Releases: pglombardo/PasswordPusher
v1.49.0: Trust Only Local Proxies Unless Overridden
This release fixes CVE-2024-52796, where an attacker could spoof the X-Forwarded-For header to bypass the rate limiter.
If you are using an external proxy that is not on the local network, see this documentation on how to authorize the IP of your remote proxy.
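The trusted-proxy rule behind this fix, as an added illustration in Ruby that is not PasswordPusher's own code: a request's X-Forwarded-For value is only believed when the connecting peer is a trusted proxy, and the rate-limit key becomes the rightmost hop that is not itself a trusted proxy. The `ClientIp` module, its default local ranges and the sample addresses are constructed here; a remote proxy is authorized by passing its address in `trusted:`.

```ruby
require "ipaddr"

# Constructed example (not PasswordPusher's code): derive the client address a
# rate limiter should key on, believing forwarded headers only behind trusted proxies.
module ClientIp
  # Default trust set: loopback plus RFC 1918 / ULA ranges, i.e. "local proxies".
  LOCAL_PROXIES = %w[127.0.0.0/8 ::1/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7]
    .map { |cidr| IPAddr.new(cidr) }.freeze

  def self.valid?(ip)
    IPAddr.new(ip)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  def self.trusted?(ip, trusted)
    addr = IPAddr.new(ip)
    trusted.any? { |net| net.include?(addr) }
  rescue IPAddr::InvalidAddressError
    false
  end

  # remote_addr: the TCP peer that actually connected to the application.
  # xff:         the raw X-Forwarded-For header (may be nil or attacker-supplied).
  # trusted:     proxy networks whose headers are believed; extend this with the
  #              address of a remote proxy that is not on the local network.
  def self.resolve(remote_addr, xff, trusted: LOCAL_PROXIES)
    # A peer that is not a trusted proxy cannot vouch for X-Forwarded-For:
    # the header is ignored and the peer itself is the rate-limit key.
    return remote_addr unless trusted?(remote_addr, trusted)

    hops = xff.to_s.split(",").map(&:strip).reject(&:empty?)
    # Walk from the nearest hop (rightmost) leftwards, skipping trusted proxies.
    # The first untrusted hop is the client; anything left of it is unverified
    # and may have been injected by the client, so it is never used.
    hops.reverse_each do |hop|
      next if trusted?(hop, trusted)
      return valid?(hop) ? hop : remote_addr
    end
    remote_addr
  end
end
```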
📝 What’s Changed
- Security: Only trust local proxies unless overridden (#2797) @pglombardo
- [Snyk] Upgrade esbuild from 0.23.1 to 0.24.0 (#2796) @pglombardo
🚀 Features
- Yarn package updates (#2782) @pglombardo
- Latest Language Strings (#2779) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump rdoc from 6.7.0 to 6.8.1 (#2795) @dependabot
- ⬆️ Bump aws-partitions from 1.1009.0 to 1.1010.0 (#2794) @dependabot
- ⬆️ Bump mutex_m from 0.2.0 to 0.3.0 (#2793) @dependabot
- ⬆️ Bump prime from 0.1.2 to 0.1.3 (#2792) @dependabot
- ⬆️ Bump standard from 1.42.0 to 1.42.1 (#2791) @dependabot
- ⬆️ Bump aws-sdk-kms from 1.95.0 to 1.96.0 (#2790) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.171.0 to 1.172.0 (#2789) @dependabot
- ⬆️ Bump kramdown from 2.4.0 to 2.5.1 (#2788) @dependabot
- ⬆️ Bump aws-partitions from 1.1007.0 to 1.1009.0 (#2786) @dependabot
- ⬆️ Bump pry from 0.14.2 to 0.15.0 (#2784) @dependabot
- ⬆️ Bump solid_queue from 1.0.1 to 1.0.2 (#2785) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.170.1 to 1.171.0 (#2775) @dependabot
- ⬆️ Bump mini_portile2 from 2.8.7 to 2.8.8 (#2776) @dependabot
- ⬆️ Bump json from 2.8.1 to 2.8.2 (#2774) @dependabot
- ⬆️ Bump aws-partitions from 1.1006.0 to 1.1007.0 (#2773) @dependabot
- ⬆️ Bump rackup from 2.2.0 to 2.2.1 (#2772) @dependabot
- ⬆️ Bump aws-partitions from 1.1005.0 to 1.1006.0 (#2771) @dependabot
- ⬆️ Bump rubocop-ast from 1.35.0 to 1.36.1 (#2770) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.49.0
..and go to http://localhost:5100
v1.48.2: Language Strings, Dependency & Security Updates
📝 What’s Changed
- Background Jobs: Fix environment variable check (#2768) @pglombardo
🚀 Features
- Latest Language Strings (#2767) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump standard from 1.41.1 to 1.42.0 (#2765) @dependabot
- ⬆️ Bump aws-partitions from 1.1004.0 to 1.1005.0 (#2764) @dependabot
- ⬆️ Bump debase from 0.2.6 to 0.2.7 (#2763) @dependabot
- ⬆️ Bump rubocop from 1.66.1 to 1.68.0 (#2762) @dependabot
- ⬆️ Bump aws-partitions from 1.1003.0 to 1.1004.0 (#2760) @dependabot
- ⬆️ Bump securerandom from 0.3.1 to 0.3.2 (#2759) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.170.0 to 1.170.1 (#2758) @dependabot
- ⬆️ Bump rubocop-ast from 1.34.1 to 1.35.0 (#2756) @dependabot
- ⬆️ Bump msgpack from 1.7.3 to 1.7.5 (#2757) @dependabot
- ⬆️ Bump solid_queue from 1.0.0 to 1.0.1 (#2754) @dependabot
- ⬆️ Bump aws-partitions from 1.1002.0 to 1.1003.0 (#2752) @dependabot
- ⬆️ Bump net-imap from 0.5.0 to 0.5.1 (#2750) @dependabot
- ⬆️ Bump mission_control-jobs from 0.4.0 to 0.5.0 (#2751) @dependabot
- ⬆️ Bump benchmark from 0.3.0 to 0.4.0 (#2749) @dependabot
- ⬆️ Bump singleton from 0.2.0 to 0.3.0 (#2748) @dependabot
- ⬆️ Bump ostruct from 0.6.0 to 0.6.1 (#2746) @dependabot
- ⬆️ Bump psych from 5.1.2 to 5.2.0 (#2747) @dependabot
- ⬆️ Bump aws-partitions from 1.1001.0 to 1.1002.0 (#2745) @dependabot
- ⬆️ Bump stringio from 3.1.1 to 3.1.2 (#2744) @dependabot
- ⬆️ Bump rubocop-ast from 1.34.0 to 1.34.1 (#2743) @dependabot
- ⬆️ Bump timeout from 0.4.1 to 0.4.2 (#2740) @dependabot
- ⬆️ Bump mission_control-jobs from 0.3.3 to 0.4.0 (#2741) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.169.0 to 1.170.0 (#2739) @dependabot
- ⬆️ Bump json from 2.7.6 to 2.8.1 (#2738) @dependabot
- ⬆️ Bump aws-sdk-core from 3.211.0 to 3.212.0 (#2737) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.48.2
..and go to http://localhost:5100
v1.48.1: Security Update
This release fixes CVE-2024-51989 (a potential XSS vulnerability) that was introduced in v1.41.1.
All users who are self-hosting and using the login system should update to this version to best mitigate risk. Details, description and more are available in the GitHub Security Advisory.
Thanks to @igniter07 for reporting!
📝 What’s Changed
- Sanitize Confirmation Parameter (#2736) @pglombardo
- Allow Anonymous=false: Fix after sign up redirect path (#2735) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump parser from 3.3.5.1 to 3.3.6.0 (#2734) @dependabot
- ⬆️ Bump json from 2.7.5 to 2.7.6 (#2733) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.48.1
..and go to http://localhost:5100
v1.48.0: Login Security Improvements
This release improves the overall security of logins in Password Pusher. Details below.
With this release, all pre-existing login sessions will end and users will have to log in again.
The improvements are:
- "Remember me" now only remembers for 1 week
- Login password length increased to 10 to 128 characters (previously 6 to 128) (preexisting login passwords unaffected)
- Login sessions now expire after 2 hours of inactivity
- Cookie serialization is now done via JSON to fix https://github.com/pglombardo/PasswordPusher/security/code-scanning/1
Since this is a security product dealing with sensitive information, these changes are appropriate.
📝 What’s Changed
- Improved Login Security (#2731) @pglombardo
- Security: Use json for cookie serialization (#2720) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.33.0 to 1.34.0 (#2730) @dependabot
- ⬆️ Bump date from 3.3.4 to 3.4.0 (#2729) @dependabot
- ⬆️ Bump aws-partitions from 1.1000.0 to 1.1001.0 (#2728) @dependabot
- ⬆️ Bump rackup from 2.1.0 to 2.2.0 (#2725) @dependabot
- ⬆️ Bump debase from 0.2.5.beta2 to 0.2.6 (#2724) @dependabot
- ⬆️ Bump oj from 3.16.6 to 3.16.7 (#2722) @dependabot
- ⬆️ Bump google-apis-iamcredentials_v1 from 0.21.0 to 0.22.0 (#2723) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.5
..and go to http://localhost:5100
v1.47.4: Framework, Dependency & Security Updates
📝 What’s Changed
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.32.3 to 1.33.0 (#2698) @dependabot
- ⬆️ Bump aws-partitions from 1.999.0 to 1.1000.0 (#2716) @dependabot
- ⬆️ Bump parser from 3.3.5.0 to 3.3.5.1 (#2718) @dependabot
- ⬆️ Bump overcommit from 0.64.0 to 0.64.1 (#2717) @dependabot
- ⬆️ Bump actionview from 7.2.1.2 to 7.2.2 (#2715) @dependabot
- ⬆️ Bump actioncable from 7.2.1.2 to 7.2.2 (#2714) @dependabot
- ⬆️ Bump activestorage from 7.2.1.2 to 7.2.2 (#2713) @dependabot
- ⬆️ Bump actiontext from 7.2.1.2 to 7.2.2 (#2712) @dependabot
- ⬆️ Bump activemodel from 7.2.1.2 to 7.2.2 (#2711) @dependabot
- ⬆️ Bump actionmailer from 7.2.1.2 to 7.2.2 (#2710) @dependabot
- ⬆️ Bump sqlite3 from 2.1.1 to 2.2.0 (#2705) @dependabot
- ⬆️ Bump actionpack from 7.2.1.2 to 7.2.2 (#2709) @dependabot
- ⬆️ Bump activesupport from 7.2.1.2 to 7.2.2 (#2707) @dependabot
- ⬆️ Bump aws-partitions from 1.998.0 to 1.999.0 (#2704) @dependabot
- ⬆️ Bump json from 2.7.4 to 2.7.5 (#2703) @dependabot
- ⬆️ Bump activerecord from 7.2.1.2 to 7.2.2 (#2700) @dependabot
- ⬆️ Bump aws-partitions from 1.997.0 to 1.998.0 (#2697) @dependabot
- ⬆️ Bump nio4r from 2.7.3 to 2.7.4 (#2696) @dependabot
- ⬆️ Bump rails-i18n from 7.0.9 to 7.0.10 (#2695) @dependabot
- ⬆️ Bump aws-partitions from 1.996.0 to 1.997.0 (#2694) @dependabot
- ⬆️ Bump aws-partitions from 1.995.0 to 1.996.0 (#2690) @dependabot
- ⬆️ Bump loofah from 2.23.0 to 2.23.1 (#2691) @dependabot
- ⬆️ Bump json from 2.7.3 to 2.7.4 (#2689) @dependabot
- ⬆️ Bump rubocop-rails from 2.26.2 to 2.27.0 (#2688) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.4
..and go to http://localhost:5100
v1.47.3: Throttling Fix & Brute Force Protections
📝 What’s Changed
This release fixes a bug with throttling where, if the throttling values in settings.yml were commented out, stack traces could result. Now, commenting out the throttling values disables throttling entirely.
Additionally, protections are now in place to rate limit login attempts, making brute force attacks more difficult.
- Throttling fix & Add protection against login brute forcing (#2685) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.994.0 to 1.995.0 (#2683) @dependabot
- ⬆️ Bump pg from 1.5.8 to 1.5.9 (#2682) @dependabot
- ⬆️ Bump loofah from 2.22.0 to 2.23.0 (#2681) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.3
..and go to http://localhost:5100
v1.47.2: New Admin Menu Item, Dependency & Security Updates
📝 What’s Changed
🚀 Features
- Framework Update in 9b9f4e6
- Admin: Add admin dashboard to account menu (#2661) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.993.0 to 1.994.0 (#2676) @dependabot
- ⬆️ Bump googleauth from 1.11.1 to 1.11.2 (#2677) @dependabot
- ⬆️ Bump execjs from 2.9.1 to 2.10.0 (#2668) @dependabot
- ⬆️ Bump sqlite3 from 2.1.0 to 2.1.1 (#2663) @dependabot
- ⬆️ Bump aws-partitions from 1.992.0 to 1.993.0 (#2662) @dependabot
- ⬆️ Bump aws-sdk-core from 3.210.0 to 3.211.0 (#2660) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.168.0 to 1.169.0 (#2653) @dependabot
- ⬆️ Bump aws-sdk-kms from 1.94.0 to 1.95.0 (#2655) @dependabot
- ⬆️ Bump brakeman from 6.2.1 to 6.2.2 (#2657) @dependabot
- ⬆️ Bump zeitwerk from 2.7.0 to 2.7.1 (#2654) @dependabot
- ⬆️ Bump aws-partitions from 1.991.0 to 1.992.0 (#2652) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.2
..and go to http://localhost:5100
v1.47.1: Disable Secret URL Prefetch & Increased Security Logins
This release improves the security of logins. Details in #2651.
Thanks to the security firm who pointed out these potential issues.
If I get permission, I'll post their details once all the fixes are out. (There are more on the way.)
📝 What’s Changed
- Disable prefetch on secret URLs (#2650) @pglombardo
🚀 Features
- Enable increased login security (#2651) @pglombardo
👥 List of contributors
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.1
..and go to http://localhost:5100
v1.47.0: New Background Worker Dashboard (Admin)
📝 What’s Changed
This release bundles a new dashboard for background job monitoring for those running the pglombardo/pwpush-worker container. (Still in Beta.)
Available from /admin and directly at /admin/jobs.
- New Background worker Dashboard (Admin) (#2638) @pglombardo
- Add missing translation keys (#2649) @pglombardo
🚀 Features
- Latest Language Strings (#2648) @pglombardo
- Remove the Feedback Form (#2640) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump standard from 1.41.0 to 1.41.1 (#2645) @dependabot
- ⬆️ Bump erb_lint from 0.6.0 to 0.7.0 (#2641) @dependabot
- ⬆️ Bump net-imap from 0.4.17 to 0.5.0 (#2643) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.167.0 to 1.168.0 (#2642) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.4
..and go to http://localhost:5100
v1.46.3: Framework Security Patch
📝 What’s Changed
- Framework Security Patch (#2639) @pglombardo
👥 List of contributors
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.3
..and go to http://localhost:5100