github tine-groupware/tine 2023.11.8

5 months ago

Releasenotes

⚠️ Major Security Issue - Update as soon as possible!

It rarely happens, but with this update we are closing a critical security bug. Security Analyst Christian Pöschl and the company usd AG (https://www.usd.de/en/) informed us through a responsible disclosure that sensitive data, in particular the LDAP connection settings, could be visible to third parties when setup.php is called via the browser. We have closed this gap immediately and therefore published this release earlier than planned.

The problem also affects earlier tine versions, which is why the still supported 2022.11 ("Pino") has also been updated.

We recommend installing the update as soon as possible, especially if the LDAP functionality of tine is used and the call to setup.php is not protected separately, e.g. by an htaccess / basic authentication. We have also updated the Docker image so that it now protects setup.php with an additional password prompt.

The fix can be found here: 5d556a1

Information about the docker image setup.php basic auth can be found in the tine docs: https://tine-docu.s3web.rz1.metaways.net/operators/Installation_Guide/#setupphp-ui
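An added example of the separate protection for setup.php recommended above, for a non-Docker installation behind Apache; this is not configuration from the tine project or its docs, and the password file path, realm name and user name are assumptions:

```apache
# Added example (not from the tine project): restrict setup.php with HTTP basic auth
# in the Apache vhost, or in the .htaccess of the tine document root.
# Assumptions: Apache 2.4 with mod_auth_basic and mod_authn_file loaded, and a
# password file created beforehand with (user name and path are placeholders):
#   htpasswd -c /etc/apache2/tine-setup.htpasswd setupadmin
# If placed in .htaccess, the directory needs "AllowOverride AuthConfig" (or All)
# in the vhost, otherwise the block is silently ignored and setup.php stays open.
<Files "setup.php">
    AuthType Basic
    AuthName "tine setup"
    AuthUserFile /etc/apache2/tine-setup.htpasswd
    Require valid-user
</Files>
```

After reloading Apache, an unauthenticated request for setup.php should answer with HTTP 401 instead of 200; this check is also worth repeating after the update, because the basic auth is what protects setup.php on versions that have not been patched yet.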

Changelog

Features

Bugfixes

ee5b057 fix(Felamimail/Message): improve encoding detection
5d556a1 fix(Setup/Frontend/Json): don't show auth data in anonymous call
7f29602 fix(Felamimail/js): parse recipient as string in encrypted email
143ad76 fix(Tinebase/js): init custom fields to registry before render

Refactoring

Tweaks

1f158fd tweak(Sales/Frontend/Json): allow saveInvoice to run for 1 hour
42cae0f tweak(Felamimail/Message/Send): don't log 403 file exceptions to sentry
a148358 tweak(Tinebase/Record/Expander): catch 403 on getApplicationInstance
90eef3e tweak(ansible/dockercompose): allow defining documentserver_additional_mounts
