Releases: pglombardo/PasswordPusher
Releases · pglombardo/PasswordPusher
v1.49.3: Dependency, Security Updates & Latest Language Strings
7728a72
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
- Preliminary: Set rel="no-prefetch" to block browser pre-fetch (#2854) @pglombardo
- fix database service names in docker-compose-xx.yml (#2821) @ggruening
🚀 Features
- Latest Language Strings (#2876) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump actionmailer from 7.2.2 to 7.2.2.1 (#2868) @dependabot
- ⬆️ Bump actionview from 7.2.2 to 7.2.2.1 (#2869) @dependabot
- ⬆️ Bump activesupport from 7.2.2 to 7.2.2.1 (#2870) @dependabot
- ⬆️ Bump activejob from 7.2.2 to 7.2.2.1 (#2872) @dependabot
- ⬆️ Bump activestorage from 7.2.2 to 7.2.2.1 (#2873) @dependabot
- ⬆️ Bump rails from 7.2.2 to 7.2.2.1 (#2867) @dependabot
- ⬆️ Bump aws-partitions from 1.1020.0 to 1.1021.0 (#2875) @dependabot
- ⬆️ Bump google-cloud-storage from 1.53.0 to 1.54.0 (#2874) @dependabot
- ⬆️ Bump standard from 1.42.1 to 1.43.0 (#2871) @dependabot
- ⬆️ Bump standard-performance from 1.5.0 to 1.6.0 (#2864) @dependabot
- ⬆️ Bump rubocop from 1.68.0 to 1.69.1 (#2859) @dependabot
- ⬆️ Bump nokogiri from 1.17.0 to 1.17.1 (#2858) @dependabot
- ⬆️ Bump aws-partitions from 1.1019.0 to 1.1020.0 (#2856) @dependabot
- ⬆️ Bump aws-partitions from 1.1018.0 to 1.1019.0 (#2852) @dependabot
- ⬆️ Bump sqlite3 from 2.4.0 to 2.4.1 (#2848) @dependabot
- ⬆️ Bump nokogiri from 1.16.8 to 1.17.0 (#2847) @dependabot
- ⬆️ Bump solid_queue from 1.0.2 to 1.1.0 (#2846) @dependabot
- ⬆️ Bump googleauth from 1.11.2 to 1.12.0 (#2845) @dependabot
- ⬆️ Bump aws-partitions from 1.1017.0 to 1.1018.0 (#2838) @dependabot
- ⬆️ Bump logger from 1.6.1 to 1.6.2 (#2826) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot], @ggruening and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.49.3..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo, dependabot, and ggruening
Assets 2
v1.49.2: Dependency & Security Updates
0084474
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
⬆️ Dependencies updates
- ⬆️ Bump google-cloud-storage from 1.52.0 to 1.53.0 (#2842) @dependabot
- ⬆️ Bump net-http-persistent from 4.0.4 to 4.0.5 (#2843) @dependabot
- ⬆️ Bump useragent from 0.16.10 to 0.16.11 (#2841) @dependabot
- ⬆️ Bump minitest from 5.25.3 to 5.25.4 (#2837) @dependabot
- ⬆️ Bump json from 2.8.2 to 2.9.0 (#2836) @dependabot
- ⬆️ Bump io-console from 0.7.2 to 0.8.0 (#2835) @dependabot
- ⬆️ Bump sqlite3 from 2.3.1 to 2.4.0 (#2831) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.175.0 to 1.176.0 (#2833) @dependabot
- ⬆️ Bump minitest from 5.25.2 to 5.25.3 (#2832) @dependabot
- ⬆️ Bump psych from 5.2.0 to 5.2.1 (#2829) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.174.0 to 1.175.0 (#2828) @dependabot
- ⬆️ Bump securerandom from 0.3.2 to 0.4.0 (#2827) @dependabot
- ⬆️ Bump date from 3.4.0 to 3.4.1 (#2824) @dependabot
- ⬆️ Bump aws-partitions from 1.1014.0 to 1.1015.0 (#2825) @dependabot
- ⬆️ Bump rails-html-sanitizer from 1.6.0 to 1.6.1 (#2823) @dependabot
- ⬆️ Bump regexp_parser from 2.9.2 to 2.9.3 (#2820) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.49.2..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo and dependabot
Assets 2
v1.49.1: Account Locking & Cookie Security
ef98d08
