Releases: bigbluebutton/greenlight

release-2.13.0

18 Aug 18:44
3622a25

This 2.13.0 release fixes multiple security issues (see below). All issues fixed in this release are subject to public disclosure on September 1, 2022. Please make sure to update your systems in time.

We would like to thank khanhchauminh for responsibly disclosing and assisting with fixing this security issue.

What's Changed

  • CVE-2022-36028 - Severity: Moderate - The value of the return_to cookie is now checked to ensure it is a Greenlight URL (#3631)
  • CVE-2022-36029 - Severity: High - Sessions are now expired if the password is changed (either through forget password or profile) (#3096)
  • Removed jQuery UI, which was using a version with known vulnerabilities (#3783)
  • Multiple gem updates (#3615, #3653, #3686, #3688)
  • Language updates

release-2.12.6

07 Jun 18:10
cbc4071

This 2.12.6 release fixes a security issue - the severity of the CVE is Low. All issues fixed in this release are subject to public disclosure on June 17, 2022. Please make sure to update your systems in time.

We would like to thank hoangnguyen for responsibly disclosing and assisting with fixing this security issue.

What's Changed

  • CVE-2022-31039 - Fixed a security issue which allowed anyone to see the values of a room's settings (#3508)
    • The only information accessible was the value of the 5 toggles in the room settings modal (whether it was true or false)
    • No access codes or "private" information is visible
  • Updated multiple gems for security reasons (#3497, #3480, #3459)

release-2.12.6-beta.1

26 May 20:03
3d46d42
Pre-release
Release: Major 2, Minor 12, Revision 6, Beta 1

release-2.12.5

03 May 20:28
e8ebaf3
  • Fixed circumvention bug which allowed a user to view all users' names and uids using the shared access modal #3432
  • Upgraded Rails to 5.2.7.1 #3433

release-2.12.4

22 Apr 19:48
737a8ee

What's Changed

  • Added env variable needed when switching social_uids #3393
    • Social users will still be able to sign in even if they switch social uids
    • Set SOCIAL_SWITCHING to true until all users have logged in, then remove it from the .env file
  • Translate '/config/locales/en.yml' in 'sv_SE' in #3413

release-2.12.3

12 Apr 17:41
8446397

What's Changed

  • Bump nokogiri from 1.13.3 to 1.13.4 in #3384
  • Fix: docker build on Apple M1 is broken in #3293
  • Translate '/config/locales/en.yml' in 'hu_HU' in #3353
  • Translate '/config/locales/en.yml' in 'tr' in #3363

release-2.12.2.1

07 Apr 17:55
86ba280
  • Follow-up to CVE-2015-9284 in OmniAuth gem. Solves issues with deployments with single external authentication method and LDAP.

release-2.12.2

06 Apr 20:59
6ba1fae
  • Solved CVE-2015-9284 in OmniAuth gem by using the recommended remediation
  • Fixed the bad date format in Arabic causing a 500
  • Raised join_name length to 99
  • Bumped puma from 4.3.11 to 4.3.12

release-2.12.1.1

23 Mar 13:13
2da9ba3
  • CI/CD: multiple updates to dockerfiles, gcloud scripts and gems #3302

release-2.12.1.1-beta.1

17 Mar 19:52
2da9ba3
Pre-release
Release: Major 2, Minor 12, Revision 1, Patch 1, Beta 1