openHAB 4.2.1 Release Notes
Important notice: This patch release addresses the following security advisories:
- SSRF/XSS (CometVisu) GHSA-v7gr-mqpj-wwh3
- Sensitive information disclosure (CometVisu) GHSA-3g4c-hjhr-73rj
- RCE through path traversal (CometVisu) GHSA-f729-58x4-gqgf
- Path traversal (CometVisu) GHSA-pcwp-26pw-j98w
All of these are related to the CometVisu add-on for openHAB - if you are a user of CometVisu, we strongly recommend upgrading your system to openHAB 4.2.1 to fix these vulnerabilities.
For all other users, the upgrade is optional - please check the detailed release notes below to see whether the included fixes are relevant for you:
Runtime
Type | Issue | Change |
---|---|---|
Enhancements | 4314 | Add default scope to profile when loading items file |
Bug Fixes | 4303 | PersistenceExtensions: fix DateTimeException when persisting an empty TimeSeries |
Bug Fixes | 4305 | Config parameter: Change inferred i18n key for add-ons + alternative key |
Bug Fixes | 4309 | Fix merge of AddonInfo (masterAddonInfo field) |
Bug Fixes | 4312 | Fix dynamic binding of AddonService to ConsoleCommandExtension service |
Bug Fixes | 4313 | Fix Timer.isRunning() returning true immediately after rescheduling |
Bug Fixes | 4320 | Add missing system profile types and UIDs |
Bug Fixes | 4323 | Fix startup of background discovery |
Bug Fixes | 4326 | Clean up removed links in GenericItemChannelLinkProvider |
Add-ons
Add-on | Type | Issue | Change |
---|---|---|---|
awattar | Bug Fixes | 17032 | Fix price handler refresh |
dbquery | Bug Fixes | 17159 | Fix dependency issues and bump to newer version libs |
denonmarantz | Bug Fixes | 17185 | Fix clearing Now Playing channels |
freeboxos | Bug Fixes | 17081 | Fix creation of properties and dynamic channels at init |
freeboxos | Bug Fixes | 17082 | Fix macAddress property when discovering a server |
freeboxos | Bug Fixes | 17124 | Fix websocket registration |
freeboxos | Bug Fixes | 17203 | Fix enabling/disabling of Mac OS file sharing |
freeboxos | Bug Fixes | 17217 | Fix IAE when sending a remote key to player |
govee | Bug Fixes | 17048 | Fix invalid status response handling |
http | Bug Fixes | 17042 | Properly escape + character in query string |
lutron | Bug Fixes | 17204 | Fix Pico buttons for non-LEAP bridges |
rrd4j | Bug Fixes | 17054 | Fix unit retrieval for group items |
shelly | Bug Fixes | 17011 | Revise fix for Gen1 initialization problem for manually created Things |
shelly | Bug Fixes | 17015 | Fix thing type descriptions for Plus Mini series |
shelly | Bug Fixes | 17053 | Fix initialization of BLU Motion device |
shelly | Bug Fixes | 17122 | Fix BLU Gateway support, IllegalNumberFormatException when favorites are empty in cover mode |
shelly | Bug Fixes | 17163 | Fix thing re-init after power cycle for firmware update |
shelly | Bug Fixes | 17167 | Fix BLU Discovery when Shelly Cloud Bluetooth Gateway is enabled |
shelly | Bug Fixes | 17180 | Fix NullPointerExceptions |
User Interfaces
UI | Type | Issue | Change |
---|---|---|---|
BasicUI | Bug Fixes | 2660 | Fix description for iconify parameter |
CometVisu | Bug Fixes | 2671 | Security fixes & cleanup for cometvisu backend |
CometVisu | Bug Fixes | 2696 | Add more path checks and secure against XXE attacks |
Main UI | Bug Fixes | 2655 | Fix code editor overflow in sitemap editor |
Main UI | Bug Fixes | 2656 | Page editors: Encapsulate CSS to avoid polluting global CSS |
Main UI | Bug Fixes | 2662 | oh-context: Fix rendering failure when not in edit mode |
Main UI | Bug Fixes | 2673 | Overview page: Fix defineVars is not working |
Main UI | Bug Fixes | 2677 | Charts: Fix issues with charts not displaying on iOS >= 17.4 |
Main UI | Bug Fixes | 2678 | Fix 404s for overview page, semantic model tabs and add-on store |
Main UI | Bug Fixes | 2689 | Link add: Fix create item fails for trigger channels |
Main UI | Bug Fixes | 2682 | Fix bracketing in context block |
Main UI | Bug Fixes | 2688 | Fix code generation for Thing object on Thing status block |