Bambuddy v0.1.6.2 (Security Release)
Security Release: This release addresses critical security vulnerabilities. Users running authentication-enabled instances should upgrade immediately.
Security Fixes
- Critical: Hardcoded JWT Secret Key (GHSA-gc24-px2r-5qmf, CWE-321)
  - Fixed hardcoded JWT secret that could allow token forgery
  - JWT secret now loaded from JWT_SECRET_KEY env var or auto-generated secure file
  - Action Required: Users will need to re-login after upgrading
- Critical: Missing API Authentication (GHSA-gc24-px2r-5qmf, CWE-306)
  - Fixed 77+ API endpoints lacking authentication checks
  - All API routes now require valid JWT/API key when auth is enabled
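The secret-loading order described above (JWT_SECRET_KEY env var first, otherwise an auto-generated file that persists across restarts), as an added sketch that is not Bambuddy's own code. The function names, the secret file path passed in, the 32-byte minimum and the permission check are assumptions made for illustration.

```python
import os
import secrets
import stat
from pathlib import Path

ENV_VAR = "JWT_SECRET_KEY"   # variable name taken from the release notes
MIN_SECRET_BYTES = 32        # assumption: refuse secrets shorter than this


def load_jwt_secret(secret_file: Path, environ=os.environ) -> str:
    """Return the signing secret: env var first, then a persisted random file."""
    value = environ.get(ENV_VAR, "").strip()
    if value:
        if len(value.encode()) < MIN_SECRET_BYTES:
            raise ValueError(f"{ENV_VAR} is shorter than {MIN_SECRET_BYTES} bytes")
        return value
    try:
        # O_EXCL creates the file only if it is absent, with owner-only mode,
        # so an existing secret is never overwritten and restarts reuse it.
        fd = os.open(secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return _read_existing(secret_file)
    secret = secrets.token_urlsafe(64)  # CSPRNG output, never a constant
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    return secret


def _read_existing(secret_file: Path) -> str:
    """Read a previously generated secret, failing closed on weak state."""
    mode = stat.S_IMODE(secret_file.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{secret_file} is accessible to group/other ({oct(mode)})")
    secret = secret_file.read_text().strip()
    if len(secret.encode()) < MIN_SECRET_BYTES:
        raise ValueError(f"{secret_file} holds a secret that is too short")
    return secret
```

Because the secret is no longer a constant shipped in the source, tokens signed with the old key stop verifying, which is why a re-login is required after upgrading.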
Bug Fixes
- File Manager permissions not enforced (#224)
- External spool AMS mapping failures (#213)
- Filename matching for files with spaces (#218)
- P2S FTP upload failure (#218)
- Printer deletion freeze (#214)
- Stack trace exposure in error responses (CodeQL #68)
- Printer serial numbers in support bundles (#216)
- Missing sliced_for_model migration (#211)
- JWT secret not persistent across restarts
- Images/thumbnails returning 401 with auth enabled
- Library thumbnails missing after restore
- File uploads failing with auth enabled
Enhancements