Security Fixes
This release contains security fixes for the following advisories. We strongly advise updating as soon as possible.
- GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault.
- GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
- GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotation
These are private for now, pending CVE assignment.
Notes
- The admin templates have changed; please update them if you override these via custom templates.
- Two-factor remember tokens are now valid for at most 30 days. Old tokens become invalid immediately after upgrading.
What's Changed
- apply policies only to confirmed members by @stefan0xC in #6892
- Feat(config): add feature flag for Safari account switching by @DerPlayer2001 in #6891
- fix: add ForcePasswordReset to api key login by @montdidier in #6904
- Add Webauthn related origins flag to known flags. by @pasarenicu in #6900
- Add 30s cache to SSO exchange_refresh_token by @Timshel in #6866
- Add cxp-import-mobile and cxp-export-mobile: feature flags on mobile by @phoeagon in #6853
- Misc updates and fixes by @BlackDex in #6910
- Support new desktop origin on CORS by @dani-garcia in #6920
- Fix checkout action version by @dfunkt in #6921
- Fix apikey login by @BlackDex in #6922
- Fix email header base64 padding by @BlackDex in #6961
- Update Feature Flags by @BlackDex in #6981
- Update crates and GHA by @BlackDex in #6980
- Use protected CI environment by @dani-garcia in #7004
- Fix 2FA Remember to actually be 30 days by @BlackDex in #6929
- Misc Updates by @BlackDex in #7027
- Switch to attest action by @dfunkt in #7017
- Rotate refresh-tokens on sstamp reset by @BlackDex in #7031
- Misc org fixes by @BlackDex in #7032
- Fix empty string FolderId by @BlackDex in #7048
- Disable deployments for release env by @dfunkt in #7033
- Fix Send icons by @BlackDex in #7051
- prevent managers from creating collections by @stefan0xC in #6890
- Change SQLite backup to use VACUUM INTO query by @getaaron in #6989
- Handle SIGTERM and SIGQUIT shutdown signals. by @0x484558 in #7008
- Do not display unavailable 2FA options by @0x484558 in #7013
- Fix logout push identifiers and send logout before clearing devices by @qaz741wsd856 in #7047
- Fix windows build issues by @idontneedonetho in #7065
- Crate and GHA updates by @BlackDex in #7081
New Contributors
- @DerPlayer2001 made their first contribution in #6891
- @montdidier made their first contribution in #6904
- @pasarenicu made their first contribution in #6900
- @phoeagon made their first contribution in #6853
- @getaaron made their first contribution in #6989
- @0x484558 made their first contribution in #7008
- @qaz741wsd856 made their first contribution in #7047
- @idontneedonetho made their first contribution in #7065
Full Changelog: 1.35.4...1.35.5