Passbolt - Open source password manager for teams

Passbolt

Last update: Dec 30, 2022

Related tags

Overview

      ____                  __          ____
     / __ \____  _____ ____/ /_  ____  / / /_
    / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
   / ____/ /_/ (__  |__  ) /_/ / /_/ / / /_
  /_/    \__,_/____/____/_,___/\____/_/\__/

The open source password manager for teams
Copyright (c) 2021 Passbolt SA
https://www.passbolt.com

License

Passbolt - Open source password manager for teams

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License (AGPL) as published by the Free Software Foundation version 3.

The name "Passbolt" is a registered trademark of Passbolt SA, and Passbolt SA hereby declines to grant a trademark license to "Passbolt" pursuant to the GNU Affero General Public License version 3 Section 7(e), without a separate agreement with Passbolt SA.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see GNU Affero General Public License v3.

About Passbolt

Passbolt is an open source password manager for teams. It allows you to securely share and store credentials. For instance, the wifi password of your office, the administrator password of a router or your organization's social media account passwords, all of them can be secured using passbolt.

Passbolt is different from the other password managers because:

It is primarily designed for teams and not individuals
It is free & open source
It is respectful of privacy
It is based on OpenPGP, a proven cryptographic standard
It is easy to use for both novices and IT professionals alike
It is extensible thanks to its RESTful API

Find out more: https://www.passbolt.com

How does it look like?

Trying out passbolt

You can try a demo of passbolt at https://demo.passbolt.com.

You will need to install a browser extension. You can find some help here: https://help.passbolt.com/faq/start/browser-extensions

Installing passbolt

You can install passbolt on your own machine. Follow the instructions on the website here: https://help.passbolt.com/hosting/install

Updating passbolt

Every now and then you will need to update passbolt to benefits from important fixes and improvements. Follow the instructions on the website here: https://help.passbolt.com/hosting/update

Contributing to passbolt

Please check out CONTRIBUTING.md for more information on how to get involved!

Reporting a security issue

If you've found a security-related issue in passbolt, please don't open an issue on GitHub. Instead contact us at [email protected]. In the spirit of responsible disclosure we ask that the reporter keep the issue confidential until we announce it.

The passbolt team will take the following actions:

Try first to reproduce the issue and confirm the vulnerability.
Acknowledge to the reporter that we have received the issue and are working on a fix.
Get a fix/patch prepared and create associated automated tests.
Prepare a post describing the vulnerability and the possible exploits.
Release new versions of all affected major versions.
Prominently feature the problem in the release announcement.
Give credit in the release announcement to the reporter if they so desire.

Credits

https://www.passbolt.com/credits

Comments

The OpenPGP server key cannot be used to decrypt the SMTP settings stored in database.

Hi !

We upgraded last morning to the lastest version:

 Open source password manager for teams
-------------------------------------------------------------------------------
Passbolt CE 3.8.1
Cakephp 4.3.7

Sometimes cronjob send me an email with a GPG error:

Exception: The OpenPGP server key cannot be used to decrypt the SMTP settings stored in database. To fix this problem, you need to configure the SMTP server again. Decryption failed.
In [/usr/share/php/passbolt/plugins/PassboltCe/SmtpSettings/src/Service/SmtpSettingsGetSettingsInDbService.php, line 114]

We have updated the mail configuration, but the error is still here.

I checked the GPG file permission and everything seems to be fine.

-r--r----- 1 www-data www-data 1.8K Apr 28  2022 serverkey.asc
-r--r----- 1 www-data www-data 3.6K Apr 28  2022 serverkey_private.asc

How can we fix this problem ?

installation issue

opened by ponceto 21

No mails are sent when providers offer AUTH PLAIN authentification only

Unable to send Emails to some providers

Passbolt Version: e848cd4d9ef8982e405ee8350fca325e2c562fad
Platform and Target: -- Operating system: Debian Buster (10) -- PHP: 7.3.14-1~deb10u1 -- Web server: nginx/1.14.2 -- Database server: mariadb Ver 15.1 -- etc.: Vserver

What you did

I installed passbolt with the script, everything was working as expected and went very smooth. Except the email sending part. I startet a forum thread with my problems here: https://community.passbolt.com/t/emails-not-sending/2771

First I thought it was the same with every provider, then I found a provider that worked for me (without TLS and instead with the ssl:// URL) Still the provider I want to use doesnt not work in passbolt. I tried connecting to it manually and in the end did so successfully. From the same system and the same user/pass combination. See this post for an exact output of a successful connection.