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
- Login: Lock accounts after 10 failed attempts (#2806) @pglombardo
- Passphrase: Increase cookie security (#2805) @pglombardo
🚀 Features
- Latest Language Strings (#2807) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump reline from 0.5.11 to 0.5.12 (#2818) @dependabot
- ⬆️ Bump aws-partitions from 1.1013.0 to 1.1014.0 (#2817) @dependabot
- ⬆️ Bump rubocop-ast from 1.36.1 to 1.36.2 (#2816) @dependabot
- ⬆️ Bump sqlite3 from 2.3.0 to 2.3.1 (#2812) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.173.0 to 1.174.0 (#2813) @dependabot
- ⬆️ Bump puma from 6.4.3 to 6.5.0 (#2809) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.172.0 to 1.173.0 (#2804) @dependabot
- ⬆️ Bump aws-partitions from 1.1011.0 to 1.1012.0 (#2803) @dependabot
- ⬆️ Bump minitest from 5.25.1 to 5.25.2 (#2802) @dependabot
- ⬆️ Bump sqlite3 from 2.2.0 to 2.3.0 (#2801) @dependabot
- ⬆️ Bump aws-partitions from 1.1010.0 to 1.1011.0 (#2800) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.49.1..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo and dependabot
Assets 2
v1.49.0: Trust Only Local Proxies Unless Overridden
97d28d3
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
This release fixes CVE-2024-52796 where an attacker could spoof the X-Forwarded-For header to bypass the rate limiter.
If you are using an external proxy that is not on the local network, see this documentation on how to authorize the IP of your remote proxy.
📝 What’s Changed
- Security: Only trust local proxies unless overidden (#2797) @pglombardo
- [Snyk] Upgrade esbuild from 0.23.1 to 0.24.0 (#2796) @pglombardo
🚀 Features
- Yarn package updates (#2782) @pglombardo
- Latest Language Strings (#2779) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump rdoc from 6.7.0 to 6.8.1 (#2795) @dependabot
- ⬆️ Bump aws-partitions from 1.1009.0 to 1.1010.0 (#2794) @dependabot
- ⬆️ Bump mutex_m from 0.2.0 to 0.3.0 (#2793) @dependabot
- ⬆️ Bump prime from 0.1.2 to 0.1.3 (#2792) @dependabot
- ⬆️ Bump standard from 1.42.0 to 1.42.1 (#2791) @dependabot
- ⬆️ Bump aws-sdk-kms from 1.95.0 to 1.96.0 (#2790) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.171.0 to 1.172.0 (#2789) @dependabot
- ⬆️ Bump kramdown from 2.4.0 to 2.5.1 (#2788) @dependabot
- ⬆️ Bump aws-partitions from 1.1007.0 to 1.1009.0 (#2786) @dependabot
- ⬆️ Bump pry from 0.14.2 to 0.15.0 (#2784) @dependabot
- ⬆️ Bump solid_queue from 1.0.1 to 1.0.2 (#2785) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.170.1 to 1.171.0 (#2775) @dependabot
- ⬆️ Bump mini_portile2 from 2.8.7 to 2.8.8 (#2776) @dependabot
- ⬆️ Bump json from 2.8.1 to 2.8.2 (#2774) @dependabot
- ⬆️ Bump aws-partitions from 1.1006.0 to 1.1007.0 (#2773) @dependabot
- ⬆️ Bump rackup from 2.2.0 to 2.2.1 (#2772) @dependabot
- ⬆️ Bump aws-partitions from 1.1005.0 to 1.1006.0 (#2771) @dependabot
- ⬆️ Bump rubocop-ast from 1.35.0 to 1.36.1 (#2770) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.49.0..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo and dependabot
Assets 2
v1.48.2: Language Strings, Dependency & Security Updates
d61378d
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
- Background Jobs: Fix environment variable check (#2768) @pglombardo
🚀 Features
- Latest Language Strings (#2767) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump standard from 1.41.1 to 1.42.0 (#2765) @dependabot
