Releases: passbolt/passbolt_api
Glue
Song: https://open.spotify.com/track/2aJDlirz6v2a4HREki98cP?si=51e34d30904b4459
The passbolt team is excited to share the latest improvements in release 3.10. With the help of our contributors and the community's input, passbolt is proud to present the release of self-registration.
Users can now self-register if their email domain matches the administrator-defined policy. This will make the registration process more efficient and smoother, especially with larger teams.
Thanks to everyone who contributed to this release, we look forward to continuing to enhance passbolt with your support.
[3.10.0] - 2023-02-14
Added
- PB-19784 As a user I can self register if my email domain matches the policy defined by the administrators
Improved
- PB-21485 As a server administrator I want to configure the list of active proxies the instance is behind in order to get client IP when necessary
- PB-21682 As an administrator I want to configure the client option of the SMTP settings
- PB-22019 As a server administrator I want to configure TOTP MFA secret length
Maintenance
- PB-22327 env variable PASSBOLT_PLUGINS_SMTP_SETTINGS renamed to PASSBOLT_PLUGINS_SMTP_SETTINGS_ENABLED (backward compatible)
- PB-22406 curl and openssl extensions requirements added
- PB-22413 bump CakePHP to ^4.3.11
Bunny
Song: https://youtu.be/U_i895w7CfM
The team at passbolt is thrilled to announce the release of v3.9 for immediate availability!
Passbolt CE v3.9 ships with Multi Factor Authentication (MFA) for all community edition users! Users can now set up MFA using various methods, including Duo, TOTP (Google Authenticator, Authy), and YubiKey (with Yubico Cloud).
Additionally, v3.9 also includes support for PHP 8.2.
The team is glad to make MFA, a former passbolt Pro feature, more widely available, as it’s been a highly requested feature within our community (even though one could argue that the existing authentication protocol already combined 2 factors of authentication: the private key and the master passphrase). The goal at passbolt is to provide the best security possible first while constantly improving user experience. It wouldn’t be possible without the incredible community that surrounds passbolt. Thank you to everyone who contributed ideas, reported bugs, and provided input.
Big things are on their way! Keep an eye out for how passbolt continues to grow and evolve in the coming months with additional pro edition features becoming available in the CE such as folders! To show your support please write a review on the app / extension webstore (chrome, firefox, edge, ios, android).
[3.9.0] - 2023-01-19
Added
- PB-20539 As a user I can protect the authentication to passbolt with a second factor method
Fixed
- PB-19601 As an admin running the healthcheck I should not see an unmanaged error if DB connection fails
- PB-21497 GITHUB-437 As an administrator I should see default user avatar in the email I receive when a user completes the setup
- PB-21501 GITHUB-411 As an administrator I should see the correct path relative to config tips in the health check report
- PB-21756 As an anonymous user switching MFA provider I should be redirected to the original target
Improved
- PB-19653 Rename Google authenticator into Totp authenticator
- PB-19807 As an administrator I want to know if email hostname availability is enabled in the health check report
- PB-20985 As an administrator I shouldn't be able to send a test email in command line without defining the recipient
- PB-21502 As an administrator I want to know if I run a passbolt command without using the webserver user
- PB-21635 As an administrator I want the cron events to be logged
- PB-21751 As anonymous user I don't want to see the TOTP field auto-completed when I verify my second factor authentication
- PB-19715 As an administrator I want to lock the SMTP settings entry points
Maintenance
- PB-19212 Improve PHPUNIT performances
- PB-19541 Add composer audit job on development pipelines
- PB-19594 Avoid duplicated pipelines
- PB-19583 Remove deprecated usage of dummy auth token generation in tests
- PB-19594 Improve phpunit pipelines environment matrix
- PB-19706 Refactor favorites add controller into service
- PB-19707 Refactor favorites delete controller into service
- PB-20512 Ease debug by attaching original exception to InternalErrorException when missing
- PB-20541 Replace usage of Cake core Exception with CakeException when not done yet
- PB-21361 Remove deprecated usage of authenticateAs in tests
- PB-21658 Add support to PHP 8.2
Up Down Jumper
Song: https://youtu.be/BNe7OrleTlg
This release is a small API-only maintenance release fixing issues reported by the community relating to the recently introduced SMTP settings feature. It also adds additional information to try to improve the debug process when dealing with GnuPG integration issues.
A big thank you to the community members who are reporting issues and helping us investigate them.
[3.8.3] - 2022-12-01
Fixed
- PB-21631 Ensure the OpenPGP server key is in the keyring prior to sending any emails
Nana
Song: https://youtu.be/SEJz7PthmAw
This release is a small maintenance release fixing issues reported by the community relative to the just introduced SMTP settings feature. This version should support more authentication use cases and be more flexible while editing an existing configuration.
