Commit Graph

79 Commits (6e5d674dda301dec4cadfff978a3c80e92421087)

Author SHA1 Message Date
Richard Hansen 1ad9b1efbb Update `CHANGELOG.md`
Add new entries and refine wording/formatting of existing entries.
2020-11-10 07:22:22 +00:00
John McLear 89667f1d4f
update changelog for release (#4475) 2020-11-08 10:03:22 +00:00
John McLear 66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen 34b232d658
Update `CHANGELOG.md` with the changes so far (#4393) 2020-10-06 09:16:21 +02:00
Richard Hansen df7fa1fd41
changelog: Mention fix for authz bypass vulnerability in 1.8.6 (#4318) 2020-09-20 19:21:46 +00:00
Stefan Mueller 299bd962b6 Update version to 1.8.6 and add changelog informations 2020-09-18 21:14:19 +02:00
Stefan Mueller 5e03a3b0fe Set changelog informations for new version 2020-09-08 22:10:27 +02:00
John McLear 2a28ff8526
Changelog (#4181) 2020-07-19 23:48:31 +01:00
John McLear e22574c40f
Changelog 2020-06-10 15:43:09 +01:00
muxator 4365598658 release: prepare for 1.8.4 2020-05-15 02:09:18 +02:00
muxator 5e6af287a5 release: prepare for 1.8.3 2020-04-27 03:24:23 +02:00
muxator 684f374ece runtime: require node >= 10.13.0 LTS
At the moment, NodeJS 10.x is the lowest supported LTS version. NodeJS 8.x is no
longer supported upstream.

Implements #3835.
Planned in #3650.
2020-04-09 04:43:37 +02:00
John McLear babf67175c undomodule: disallow undoing "clear authorship colors"
Clearing the authorship colors of a document with at least two authors, and then
undoing that action caused a disconnect from the pad.
This change disallows undoing clearing authorship colors in order to prevent
the problem from affecting users, and adds the relative test coverage.

This is a change of behaviour, and is documented in the changelog.

Fixes #2802 (sidestepping it).
2020-04-08 15:20:37 +02:00
muxator a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
ahmadine 0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
muxator 7e44dc569b changelog: mention the conditional user creation feature (now that it's fixed) 2019-11-02 23:37:59 +01:00
muxator 4f53b35bcb changelog: reflect the fact that next release will be 1.8-beta.1
This change should have been part of 84479851fe.
2019-11-02 23:37:01 +01:00
muxator 55fb10c685 release: prepare for 1.8.0 2019-10-19 03:42:13 +02:00
muxator 705cc6f5e4 Change everywhere the link to https://etherpad.org (it was plain http) 2019-04-16 00:54:54 +02:00
muxator a6656102d8 CHANGELOG.md: link to https://translatewiki.net instead of plain http 2019-04-16 00:53:00 +02:00
muxator 4f0a2785da release: prepare for 1.7.5
Written the changelog and updated package.json.
2019-01-26 00:16:03 +01:00
muxator 4408a1e505 release: prepare for 1.7.0
Written the changelog and updated package.json.

From now on, releases will be cut from develop, and merged directly into master.

Each release will be a tag on the master branch (e.g. 1.7.0).
A "release/1.7.0" branch will eventually be created only if/when a hotfix will
be needed.
2018-08-17 00:18:31 +02:00
muxator 60c1036ecb
changelog: put <ol> in backticks
Github's Markdown renderer broke the layout of the readme file.
Putting `<ol>` in backticks keeps it happy.
2018-07-20 12:33:45 +02:00
muxator bfec44e346 Release version 1.6.6 2018-05-05 00:53:59 +02:00
muxator e13ae0aec5 changelog: better specified CVE description
Previous commit was wrong.
Fixes #3372, really.
2018-05-04 23:24:58 +02:00
muxator 10d555bc91 changelog: better specified CVE description
fixes #3372
2018-05-04 23:15:22 +02:00
muxator 3eb3e301a2 manually updated CHANGELOG.md
due to createRelease.sh not catching an error from sed and continuing:
   sed: -e expression #1, char 66: unterminated `s' command
2018-04-10 00:50:28 +02:00
John McLear 0132f4d1da Include CVE # 2018-04-07 10:13:09 +01:00
John McLear c34350f307 Beginning to make release 2018-04-07 09:22:13 +01:00
Stefan 1e25e7fc77 Release version 1.6.3 2018-02-03 12:57:22 +01:00
Stefan (Gared) e84c696225 Updated CHANGELOG.md 2017-11-04 17:38:59 +01:00
Jonah Duckles fcde66050e Fix markdown H1 2017-05-30 13:34:07 +12:00
Stefan 9f51432175 Update CHANGELOG.md 2016-12-23 22:12:18 +01:00
Stefan 5ed9f2736a Add version 1.6.0 changelogs 2016-04-24 21:32:21 +02:00
Stefan 6fae670476 Release version 1.5.7 (changelog) 2015-08-05 19:25:11 +02:00
Stefan 2393ea01f0 Release version 1.5.6 2015-04-16 23:06:24 +02:00
Stefan 64d94cb346 Release version 1.5.5 2015-04-13 17:27:14 +02:00
Stefan 1b9a51c879 Release version 1.5.4 2015-04-11 10:19:02 +02:00
John McLear fc60ddded1 changelog 2015-04-10 22:23:07 +01:00
Stefan c0260bcc40 Add changelog for v1.5.2 2015-03-15 14:28:47 +01:00
Stefan c80a64a379 Update CHANGELOG.md 2015-01-24 19:24:20 +01:00
John McLear af7cd91a82 formatting 2015-01-24 15:14:19 +00:00
John McLear e41b3ae0a3 updated CL 2015-01-24 15:13:26 +00:00
John McLear 95af55992a changelog 2015-01-01 17:13:50 +00:00
John McLear 2530bf0a86 add changelog and bump v number 2014-09-06 17:25:09 +01:00
John McLear e23af7e439 changelog, package file and fix for redo 2014-03-26 15:44:04 +00:00
Marcel Klehr e8c69a5474 Update changelog and bump version 2013-10-21 20:18:16 +02:00
Marcel Klehr b9cc91e6ad Update CHANGELOG 2013-10-12 20:35:23 +02:00
Marcel Klehr 74bc2bd761 Prepare release 2013-10-12 14:16:06 +02:00
John McLear ba1a5da76d bump and changelog 2013-06-24 13:35:17 +01:00