Skip to content

Releases: pglombardo/PasswordPusher

v1.49.0: Trust Only Local Proxies Unless Overridden

20 Nov 15:10
97d28d3
Compare
Choose a tag to compare

This release fixes CVE-2024-52796 where an attacker could spoof the X-Forwarded-For header to bypass the rate limiter.

If you are using an external proxy that is not on the local network, see this documentation on how to authorize the IP of your remote proxy.

📝 What’s Changed

🚀 Features

⬆️ Dependencies updates

👥 List of contributors

@dependabot, @dependabot[bot] and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.49.0

..and go to http://localhost:5100

🔗 Useful Links

v1.48.2: Language Strings, Dependency & Security Updates

13 Nov 23:00
d61378d
Compare
Choose a tag to compare

📝 What’s Changed

🚀 Features

⬆️ Dependencies updates

👥 List of contributors

@dependabot, @dependabot[bot] and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.48.2

..and go to http://localhost:5100

🔗 Useful Links

v1.48.1: Security Update

06 Nov 21:37
b2b057c
Compare
Choose a tag to compare

This release fixes CVE-2024-51989 (a potential XSS vulnerability) that was introduced in v1.41.1.

All users that are self-hosting and using the login system, please update to this version to best mitigate risk. Details, description and more available in the Github Security Advisory.

Thanks to @igniter07 for reporting!

📝 What’s Changed

⬆️ Dependencies updates

👥 List of contributors

@dependabot, @dependabot[bot] and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.48.1

..and go to http://localhost:5100

🔗 Useful Links

v1.48.0: Login Security Improvements

04 Nov 19:13
7ceab94
Compare
Choose a tag to compare

This release improves the overall security of logins in Password Pusher. Details below.

With this release, all pre-existing login sessions will end and users will have to log in again.

The improvements are:

  1. "Remember me" now only remembers for 1 week
  2. Login password length increased to 10 to 128 characters (previously 6 to 128) (preexisting login passwords unaffected)
  3. Login sessions now expire after 2 hours of inactivity
  4. Cookie serialization is now done via JSON to fix https://github.com/pglombardo/PasswordPusher/security/code-scanning/1

Being a security product dealing with sensitive information, these changes are appropriate.

📝 What’s Changed

⬆️ Dependencies updates

👥 List of contributors

@dependabot, @dependabot[bot] and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.47.5

..and go to http://localhost:5100

🔗 Useful Links

v1.47.4: Framework, Dependency & Security Updates

01 Nov 15:38
d4dec75
Compare
Choose a tag to compare

📝 What’s Changed

⬆️ Dependencies updates

👥 List of contributors

@dependabot, @dependabot[bot] and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.47.4

..and go to http://localhost:5100

🔗 Useful Links

v1.47.3: Throttling Fix & Brute Force Protections

25 Oct 13:02
e4e0bcf
Compare
Choose a tag to compare

📝 What’s Changed

This PR fixes a bug with throttling where if throttling values in settings.yml were commented out, it could cause a stack traces. Now, commenting out throttling values will disable throttling entirely.

Additionally, protections are now in place to rate limit login attempts to make brute force attacks more difficult.

  • Throttling fix & Add protection against login brute forcing (#2685) @pglombardo

⬆️ Dependencies updates

👥 List of contributors

@dependabot, @dependabot[bot] and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.47.3

..and go to http://localhost:5100

🔗 Useful Links

v1.47.2: New Admin Menu Item, Dependency & Security Updates

24 Oct 09:34
2a99e73
Compare
Choose a tag to compare

📝 What’s Changed

🚀 Features

⬆️ Dependencies updates

👥 List of contributors

@dependabot, @dependabot[bot] and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.47.2

..and go to http://localhost:5100

🔗 Useful Links

v1.47.1: Disable Secret URL Prefetch & Increased Security Logins

20 Oct 19:33
2513a0f
Compare
Choose a tag to compare

This release improves the security of logins. Details in #2651.

Thanks the security firm who pointed out these potential issues.

If I get permission, I'll post their details once all the fixes out. (There are more on the way)

📝 What’s Changed

🚀 Features

👥 List of contributors

@pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.47.1

..and go to http://localhost:5100

🔗 Useful Links

v1.47.0: New Background Worker Dashboard (Admin)

20 Oct 11:28
2504e53
Compare
Choose a tag to compare

📝 What’s Changed

This release bundles a new dashboard for background job monitoring for those running the pglombardo/pwpush-worker container. (Still in Beta).

Available from /admin and directly at /admin/jobs

Screenshot 2024-10-16 at 15 58 04

🚀 Features

⬆️ Dependencies updates

👥 List of contributors

@dependabot, @dependabot[bot] and @pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.46.4

..and go to http://localhost:5100

🔗 Useful Links

v1.46.3: Framework Security Patch

16 Oct 14:56
e0efeeb
Compare
Choose a tag to compare

📝 What’s Changed

👥 List of contributors

@pglombardo

🛥️ Docker Images

Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush

🏃‍♂️ Run This Version

docker run -d -p 5100:5100 pglombardo/pwpush:1.46.3

..and go to http://localhost:5100

🔗 Useful Links