Thanks to the community members who reported issues and helped us fix them.
[3.8.1] - 2022-11-17
Fixed
- PB-21478 As an administrator, I should be able to edit SMTP settings having a sender email not being a valid email
- PB-21438 As an administrator using docker, I should be able to access the SMTP settings of my organization
- PB-21486 As an administrator, I can define the SMTP authentication method via the SMTP admin workspace
- PB-21481 As an administrator, I want emails to be sent with the sender settings defined in database, if defined in the database
Syria
Song: https://youtu.be/37JidTgav2g
The team is pleased to announce the v3.8 immediate availability.
This release ships with two new themes, light and dark Solarized themes. Along with the redesign that occurred earlier this year, these themes served as a foundation to propose additional look and feel, but also welcome your contributions. If you wish to build a new theme, check out the blog article: How to create a custom passbolt theme with the UI Kit.
In a continuous effort to make passbolt more customizable, administrators will be pleased to find a new administration settings screen that will allow them to update the SMTP settings of their organization. More administration screens are in the works and will be released very soon. Spoiler alert, Multi Factor Authentication is on its way to be released in the community edition.
We wish to thank all the community members for:
- The help with the internationalization;
- The bug reports and the pull requests on GitHub;
- The help provided to other members on the community forum.
[3.8.0] - 2022-11-09
Added
- PB-19192: As an administrator, I want to manage SMTP settings in the administration workspace
- PB-19151: As a user, I want to use passbolt with the Solarized light theme
- PB-19151: As a user, I want to use passbolt with the Solarized dark theme
Improved
- PB-16948: As group manager, I should be able to add users to groups without getting timeout errors
- PB-19035: TOTP is now deactivated by default and should be activated by an administrator
- PB-19200: GpgAuthenticator now asserts the message is a valid OpenPGP message prior to decryption on stage 0
Fixed
- PB-19312: As a logged-in user, I want to see my first name and last name correctly displayed in email headers
- PB-18718: As a logged-in user, I want my locale not to be overwritten by the server config on pages served by the server
- PB-19261: As a logged-in user, I should not get an internal error if no filter is passed to the get resource.json entry point
- PB-19035: As a logged-in user, I should not get a not found error on MFA authentication if an administrator deactivated MFA
- PB-18515: As a user, I want to see User Agent and IP in account recovery emails
Security
- PB-19204: Sanitize MFA redirection by forbidding redirection to external URI
- PB-19090: Protect forms from spell-jacking attack
Maintenance
- PB-19235: Migrate comments controllers logic into services
- PB-19603: Cover additional “add user to group” case: As group manager I can add a user to a group which has no resources shared with it
- PB-6081: Move enterprise plugins into plugins/PassboltEe
- PB-6081: Move community plugins into plugins/PassboltCe
- PB-19621: Stop changing folders permissions in installation tests
- PB-19255 As an administrator I can trigger 500 errors on demand to test my logs
Breathing
Song: https://youtu.be/xF5PzY4b3eQ
This release is a security release fixing a spell-jacking security flaw discovered by otto-js.
You can learn more about this flaw on the dedicated security incident page.
[3.7.3] - 2022-09-27
Security
- PB-19090 Protect forms from spell-jacking attack
Knight Of The Jaguar
Song: https://youtu.be/ZcC3vVh3cOE
This is a small maintenance release which ships with a bug fix reported by the community and a few changes that aim to improve the continuous integration pipelines.
[3.7.2] - 2022-09-21
Fixed
- PB-18380 Let passbolt-configure script setup certbot for RHEL9 support
- PB-16983 Handles the lack of permissions on image directory when deleting
- PB-16898 Redesign download a supported browser to get started
Improved
- PB-18650 Add a check on mysql status in order to run mysql commands only when it's ready in unit tests
- PB-18664 Add retry logic to Gitlab CI jobs
Last day
Song: https://youtu.be/Gm4ElZUzLOo
[3.7.1] - 2022-08-10
- PB-18381 Fix source language typos
- PB-18397 Fix as an admin I can generate a server key with the webinstaller within an instance over http
- PB-17096 Fix resource_types name and slug postgresql compatibility
- PB-18372 Bump styleguide version to 3.7.1
New Morning
Song: https://youtu.be/FvR9HAKNdic
The team is pleased to announce the v3.6 immediate availability which, as you may already have seen, includes a design refresh of the application.
On top of that, this release ships with some more improvements and fixes.
- Performance boost on the client cryptographic operations;
- Additional key validations on setup for better error reporting;
- Experimental support for ECC keys.