What happened

Although my email is working in thunderbird/webmail/manual smtp it is not working in passbolt.

# sudo -u www-data /var/www/passbolt/bin/cake passbolt  send_test_email [email protected]

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
---------------------------------------------------------------
 Debug email shell
---------------------------------------------------------------

Email configuration
---------------------------------------------------------------
Host: mail.systemli.org
Port: 587
Username: myworkingusername
Password: *********
TLS: true

Sending email from: myemailname
Sending email to: [email protected]
---------------------------------------------------------------

Trace
[220] mail1.systemli.org ESMTP Postfix (Debian/GNU)
> EHLO localhost
[250] mail1.systemli.org
[250] PIPELINING
[250] SIZE 40960000
[250] ETRN
[250] STARTTLS
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING
> STARTTLS
[220] 2.0.0 Ready to start TLS
> EHLO localhost
[250] mail1.systemli.org
[250] PIPELINING
[250] SIZE 40960000
[250] ETRN
[250] AUTH PLAIN
[250] AUTH=PLAIN
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING

A test email could not be sent.
Error: SMTP Error: 535 5.7.8 Error: authentication failed: Invalid authentication mechanism

What you expected to happen

I expected a successful mail transfer.

bug

opened by wnhre2ur8cxx8 21

Debian 9 / Mariadb 10.1: install fails when creating session tables - "1071 Specified key was too long"
i tried to set up passbolt 1.6.3 on a debian server running PHP 7.0.19-1 and MariaDB 10.1.26-0+deb9u1 . but when running app/Console/cake install --no-admin as the user, the routine seems to run fine but actually fails in the middle with

The following table(s) will be created. cake_sessions Creating table(s). cake_sessions: SQLSTATE[42000]: Syntax error or access violation: 1071 Specified key was too long; max key length is 767 bytes End create. passbolt session table deployed

did i miss something?
bug
opened by rotanid 18
Could not add user to a group
Could not add user to a group

Passbolt Version: 2.5.0

Platform and Target: -- Operating system: Debian 9.6 -- PHP: 7.0.30 -- Web server: Apache/2.4.25 (Debian) -- Database server: 10.1.37-MariaDB-0+deb9u1 Debian 9.6

What you did

Click on "users" in the top bar.

Click on the "+" symbol in the left bar for the group I want to add a user in.

Click on "edit group".

Search user in the add people field and then click on the user found.

Save the group

Enter the password to validate my privilege (I guess)

Get this error message : Error The group could not be saved

What happened

The user is not added to the group. I'm get error: "Error The group could not be saved"

What you expected to happen

The user being added to the group.
bug can not reproduce
opened by AnswerKAS 17
Users in group edit window are listed multiple times
Users in group edit window are listed multiple times

Passbolt Version: 2.0.4-debian

Platform and Target: -- Database server: mysql:5.7 -- docker -- updated installation from v1

What you did

I pressed the button "Edit group" in the groups tooltip.

What happened

Sometimes all users in the list are listed multiple times. But without role information.

What you expected to happen

A user should only be listed once.
bug
opened by joberthel 16
The requested URL /users/login was not found on this server.

I did a new installation on debian jessie, i used /var/www/passbolt/app/webroot as document root

rewrite module is enabled and running in apache2

this runs without errors and creates mysql tables: app/Console/cake install --no-admin

when i create admin like this: app/Console/cake passbolt register_user -u [email protected] -f myFirtsname -l myLastname -r admin

i get mail, but in the url it mentions "localhost", when i correct localhost to the actual ip, it also cannot find the URL

If i go to server like https://ip-address it gives: Not Found The requested URL /users/login was not found on this server.