- ⬆️ Bump aws-partitions from 1.1004.0 to 1.1005.0 (#2764) @dependabot
- ⬆️ Bump debase from 0.2.6 to 0.2.7 (#2763) @dependabot
- ⬆️ Bump rubocop from 1.66.1 to 1.68.0 (#2762) @dependabot
- ⬆️ Bump aws-partitions from 1.1003.0 to 1.1004.0 (#2760) @dependabot
- ⬆️ Bump securerandom from 0.3.1 to 0.3.2 (#2759) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.170.0 to 1.170.1 (#2758) @dependabot
- ⬆️ Bump rubocop-ast from 1.34.1 to 1.35.0 (#2756) @dependabot
- ⬆️ Bump msgpack from 1.7.3 to 1.7.5 (#2757) @dependabot
- ⬆️ Bump solid_queue from 1.0.0 to 1.0.1 (#2754) @dependabot
- ⬆️ Bump aws-partitions from 1.1002.0 to 1.1003.0 (#2752) @dependabot
- ⬆️ Bump net-imap from 0.5.0 to 0.5.1 (#2750) @dependabot
- ⬆️ Bump mission_control-jobs from 0.4.0 to 0.5.0 (#2751) @dependabot
- ⬆️ Bump benchmark from 0.3.0 to 0.4.0 (#2749) @dependabot
- ⬆️ Bump singleton from 0.2.0 to 0.3.0 (#2748) @dependabot
- ⬆️ Bump ostruct from 0.6.0 to 0.6.1 (#2746) @dependabot
- ⬆️ Bump psych from 5.1.2 to 5.2.0 (#2747) @dependabot
- ⬆️ Bump aws-partitions from 1.1001.0 to 1.1002.0 (#2745) @dependabot
- ⬆️ Bump stringio from 3.1.1 to 3.1.2 (#2744) @dependabot
- ⬆️ Bump rubocop-ast from 1.34.0 to 1.34.1 (#2743) @dependabot
- ⬆️ Bump timeout from 0.4.1 to 0.4.2 (#2740) @dependabot
- ⬆️ Bump mission_control-jobs from 0.3.3 to 0.4.0 (#2741) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.169.0 to 1.170.0 (#2739) @dependabot
- ⬆️ Bump json from 2.7.6 to 2.8.1 (#2738) @dependabot
- ⬆️ Bump aws-sdk-core from 3.211.0 to 3.212.0 (#2737) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.48.2..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo and dependabot
Assets 2
v1.48.1: Security Update
b2b057c
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
This release fixes CVE-2024-51989 (a potential XSS vulnerability) that was introduced in v1.41.1.
All users that are self-hosting and using the login system, please update to this version to best mitigate risk. Details, description and more available in the Github Security Advisory.
Thanks to @igniter07 for reporting!
📝 What’s Changed
- Sanitize Confirmation Parameter (#2736) @pglombardo
- Allow Anonymous=false: Fix after sign up redirect path (#2735) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump parser from 3.3.5.1 to 3.3.6.0 (#2734) @dependabot
- ⬆️ Bump json from 2.7.5 to 2.7.6 (#2733) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.48.1..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo, dependabot, and igniter07
Assets 2
v1.48.0: Login Security Improvements
7ceab94
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
This release improves the overall security of logins in Password Pusher. Details below.
With this release, all pre-existing login sessions will end and users will have to log in again.
The improvements are:
- "Remember me" now only remembers for 1 week
- Login password length increased to 10 to 128 characters (previously 6 to 128) (preexisting login passwords unaffected)
- Login sessions now expire after 2 hours of inactivity
- Cookie serialization is now done via JSON to fix https://github.com/pglombardo/PasswordPusher/security/code-scanning/1
Being a security product dealing with sensitive information, these changes are appropriate.
