22725 As an administrator I want to manage Duo v4 settings
  • PB-21763 As a user I want to see a clean SSO error feedback in the popup after failing to sign-up with SSO
  • PB-21764 As a user I want to see a clean SSO feedback in the popup after signing-in with SSO
  • PB-21906 As a user I don’t want to receive email by default when I create a resource or a folder as well as I don’t want to see any details for this content by default
  • PB-22512 As an SSO administrator I want to see the access_token details when it is missing or has invalid claims
  • PB-22610 As a user I want the SSO Azure authentication to support nonce

Maintenance

  • PB-22416 As a developer I can safely deactivate plugins between solutions
  • PB-22756 Fixes a range of failing pagination tests
  • PB-22760 SSO State Type refactoring
  • PB-22495 Refactors the SmtpTransport to enhance the code coverage of emails
  • PB-22430 Refactoring of SSO state to use separate table

Glue

14 Feb 17:04
v3.10.0

Song: https://open.spotify.com/track/2aJDlirz6v2a4HREki98cP?si=51e34d30904b4459

The passbolt team is excited to share the latest improvements in release 3.10. With the help of our contributors and the community's input, passbolt is proud to present the release of self-registration.

Users can now self-register if their email domain matches the administrator-defined policy. This will make the registration process smoother and more efficient, especially with larger teams.

Thanks to everyone who contributed to this release, we look forward to continuing to enhance passbolt with your support.

[3.10.0] - 2023-02-14

Added

  • PB-19784 As a user I can self register if my email domain matches the policy defined by the administrators

Improved

  • PB-21485 As a server administrator I want to configure the list of active proxies the instance
    is behind in order to get client IP when necessary
  • PB-21682 As an administrator I want to configure the client option of the SMTP settings
  • PB-22019 As a server administrator I want to configure TOTP MFA secret length

Maintenance

  • PB-22327 env variable PASSBOLT_PLUGINS_SMTP_SETTINGS renamed in PASSBOLT_PLUGINS_SMTP_SETTINGS_ENABLED (backward compatible)
  • PB-22406 curl and openssl extensions requirements added
  • PB-22413 bump CakePHP to ^4.3.11

Bunny

20 Jan 08:19
v3.9.0

Song: https://youtu.be/U_i895w7CfM

The team at passbolt is thrilled to announce the release of v3.9 for immediate availability!

Passbolt CE v3.9 ships with Multi Factor Authentication (MFA) for all community edition users! Users can now set up MFA using various methods, including Duo, TOTP (Google Authenticator, Authy), and YubiKey (with Yubico Cloud).

Additionally, v3.9 also includes support for PHP 8.2.

The team is glad to make MFA, a former passbolt Pro feature, more widely available, as it’s been a highly requested feature within our community (even though one could argue that the existing authentication protocol already combined 2 factors of authentication: the private key and the master passphrase). The goal at passbolt is to provide the best security possible first while constantly improving user experience. It wouldn’t be possible without the incredible community that surrounds passbolt. Thank you to everyone who contributed ideas, reported bugs, and provided input.

Big things are on their way! Keep an eye out for how passbolt continues to grow and evolve in the coming months with additional pro edition features becoming available in the CE such as folders! To show your support please write a review on the app / extension webstore (chrome, firefox, edge, ios, android).

[3.9.0] - 2023-01-19

Added

  • PB-20539 As a user I can protect the authentication to passbolt with a second factor method

Fixed

  • PB-19601 As an admin running the healthcheck I should not see an unmanaged error if DB connection fails
  • PB-21497 GITHUB-437 As an administrator I should see default user avatar in the email I receive when a user complete the setup
  • PB-21501 GITHUB-411 As an administrator I should see the correct path relative to config tips in the health check report
  • PB-21756 As an anonymous user switching MFA provider I should be redirected to the original target

Improved

  • PB-19653 Rename Google authenticator into Totp authenticator
  • PB-19807 As an administrator I want to know if email hostname availability is enabled in the health check report
  • PB-20985 As an administrator I shouldn't be able to send a test email in command line without defining the recipient
  • PB-21502 As an administrator I want to know if I run a passbolt command without using the webserver user
  • PB-21635 As an administrator I want the cron events to be logged
  • PB-21751 As anonymous user I don't want to see the TOTP field auto-completed when I verify my second factor authentication
  • PB-19715 As an administrator I want to lock the SMTP settings entry points

Maintenance

  • PB-19212 Improve PHPUNIT performances
  • PB-19541 Add composer audit job on development pipelines
  • PB-19594 Avoid duplicated pipelines
  • PB-19583 Remove deprecated usage of dummy auth token generation in tests
  • PB-19594 Improve phpunit pipelines environment matrix
  • PB-19706 Refactor favorites add controller into service
  • PB-19707 Refactor favorites delete controller into service
  • PB-20512 Ease debug by attaching original exception to InternalErrorException when missing
  • PB-20541 Replace usage of Cake core Exception with CakeException when not done yet
  • PB-21361 Remove deprecated usage of authenticateAs in tests
  • PB-21658 Add support to PHP 8.2

Up Down Jumper

06 Dec 08:43
v3.8.3
3a49866

Song: https://youtu.be/BNe7OrleTlg

This is a small maintenance release of the API only, fixing issues reported by the community related to the recently introduced SMTP settings feature. It also adds information to help with debugging GnuPG integration issues.

A big thank you to the community members who report issues and help us investigate them.

[3.8.3] - 2022-12-01

Fixed

  • PB-21631 Ensure the OpenPGP server key is in the keyring prior to sending any emails