User www-data has read rights to passbolt folders and write rights to: /var/www/passbolt/app/tmp/

Please help, below are installed php modules:

php -m [PHP Modules] bcmath bz2 calendar Core ctype date dba dom ereg exif fileinfo filter ftp gd gettext gnupg hash iconv intl json libxml mbstring memcached mhash mysql mysqli openssl pcntl pcre PDO pdo_mysql Phar posix readline Reflection session shmop SimpleXML soap sockets SPL standard sysvmsg sysvsem sysvshm tokenizer wddx xml xmlreader xmlwriter Zend OPcache zip zlib

[Zend Modules] Zend OPcache
installation issue

opened by tomghub 16
SMTP Error: 550 / Gandi RULE3_2
Hi all,

I cant undestand why i dont got the email for new user :

root@passbolt:/var/www/passbolt# ./bin/cake EmailQueue.sender SMTP Error: 550 5.7.1 Reject for policy reason RULE3_2. See http://postmaster.gandi.net Email 50 was not sent

But i make a test :

`root@passbolt:/var/www/passbolt# ./bin/cake passbolt send_test_email

____ __ ____ / __ \____ _____ ____/ /_ ____ / / /_

/ // / __ `/ __/ __/ __ / __ / / / / / // ( | ) // / // / / / // _,//__/.__/___//_/

Open source password manager for teams

Debug email shell

Email configuration

Host: mail.gandi.net Port: 587 Username: [email protected] Password: ********* TLS: true

Sending email from: Passbolt [email protected] Sending email to: [email protected]

Trace [220] relay.mail.gandi.net ESMTP Postfix

EHLO localhost [250] relay9-d.mail.gandi.net [250] PIPELINING [250] SIZE 35651584 [250] VRFY [250] ETRN [250] STARTTLS [250] AUTH PLAIN LOGIN [250] ENHANCEDSTATUSCODES [250] 8BITMIME [250] DSN STARTTLS [220] 2.0.0 Ready to start TLS EHLO localhost [250] relay9-d.mail.gandi.net [250] PIPELINING [250] SIZE 35651584 [250] VRFY [250] ETRN [250] AUTH PLAIN LOGIN [250] ENHANCEDSTATUSCODES [250] 8BITMIME [250] DSN AUTH LOGIN [334] VXNlcm5hbWU6

[334] UGFzc3dvcmQ6

[235] 2.7.0 Authentication successful

MAIL FROM:<***> [250] 2.1.0 Ok RCPT TO:[email protected] [250] 2.1.5 Ok DATA [354] End data with . From: Passbolt <***> To: [email protected] Date: Sat, 29 Sep 2018 12:32:39 +0000 Message-ID: 470f591d488d47e2bfcdb9cfad8e8700@passbolt Subject: Passbolt test email MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit

Congratulations! If you receive this email, it means that your passbolt smtp configuration is working fine.

. [250] 2.0.0 Ok: queued as 4DF7BFF80B

QUIT

The message has been successfully sent! root@passbolt:/var/www/passbolt#`

Its ok, someone can help me please ?

Best regards.
opened by m333w 15

Can't pass login page (Firefox)

After setting up admin account successfully, I am not able to login using this account. After entering my password, I get redirected to the login page again, checking passbolt logs shows:

2017-08-10 16:08:41 Error: [ForbiddenException] You need to login to access this location
Request URL: /auth/checkSession.json
Stack Trace:
#0 /var/www/html/passbolt/lib/Cake/Controller/Component/AuthComponent.php(349): GpgAuthenticate->unauthenticated(Object(CakeRequest), Object(CakeResponse))
#1 /var/www/html/passbolt/lib/Cake/Controller/Component/AuthComponent.php(305): AuthComponent->_unauthenticated(Object(AuthController))
#2 /var/www/html/passbolt/lib/Cake/Utility/ObjectCollection.php(128): AuthComponent->startup(Object(AuthController))
#3 /var/www/html/passbolt/lib/Cake/Event/CakeEventManager.php(243): ObjectCollection->trigger('startup')
#4 /var/www/html/passbolt/lib/Cake/Controller/Controller.php(678): CakeEventManager->dispatch(Object(CakeEvent))
#5 /var/www/html/passbolt/lib/Cake/Routing/Dispatcher.php(189): Controller->startupProcess()
#6 /var/www/html/passbolt/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke(Object(AuthController), Object(CakeRequest))
#7 /var/www/html/passbolt/app/webroot/index.php(110): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))
#8 {main}

Permission wise, I have set

chown nginx:nginx app/Config
chmod -R 777 app/tmp
chmod -R 777 app/webroot/img/public`