📝 What’s Changed
- Improved Login Security (#2731) @pglombardo
- Security: Use json for cookie serialization (#2720) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.33.0 to 1.34.0 (#2730) @dependabot
- ⬆️ Bump date from 3.3.4 to 3.4.0 (#2729) @dependabot
- ⬆️ Bump aws-partitions from 1.1000.0 to 1.1001.0 (#2728) @dependabot
- ⬆️ Bump rackup from 2.1.0 to 2.2.0 (#2725) @dependabot
- ⬆️ Bump debase from 0.2.5.beta2 to 0.2.6 (#2724) @dependabot
- ⬆️ Bump oj from 3.16.6 to 3.16.7 (#2722) @dependabot
- ⬆️ Bump google-apis-iamcredentials_v1 from 0.21.0 to 0.22.0 (#2723) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.5..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo and dependabot
Assets 2
v1.47.4: Framework, Dependency & Security Updates
d4dec75
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.32.3 to 1.33.0 (#2698) @dependabot
- ⬆️ Bump aws-partitions from 1.999.0 to 1.1000.0 (#2716) @dependabot
- ⬆️ Bump parser from 3.3.5.0 to 3.3.5.1 (#2718) @dependabot
- ⬆️ Bump overcommit from 0.64.0 to 0.64.1 (#2717) @dependabot
- ⬆️ Bump actionview from 7.2.1.2 to 7.2.2 (#2715) @dependabot
- ⬆️ Bump actioncable from 7.2.1.2 to 7.2.2 (#2714) @dependabot
- ⬆️ Bump activestorage from 7.2.1.2 to 7.2.2 (#2713) @dependabot
- ⬆️ Bump actiontext from 7.2.1.2 to 7.2.2 (#2712) @dependabot
- ⬆️ Bump activemodel from 7.2.1.2 to 7.2.2 (#2711) @dependabot
- ⬆️ Bump actionmailer from 7.2.1.2 to 7.2.2 (#2710) @dependabot
- ⬆️ Bump sqlite3 from 2.1.1 to 2.2.0 (#2705) @dependabot
- ⬆️ Bump actionpack from 7.2.1.2 to 7.2.2 (#2709) @dependabot
- ⬆️ Bump activesupport from 7.2.1.2 to 7.2.2 (#2707) @dependabot
- ⬆️ Bump aws-partitions from 1.998.0 to 1.999.0 (#2704) @dependabot
- ⬆️ Bump json from 2.7.4 to 2.7.5 (#2703) @dependabot
- ⬆️ Bump activerecord from 7.2.1.2 to 7.2.2 (#2700) @dependabot
- ⬆️ Bump aws-partitions from 1.997.0 to 1.998.0 (#2697) @dependabot
- ⬆️ Bump nio4r from 2.7.3 to 2.7.4 (#2696) @dependabot
- ⬆️ Bump rails-i18n from 7.0.9 to 7.0.10 (#2695) @dependabot
- ⬆️ Bump aws-partitions from 1.996.0 to 1.997.0 (#2694) @dependabot
- ⬆️ Bump aws-partitions from 1.995.0 to 1.996.0 (#2690) @dependabot
- ⬆️ Bump loofah from 2.23.0 to 2.23.1 (#2691) @dependabot
- ⬆️ Bump json from 2.7.3 to 2.7.4 (#2689) @dependabot
- ⬆️ Bump rubocop-rails from 2.26.2 to 2.27.0 (#2688) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.4..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo and dependabot
Assets 2
v1.47.3: Throttling Fix & Brute Force Protections
e4e0bcf
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
This PR fixes a bug with throttling where if throttling values in settings.yml were commented out, it could cause a stack traces. Now, commenting out throttling values will disable throttling entirely.
Additionally, protections are now in place to rate limit login attempts to make brute force attacks more difficult.
- Throttling fix & Add protection against login brute forcing (#2685) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.994.0 to 1.995.0 (#2683) @dependabot
- ⬆️ Bump pg from 1.5.8 to 1.5.9 (#2682) @dependabot
- ⬆️ Bump loofah from 2.22.0 to 2.23.0 (#2681) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.3..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo and dependabot
Assets 2
v1.47.2: New Admin Menu Item, Dependency & Security Updates
2a99e73
This commit was signed with the committer’s verified signature.
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
🚀 Features
- Framework Update in 9b9f4e6
- Admin: Add admin dashboard to account menu (#2661) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.993.0 to 1.994.0 (#2676) @dependabot
- ⬆️ Bump googleauth from 1.11.1 to 1.11.2 (#2677) @dependabot
- ⬆️ Bump execjs from 2.9.1 to 2.10.0 (#2668) @dependabot
- ⬆️ Bump sqlite3 from 2.1.0 to 2.1.1 (#2663) @dependabot
- ⬆️ Bump aws-partitions from 1.992.0 to 1.993.0 (#2662) @dependabot
- ⬆️ Bump aws-sdk-core from 3.210.0 to 3.211.0 (#2660) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.168.0 to 1.169.0 (#2653) @dependabot
- ⬆️ Bump aws-sdk-kms from 1.94.0 to 1.95.0 (#2655) @dependabot
- ⬆️ Bump brakeman from 6.2.1 to 6.2.2 (#2657) @dependabot
- ⬆️ Bump zeitwerk from 2.7.0 to 2.7.1 (#2654) @dependabot
- ⬆️ Bump aws-partitions from 1.991.0 to 1.992.0 (#2652) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.2..and go to http://localhost:5100
🔗 Useful Links
Contributors
pglombardo and dependabot