BookStack v23.10.3

Security Release

• Update Instructions
• Update details on blog

This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system.
Additionally, this update addresses a lack of permission check in some image creation actions.

Upgrade is strongly advised where untrusted users have permission to create/edit/update page content in your instance.

Thanks to Carlos Bello from the Fluid Attacks Research Team for discovering and reporting this vulnerability.

Full List of Changes

• Updated thumbnail handling to for use of content as image data. (#4681)

BookStack v23.10.2

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed incorrect audit log dropdown behaviour. (#4652)
• Fixed redirects to the manfiest endpoint in some environments. (#4649)
• Updated translations with latest Crowdin changes. (#4643)

BookStack v23.10.1

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Added "Norwegian Nynorsk" to user language options.
• Added JavaScript public event for customizing codemirror instances. (#4639)
• Added handling to allow jumping to headers/sections within collapsible sections. (#4637)
• Added PHP 8.3 support. (#4633)
• Updated translations with latest Crowdin changes. (#4631)
• Fixed header bar peeking through on markdown editor fullscreen mode. (#4641)
• Fixed incorrect color usage for editor toolbox active tabs. (#4630)

BookStack v23.10

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• User Detail/Preference Changes - Many of the URLs, paths and interfaces for user-self management have changed in this release. You may need to update any documentation or user guidance you may have surrounding users updating their own details or preferences.

Full List of Changes

• Added new "My Account" area. (#4615)
• Added Uzbek language translations. Thanks to @mrmuminov. (#4527)
• Added artisan command for re-fetching existing user avatar images. Thanks to @MarcHagen. (#4560, #1893)
• Added basic PWA support. Thanks to @GamerClassN7. (#4430, #1253)
• Added new header bar partials for easier customization. (#4564)
• Added "View Tags" button to non-default homepage views. (#4558)
• Updated page editor interface with a new design. (#4604)
• Updated app caching behaviour to avoid expiry scenarios. (#4600)
• Updated cleanup-images command to allow non-interactive running. (#4541)
• Updated comment notification options to only show if comments active. Thanks to @tusharnain4578. (#4552, #4508)
• Updated editor entity selector to pre-fill with selected text. (#4571)
• Updated file & image upload handling for better indication of issues. (#4578, #4454)
• Updated guest user logic to reduce complexity and overlapping methods. (#4554, #4448)
• Updated HTTP calling in the codebase to align all handling. (#4525)
• Updated icon handling to remove unneeded global helper. (#4553)
• Updated language handling to reduce complexity and duplicated logic. (#4555, #4501)
• Updated logical theme system to capture load errors for better reporting & debugging. (#4504)
• Updated mixed entity endpoints to share and align logic. (#4444)
• Updated OIDC config handling to move logic out of config file. (#4494)
• Updated OIDC request timeout to 5 seconds. (#4397)
• Updated older notifications codebase to align with newer code organisation. (#4500)
• Updated print view to ignore extra elements. (#4594)
• Updated Slack authentication to use official Laravel implementation. (#4464)
• Updated the default email settings to use example domain. (#4518)
• Updated translations with latest Crowdin changes. (#4523)
• Updated username truncation to always show some part of the name. Thanks to @Bajszi97. (#4533, #4489)
• Updated security docs to remove huntr references. Thanks to @radiantwave. (#4616, #4618)
• Fixed awkward sidebar scroll behaviour at mid-level screen sizes. Thanks to @LawssssCat. (#4562)
• Fixed buggy dark/light mode button when dark mode is the default. (#4543)
• Fixed enter press incorrectly clearing tag input field. (#4570)
• Fixed issue where "?" would show shortcuts when typing in an input. (#4606)
• Fixed lack of content in plaintext export options. (#4557)
• Fixed missing notification text in German-language emails. (#4567)
• Fixed odd default homepage layout at iPad-like width. (#4596)
• Fixed un-aligned text across elements when they show their empty states. (#4563)
• Enabled Albanian translations for BookStack on Crowdin. (#4065)
• Enabled Finnish translations for BookStack on Crowdin. (#4614)
• Enabled Norwegian Nynorsk translations for BookStack on Crowdin. (#4447)

BookStack v23.08.3

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed comment reply notifications not being sent to the correct/expected user. (#4548)
• Fixed JavaScript error that could appear when not having comment permissions. (#4531)
• Fixed wrong French translation in notification preferences. (#4511)
• Updated translations with latest Crowdin changes. (#4512)

BookStack v23.08.2

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed WYSIWYG filtering issue, introduced in v23.08.1, which breaks page editing and drawing use when certain elements exist in page content. (#4510, #4509)
• Updated translations with latest Crowdin changes. (#4506)

BookStack v23.08.1

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated preferences view styles to better respond to content and screen sizes to prevent wrapping buttons. (#4502)
• Updated WYSIWYG editor filtering to help prevent page pointer being pasted into pages. (#4474)
• Updated translations with latest Crowdin changes. (#4481)
• Fixed a range of typos in our dev docs. Thanks to @omahs. (#4484)
• Fixed deleted watched books/chapters/pages breaking notification preferences view from loading. (#4499)
• Fixed notifications not being sent in receiver language preference. (#4497, #4480)

BookStack v23.08

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Security - Webhooks - In scenarios where admin users are not trusted, webhooks could potentially be used maliciously. This update adds a control for such functionality. Please read our documentation for the new ALLOWED_SSR_HOSTS option if this may be a concern for your instance.

Full List of Changes

• Added content notification system. (#4390, #4371, #241)
• Added browser-based drawing backup storage mechanism. (#4457, #4421)
• Added order/priority control within books via the API. Thanks to @rouet. (#4313, #4298)
• Added host allow list option for server side requests like webhooks. (#4410)
• Added additional comment-specific activities. (#4389)
• Updated translations with latest Crowdin changes. (#4380, #4462)
• Fixed API docs caching failure when using DB cache driver. (#4453)
• Fixed overly wide page view when using an RTL language. (#4429)
• Fixed status cache check to work better for simultaneous requests. (#4396)
• Fixed markdown editor scrolling on mobile screen sizes. (#4466)

BookStack v23.06.2

Links

• Update instructions

Upgrade Notices

• Shelf Create Permissions - If you upgraded specifically to v23.06 or v23.06.1, then create permissions for bookshelves would have been removed upon upgrade. If you made use of these via the "Copy Permissions to Books" action, or CLI command, then you will need to re-apply these permissions where required. If you jumped right over v23.06 and v23.06.1, then no permissions were removed.

Full List of Changes

This release contains the following fixes and changes:

• Re-added shelf create permissions, now include a note to indicate permission usage. (#4375)
• Fixed issue causing some delete-based action webhooks to create not-found errors. (#4373)
• Updated translations with latest Crowdin changes. (#4367)

BookStack v23.06.1

Links

• Update instructions

Upgrade Notices

• Email Configuration (TLS) - Due to issues experienced in v23.06, MAIL_ENCRYPTION=ssl or MAIL_ENCRYPTION=tls will now simply ensure that TLS or STARTTLS are used, rather than forcing full TLS to be used. Our email documentation has been updated to reflect this.

Full List of Changes

This release contains the following fixes and changes:

• Updated MAIL_ENCRYPTION usage due to incorrectly forcing initial TLS usage. (#4358)
• Updated translations with latest Crowdin changes. (#4352)
• Fixed image updated timestamp not updating when gallery images are replaced. (#4354)
• Fixed sort options breaking roles page load. (#4350)
• Fixed IPv6 addresses in audit log spilling into date column. (#4349)
• Fixed many inaccuracies in API example responses. Thanks to @devdot. (#4344)