Health check shows no error:


 [PASS] PHP version 7.0.21
 [PASS] PCRE compiled with unicode support
 [PASS] The app/tmp directory is writable
 [PASS] The app/webroot/img/public directory is writable

 Config files

 [PASS] The core config file is present
 [PASS] The database config file is present
 [PASS] The email config file is present
 [PASS] The application config file is present

 Core config

 [FAIL] Debug mode is on.
  [HELP] Set Configure::write('debug', 0); in app/Config/core.php
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Unique value set for security.cipherSeed
 [PASS] Full base url is set to https://passbolt.localdomain.com
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [WARN] Using a self-signed certificate

 Database

 [PASS] Configured to use a supported database backend
 [PASS] The application is able to connect to the database
 [PASS] Not using a prefix for database tables
 [PASS] 20 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded
 [PASS] The server gpg key is not the default one
 [PASS] The environment variable GNUPGHOME is set to /opt/passbolt/.gnupg
 [PASS] The directory containing the keyring is writable by root.

 Application configuration

 [PASS] Using latest passbolt version (1.6.1)
 [PASS] Passbolt is configured to force SSL use
 [PASS] App.fullBaseUrl is set to HTTPS
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app

 Development Tools (optional)

 [PASS] Phpunit is installed
 [PASS] Phpunit version is 3.7.38

  1 error(s) found. Hang in there!

I also have SELinux set to Permissive. Am I missing something? or there is any other logs to help debug this issue? Thanksget

bug

opened by tmidi 15

The server was unable to respect the authentication protocol! (Centos7 / PHP7)

Hi got following problem with new Setup on nginx/1.13.4, PHP 7.0.21

The server was unable to respect the authentication protocol! There was a problem when trying to communicate with the server (HTTP Code:500)

passbolt

2017-08-09 13:18:02 Error: [Exception] encrypt-sign failed
Request URL: /auth/login.json
Stack Trace:
#0 /var/www/html/passbolt/app/Controller/Component/Auth/GpgAuthenticate.php(109): gnupg->encryptsign('gpgauthv1.3.0|3...')
#1 /var/www/html/passbolt/lib/Cake/Controller/Component/AuthComponent.php(770): GpgAuthenticate->authenticate(Object(CakeRequest), Object(CakeResponse))
#2 /var/www/html/passbolt/lib/Cake/Controller/Component/AuthComponent.php(611): AuthComponent->identify(Object(CakeRequest), Object(CakeResponse))
#3 /var/www/html/passbolt/app/Controller/AuthController.php(35): AuthComponent->login()
#4 [internal function]: AuthController->login()
#5 /var/www/html/passbolt/lib/Cake/Controller/Controller.php(491): ReflectionMethod->invokeArgs(Object(AuthController), Array)
#6 /var/www/html/passbolt/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction(Object(CakeRequest))
#7 /var/www/html/passbolt/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke(Object(AuthController), Object(CakeRequest))
#8 /var/www/html/passbolt/app/webroot/index.php(110): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))
#9 {main}

regards

Sascha

passbolt_headers

bug can not reproduce

opened by eraxor 15

Installation no Connection to MySQL
Distro: Debian 8 SQL DB: MariaDB 10.2 PHP: 5 HTTP Server: Apache (v2)

The error I get:

https://hastebin.com/idevoxocaj.scala

database.php file (this is on a dummy server so not worried about credentials)

https://hastebin.com/focamefuhu.php

PHP Packages I installed:

php5-common

libapache2-mod-php5

php5-cli

php5-common

php5-gd

php5-mcrypt

php5-dev

php-pear

php5-fpm

php5-mysql

php5-gnupg

The files have cloned into the /var/www/html directory

So what am I doing wrong?
installation issue
opened by c0fe 15
The private key cannot be used to decrypt a message

I'm trying to install Passbolt and I ran into a few issues so far. The first issue was that the Fingerprint apparently didn't match the fingerprint in the app.php. However, after generating a new key this works.

The issue I'm getting now is that the private key can't be used to decrypt a message. Also when I try to access the site I only see a cake php file (front-controller?).