- More performance fixes.
We wish to thank the contributors who participated:
- Alpha testers who helped us test the pre-release;
- All the community members who helped with the internationalization;
Next up? We’ll go through a maintenance cycle where we’ll be fixing issues reported in terms of performance (e.g. adding users to a group), as well as preparing for the migration to Manifest v3, and support for PHP 8.1.
[3.6.0] - 2022-05-26
Added
- PB-15026 As a user I should see the new design on the administration workspace
- PB-14675 As a user I should see the new design on the authentication screens
- PB-9739 As AN performing a setup, I can import ECC keys [experimental]
Improved
- PB-9739 OpenPGP key and message validation refactoring
- PB-14141 Enhanced public/private key validation rules
- PB-13685 Enhanced secret validation rules
- PB-14138 Refactor setup and recover related controllers with dependency injection
- PB-14510 Three trivial endpoints, such as GET on login are not logged anymore
Security
- PB-14400 Upgrade firebase/php-jwt to 6.1
Fixed
- PB-14369 Fixes email settings issues in the test suite
- PB-15046 Handle user lost-passphrase scenarios with API <= v3.5
Maintenance
- PB-14812 Upgrade cakephp/cakephp to 4.3
Wide Open
Song: https://youtu.be/BC2dRkm8ATU
The team is pleased to announce the v3.5 immediate availability which includes the most awaited launch of the iOS and Android Mobile applications for all passbolt editions.
Watch the mobile apps video announcement to get a quick glimpse of what’s in it. And let us know what you think in the dedicated community forum thread.
You’ll be pleased to know that both the mobile apps have been entirely audited by Cure53 prior to public release. The audit reports are available here.
What else is in v3.5? Well, a bunch of other nice things:
- New languages: Japanese, Dutch and Polish.
- Postgresql support (experimental). The documentation on how to enable it will follow in the next few days.
- A brand new CLI, written in Go (and audited too): this CLI is a contribution by Samuel Lorch and supports all API entry points including share operations.
On top of that, this release ships with some more improvements and fixes.
- Due to popular demand, the size of the resource.name and resource.username fields have been increased to 255 characters (previously 64).
- The In-Form menu positioning has been improved to appear where it should be with more accuracy.
- The overall performance of the api has been improved, primarily due to the optimization of the permissions table which is at the center of many operations.
We wish to thank the contributors who participated:
- Jesper Schmitz Mouridsen (@jsm222), for his much awaited PostgreSQL implementation.
- Samuel Lorch (@speatzle), for his amazing Go SDK and CLI, making it the first fully functional CLI for passbolt since the other nodejs CLI does not currently support all the operations.
- All the community members who reported bugs and submitted pull requests (@weebl2000, @garrettboone) and helped on the community forum to debug issues with mobile.
[3.5.0] - 2021-01-18
Added
- PB-13161 As LU I should be able to use passbolt with my Android mobile
- PB-13161 As LU I should be able to use passbolt with my IOS mobile
- PB-5967 As AD I can use passbolt with a PostgreSQL database provider [experimental]
- PB-5967 As AD I can migrate an existing instance to PostgreSQL with the help of the command line [experimental] and MySQL to Postgres migration tools, e.g. as described here: https://pgloader.readthedocs.io and here: https://pgloader.io/.
- PB-8513 As LU I can request gpg keys using pagination
- PB-13321 As a user I can use passbolt in Dutch
- PB-13321 As a user I can use passbolt in Japanese
- PB-13321 As a user I can use passbolt in Polish
Improved
- PB-12817 As LU I can import avatars having a jpeg extension
- PB-12943 As AD I should be able to see log when a user tries to sign-in with an invalid bearer token
- PB-12888 Improve performances of the operations requiring permissions accesses by replacing the single index on type by a combined index involving the requested columns
- PB-13177 As AD I should be able to see any gpg keys errors from the healthcheck
- PB-13183 As LU I should be able to create a resource having a name or a username of 255 characters long
- PB-13265 As AD I can create a JWT key pair even if the database is not set
- PB-13164 As AD I can cleanup duplicate entries in the favorites tables, groups_users and permissions
Security
- PB-13217 PBL-06-011 Fix ACL on mobile transfer view controller
Fixed
- PB-9887 Fix as AD I can send email digest from the /bin/cron script
- PB-12957 Fix multiple language issues reported by community
- PB-12914 Fix as a group manager I should not get multiple notifications when a group is updated
- PB-13158 As AD I should see a tip with proper directory permissions when the JWT assets healthcheck fails
Maintenance
- PB-12835 Move users setup/recover/register controllers logic into services to welcome the upcoming account recovery feature