
Releases: linuxserver/docker-bookstack

v21.08.6-ls164

15 Oct 14:36

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Links

Full List of Changes

This release contains the following fixes and changes:

  • Added custom whoops-based debug view which fixes issue where debug view would not show content due to CSP rules. (#2977, #2976)
  • Added throttling to password reset requests. (ca764ca)
  • Updated translations with latest changes from Crowdin. (#2980)
  • Updated DOMPDF chroot directory to prevent potential unintended file access. (#2965)
  • Fixed issue where TOTP setup would provide guest email address upon QR code scan when MFA setup was enforced at login. (#2971)

v21.08.5-ls164

14 Oct 16:16

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Security Release

This security release covers a vulnerability which would allow malicious users, who have permission to update or create pages, to load content from files stored within the storage/ or public/ directories (such as application logs) via the page HTML export system.

If you allow untrusted users to edit page content you should update as soon as possible.

This release also changes the way browser response caching is performed, while logged in, to help prevent navigating back to confidential content after logout.

Additional Changes

  • Added concurrent page editing warnings upon draft save events. Thanks to @MatthieuParis (#2877)
  • Updated translations with the latest changes from Crowdin. (#2953)

v21.08.5-ls163

08 Oct 22:35

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Security Release

This security release covers a vulnerability which would allow malicious users, who have permission to update or create pages, to load content from files stored within the storage/ or public/ directories (such as application logs) via the page HTML export system.

If you allow untrusted users to edit page content you should update as soon as possible.

This release also changes the way browser response caching is performed, while logged in, to help prevent navigating back to confidential content after logout.

Additional Changes

  • Added concurrent page editing warnings upon draft save events. Thanks to @MatthieuParis (#2877)
  • Updated translations with the latest changes from Crowdin. (#2953)

v21.08.4-ls163

07 Oct 17:06

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Links

Full List of Changes

This release contains the following fixes and changes:

  • Added IP address to tracked activities and displayed in audit log. Thanks to @johnroyer. (#2936, #2747)
  • Added the option to use database table prefixes. Thanks to @floviolleau. (#2935)
  • Allowed the use of content includes when using a custom homepage.
  • Updated translations with latest content from Crowdin. (#2926)
  • Converted old test cases to remove reliance on BrowserKit. (#2928)
  • Fixed incorrect audit log detail on social account sign-in. (#2930)
  • Fixed issue where QR codes were not readable when using dark mode. (#2925)

v21.08.4-ls162

04 Oct 16:51

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Links

Full List of Changes

This release contains the following fixes and changes:

  • Added IP address to tracked activities and displayed in audit log. Thanks to @johnroyer. (#2936, #2747)
  • Added the option to use database table prefixes. Thanks to @floviolleau. (#2935)
  • Allowed the use of content includes when using a custom homepage.
  • Updated translations with latest content from Crowdin. (#2926)
  • Converted old test cases to remove reliance on BrowserKit. (#2928)
  • Fixed incorrect audit log detail on social account sign-in. (#2930)
  • Fixed issue where QR codes were not readable when using dark mode. (#2925)

v21.08.3-ls161

30 Sep 16:11

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Links

Full List of Changes

This release contains the following fixes and changes:

  • Fixed certain "Custom HTML Head Content" being incorrectly altered or converted. (#2923, #2914)
  • Updated translations with latest Crowdin updates. (#2915)

v21.08.3-ls160

23 Sep 16:11

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Links

Full List of Changes

This release contains the following fixes and changes:

  • Fixed certain "Custom HTML Head Content" being incorrectly altered or converted. (#2923, #2914)
  • Updated translations with latest Crowdin updates. (#2915)

v21.08.3-ls159

16 Sep 16:10

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Links

Full List of Changes

This release contains the following fixes and changes:

  • Fixed certain "Custom HTML Head Content" being incorrectly altered or converted. (#2923, #2914)
  • Updated translations with latest Crowdin updates. (#2915)

v21.08.3-ls158

12 Sep 16:44
7f19f97

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Links

Full List of Changes

This release contains the following fixes and changes:

  • Fixed certain "Custom HTML Head Content" being incorrectly altered or converted. (#2923, #2914)
  • Updated translations with latest Crowdin updates. (#2915)

v21.08.2-ls158

09 Sep 23:59
7f19f97

LinuxServer Changes:

Rebase to Alpine 3.14.

bookstack Changes:

Security Release

This security release is intended to cover a couple of XSS vulnerabilities, where a malicious user with page edit access could enter script that would execute upon page view. You should update as soon as possible if you allow untrusted users to edit content in your instance.

In addition, this release expands the CSP headers set by BookStack to help avoid any similar vulnerabilities from being effective going forward. If you've performed some more advanced customizations on your instance, they may need to be altered to work with the built-in CSP system.