Here is my healthcheck:

Healthcheck shell

Environment

[PASS] PHP version 7.0.22-0ubuntu0.16.04.1 [PASS] PCRE compiled with unicode support [PASS] The temporary directory and its content are writable [PASS] The public image directory and its content are writable

Config files

[PASS] The core config file is present [PASS] The database config file is present [PASS] The email config file is present [PASS] The application config file is present

Core config

[PASS] Debug mode is off. [PASS] Cache is working. [PASS] Unique value set for security.salt [PASS] Unique value set for security.cipherSeed [PASS] Full base url is set to https://my.domain.com [PASS] App.fullBaseUrl validation OK. [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl [HELP] Check that the domain name is correct in app/Config/core.php [HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate [FAIL] Hostname does not match when validating certificates. [WARN] Using a self-signed certificate

Database

[PASS] Configured to use a supported database backend [PASS] The application is able to connect to the database [PASS] Not using a prefix for database tables [FAIL] No table found [HELP] Run the install script to install the database tables [HELP] sudo su -s /bin/bash -c "/var/www/passbolt/app/Console/cake install" www-data [FAIL] No default content found [HELP] Run the install script to set the default content such as roles and permission types [HELP] sudo su -s /bin/bash -c "/var/www/passbolt/app/Console/cake install" www-data [PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded [PASS] The server gpg key is not the default one [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the user the webserver is running as. [PASS] The public key file is defined in app/config.php and readable. [PASS] The private key file is defined in app/config.php and readable. [PASS] The server key fingerprint matches the one defined in app/config.php. [PASS] The server key defined in the app/Config.php is in the keyring. [PASS] There is a valid email id defined for the server key. [PASS] The public key can be used to encrypt and sign a message. [FAIL] The private key cannot be used to decrypt a message [HELP] Make sure that the server private key is valid and that there is no passphrase.

Application configuration

[PASS] Using latest passbolt version (1.6.5) [PASS] Passbolt is configured to force SSL use [PASS] App.fullBaseUrl is set to HTTPS [PASS] Selenium API endpoints are disabled. [PASS] Search engine robots are told not to index content. [PASS] Registration is closed, only administrators can add users. [PASS] Serving the compiled version of the javascript app [PASS] All email notifications will be sent.

Development Tools (optional)

[PASS] Phpunit is installed [PASS] Phpunit version is 3.7.38

6 error(s) found. Hang in there!

I hope you can help me I'm really stuck with this one.
bug installation issue

opened by jaypi95 14
We should be able to know if the email configuration cease to work
We should be able to know if the email configuration cease to work

Passbolt Version: 3.8.3

Platform and Target: -- Operating system: Debian 11 -- PHP: 7.4.33 -- Web server: Nginx 1.18.0 -- Database server: MariaDB 10.5.18

What you did

I created a new account, and had a confirmation that an invitation e-mail had been sent, which wasn’t true.

What happened

I did forget that my mail provider had asked me to renew my password, so my credentials weren’t up to date in Passbolt

What you expected to happen

I would expect an error message, letting me know that my credentials are not recognized anymore.
enhancement
opened by altairis-noe 7
HostGator login site - password field has mixed behaviors
HostGator login site - password field has mixed behaviors

Passbolt Version: 3.8.3/3.82

Platform and Target: -- Operating system: Ubuntu 20 -- PHP: 8.1 -- Web server: NGINX -- Database server: MariaDB 10.6

What you did

Navigate to https://portal.hostgator.com/login

Email Address field shows in-form passbolt icon, and clicking the icon-then-resource populates the field correctly

Click Next, which opens up the password field

The password field is showing the in-form passbolt icon, but when clicking the icon-then-resource populates the field with a password that does not work (not sure what is pasted because it's hidden)

If I open the extension and click Use on this page - it also does not work.

However, if I copy the password and paste manually, it works.

What happened

At some point the following error was registered in the extension:

There was also an extension message on one attempt to reproduce that said to paste and that the password could not be used on the page. I could not get the message to show again.

What you expected to happen

I guess if the icon shows, that it would work.

Also, I am noticing the icon does not show in the fields unless I hover over the fields - is that correct behavior?
opened by garrettboone 2
Settings" buttons disabled but no reason given">
"Email server > Settings" buttons disabled but no reason given
"Email server > Settings" buttons disabled but no reason given

Passbolt Version: 3.8.3

Platform and Target: -- Operating system: Ubuntu 20 -- PHP: 8.1 -- Web server: NGINX -- Database server: mysql

What you did

Installed via source, provided SMTP info via install script, went to send a test email.

What happened

"Send test email" button was disabled. No errors.

What you expected to happen

A note similar to the one that shows when any fields are modified. The note says: Warning: These are the settings provided by a configuration file. If you save it, will ignore the settings on file and use the ones from the database.

A note with similiar might be able to always show. Something like Warning: These settings are provided by a configuration file. If any changes are made on this screen, passbolt will ignore the settings in the file and add them to encrypted organization settings in the database.

I actually checked for errors as a first step as it wasn't clear why it was disabled.
opened by garrettboone 1
account creation fails with umlaut (diacritic) in security token
tested with Docker image passbolt/passbolt:3.7.3-1-ce and passbolt/passbolt:3.8.1-1-ce

steps to reproduce:

create a new user

set passphrase

save key file

for the security token:

pick any color

input 3 charcaters withe at least one Umlaut (äöüÄÖÜß)

results in the error message:

Could not validate entity Account.

{ "security_token": { "required": "The security_token is required." } }
bug
opened by Reise-Reise 0
Locale en-UK common.json apostrophe character error

In the en-UK local common.json file, several strings contain converted ascii/bin code for a smart apostrophe, probably imported from working on WORD or another program...

Should change to "it will"

"Once the comment is deleted, itâ€™ll be removed permanently and will not be recoverable.": "Once the comment is deleted, itâ€™ll be removed permanently and will not be recoverable.", "Once the password is deleted, itâ€™ll be removed permanently and will not be recoverable.": "Once the password is deleted, itâ€™ll be removed permanently and will not be recoverable.", "Once the tag is deleted, itâ€™ll be removed permanently and will not be recoverable.": "Once the tag is deleted, itâ€™ll be removed permanently and will not be recoverable.",
groomed

opened by cordeosdev 1
Fix some french typo

Dear passbolt team, In french, we've some distinct typographics rules: Interrogation / Exclamation marks expect to have a space before and after the mark. Source : https://www.thoughtco.com/french-exclamations-1368844

Best regards, Gaël

opened by Nainterceptor 3

Releases(v3.8.3)

v3.8.3(Dec 6, 2022)
Song: https://youtu.be/BNe7OrleTlg

This release is a small maintenance release of the API only fixing issues reported by the community relative to the latest introduced SMTP settings feature. It also adds additional information to try to improve the debug process when dealing with Gnupg integration issues.

A big thank you to the community members who are reporting issues and help us investigate them.

[3.8.3] - 2022-12-01

Fixed

PB-21631 Ensure the OpenPGP server key is in the keyring prior to sending any emails

Source code(tar.gz)
Source code(zip)
v3.8.1(Nov 18, 2022)
Song: https://youtu.be/SEJz7PthmAw

This release is a small maintenance release fixing issues reported by the community relative to the just introduced SMTP settings feature. This version should support more authentication use cases and be more flexible while editing an existing configuration.

Thanks to the community members who reported issues and helped us fix them.

[3.8.1] - 2022-11-17

Fixed

PB-21478 As an administrator, I should be able to edit SMTP settings having a sender email not being a valid email

PB-21438 As an administrator using docker, I should be able to access the SMTP settings of my organization

PB-21486 As an administrator, I can define the SMTP authentication method via the SMTP admin workspace

PB-21481 As an administrator, I want emails to be sent with the sender settings defined in database, if defined in the database

Source code(tar.gz)
Source code(zip)
v3.8.0(Nov 14, 2022)
Song: https://youtu.be/37JidTgav2g

The team is pleased to announce the v3.8 immediate availability.

This release ships with two new themes, a light and dark Solarized themes. Along with the redesign that occurred earlier this year, these themes served as a foundation to propose additional look and feel, but also welcome your contributions. If you wish to build a new theme, checkout the blog article: How to create a custom passbolt theme with the UI Kit.

In a continuous effort to make passbolt more customizable, administrators will be pleased to find a new administration settings screen that will allow them to update the SMTP settings of their organization. More administration screens are in the works and will be released very soon. Spoiler alert, Multi Factor Authentication is on its way to be released in the community edition.

We wish to thank all the community members for:

The help with the internationalization;

The bugs reports and the pull requests on github;

The help provided to other members on the community forum.

[3.8.0] - 2022-11-09

Added

PB-19192: As an administrator, I want to manage SMTP settings in the administration workspace

PB-19151: As a user, I want to use passbolt with the Solarized light theme

PB-19151: As a user, I want to use passbolt with the Solarized dark theme

Improved

PB-16948: As group manager, I should be able to add users to groups without getting timeout errors

PB-19035: TOTP is now deactivated by default and should be activated by an administrator

PB-19200: GpgAuthenticator now asserts the message is a valid OpenPGP message prior to decryption on stage 0

Fixed

PB-19312: As a logged-in user, I want to see my first name and last name correctly displayed in email headers

PB-18718: As a logged-in user, I want my locale not to be overwritten by the server config on pages served by the server

PB-19261: As a logged-in user, I should not get an internal error if no filter is passed to the get resource.json entry point

PB-19035: As a logged-in user, I should not get a not found error on MFA authentication if an administrator deactivated MFA

PB-18515: As a user, I want to see User Agent and IP in account recovery emails

Security

PB-19204: Sanitize MFA redirection by forbidding redirection to external URI

PB-19090: Protect forms from spell-jacking attack

Maintenance

PB-19235: Migrate comments controllers logic into services

PB-19603: Cover additional “add user to group” case: As group manager I can add a user to a group which have no resources shared with

PB-6081: Move enterprise plugins into plugins/PassboltEe

PB-6081: Move community plugins into plugins/PassboltCe

PB-19621: Stop changing folders permissions in installation tests

PB-19255 As an administrator I can trigger 500 errors on demand to test my logs

Source code(tar.gz)
Source code(zip)
v3.7.3(Sep 28, 2022)
Song: https://youtu.be/xF5PzY4b3eQ

This release is a security release fixing a spell-jacking security flaw discovered by otto-js.

You can learn more about this flaw on the dedicated security incident page.

[3.7.3] - 2022-09-27

Security

PB-19090 Protect forms from spell-jacking attack

Source code(tar.gz)
Source code(zip)
v3.7.2(Sep 21, 2022)
Song: https://youtu.be/ZcC3vVh3cOE

This is a small maintenance release which ships with a bug fix reported by the community and few changes that aim to improve the continuous integration pipelines.

[3.7.2] - 2022-09-21

Fixed

PB-18380 Let passbolt-configure script setup certbot for RHEL9 support

PB-16983 Handles the lack of permissions on image directory when deleting

PB-16898 Redesign download a supported browser to get started

Improved

PB-18650 Add a check on mysql status in order to run mysql commands only when it's ready in unit tests

PB-18664 Add retry logic to Gitlab CI jobs

Source code(tar.gz)
Source code(zip)
v3.7.1(Aug 12, 2022)
Song: https://youtu.be/Gm4ElZUzLOo

[3.7.1] - 2022-08-10

PB-18381 Fix source language typos

PB-18397 Fix as an admin I can generate a server key with the webinstaller within an instance over http

PB-17096 Fix resouce_types name and slug postgresql compatibility

PB-18372 Bump styleguide version to 3.7.1

Source code(tar.gz)
Source code(zip)
v3.6.0(May 30, 2022)
Song: https://youtu.be/FvR9HAKNdic

The team is pleased to announce the v3.6 immediate availability which, as you may already have seen, includes a design refresh of the application.

On top of that, this release ships with some more improvements and fixes.

Performance boost on the client cryptographic operations;

Additional key validations on setup for better error reporting;

Experimental support for ECC keys.

More performance fixes.

We wish to thank the contributors who participated:

Alpha testers who helped us test the pre-release;

All the community members who helped with the internationalization;

Next up? We’ll go through a maintenance cycle where we’ll be fixing issues reported in terms of performance (e.g. adding users to a group), as well as preparing for the migration to Manifest v3, and support for PHP 8.1.

[3.6.0] - 2022-05-26

Added

PB-15026 As a user I should see the new design on the administration workspace

PB-14675 As a user I should see the new design on the authentication screens

PB-9739 As AN performing a setup, I can import ECC keys [experimental]

Improved

PB-9739 OpenPGP key and message validation refactoring

PB-14141 Enhanced public/private key validation rules

PB-13685 Enhanced secret validation rules

PB-14138 Refactor setup and recover related controllers with dependency injection

PB-14510 Three trivial endpoints, such as GET on login are not logged anymore

Security

PB-14400 Upgrade firebase/php-jwt to 6.1

Fixed

PB-14369 Fixes email settings issues in the test suite

PB-15046 Handle user lost-passphrase scenarios with API <= v3.5

Maintenance

PB-14812 Upgrade cakephp/cakephp to 4.3

Source code(tar.gz)
Source code(zip)
v3.5.0(Jan 19, 2022)
Song: https://youtu.be/BC2dRkm8ATU

The team is pleased to announce the v3.5 immediate availability which includes the most awaited launch of the iOS and Android Mobile applications for all passbolt editions.

Watch the mobile apps video announcement to get a quick glimpse of what’s in it. And let us know what you think in the dedicated community forum thread.

You’ll be pleased to know that both the mobile apps have been entirely audited by Cure 53 prior public release. The audit reports are available here.

What else is in v3.5? Well, a bunch of other nice things:

New languages: Japanese, Dutch and Polish.

Postgresql support (experimental). The documentation on how to enable it will follow in the next few days.

A brand new CLI, written in GO (and audited too): this CLI is a contribution by Samuel Lorch and supports all API entry points including share operations.

On top of that, this release ships with some more improvements and fixes.

Due to popular demand, the size of the resource.name and resource.username fields have been increased to 255 characters (previously 64).

The In-Form menu positioning has been improved to appear where it should be with more accuracy.

The overall performance of the api has been improved, primarily due to the optimization of the permissions table which is at the center of many operations.

We wish to thank the contributors who participated:

Jesper Schmitz Mouridsen (@jsm222), for his much awaited PostgreSQL implementation.

Samuel Lorch (@speatzle), for his amazing GO SDK and CLI, making it the first fully functional CLI for passbolt since the other nodejs CLI does not currently support all the operations.

All the community members who reported bugs and submitted pull requests (@weebl2000, @garrettboone) and helped on the community forum to debug issues with mobile.

[3.5.0] - 2021-01-18

Added

PB-13161 As LU I should be able to use passbolt with my Android mobile

PB-13161 As LU I should be able to use passbolt with my IOS mobile

PB-5967 As AD I can use passbolt with a PostgreSQL database provider [experimental]

PB-5967 As AD I can migrate an existing instance to PostgreSQL with the help of the command line [experimental] and MySQL to Postgres migration tools, e.g. as described here: https://pgloader.readthedocs.io and here: https://pgloader.io/.

PB-8513 As LU I can request gpg keys using pagination

PB-13321 As a user I can use passbolt in Dutch

PB-13321 As a user I can use passbolt in Japanese

PB-13321 As a user I can use passbolt in Polish

Improved

PB-12817 As LU I can import avatars having a jpeg extension

PB-12943 As AD I should be able to see log when a user tries to sign-in with an invalid bearer token

PB-12888 Improve performances of the operations requiring permissions accesses by replacing the single index on type by a combined index involving the requested columns

PB-13177 As AD I should be able to see any gpg keys errors from the healthcheck

PB-13183 As LU I should be able create resource having a name or a username of 255 characters long

PB-13265 As AD I can create a JWT key pair even if the database is not set

PB-13164 As AD I can cleanup duplicate entries in the favorites tables, groups_users and permissions

Security

PB-13217 PBL-06-011 Fix ACL on mobile transfer view controller

Fixed

PB-9887 Fix as AD I can send email digest from the /bin/cron script

PB-12957 Fix multiple language issues reported by community

PB-12914 Fix as a group manager I should not get multiple notifications when a group is updated

PB-13158 As AD I should see a tip with proper directory permissions when the JWT assets healthcheck fails

Maintenance

PB-12835 Move users setup/recover/register controllers logic into services to welcome the upcoming account recovery feature

Source code(tar.gz)
Source code(zip)
v3.4.0(Dec 8, 2021)
Song: https://youtu.be/BjnjfVLLuOA

The team is pleased to announce the v3.4 immediate availability which includes new features as well as some fixes requested by the community.

In a few words, fresh from the oven:

A native support of the Edge browser, Safari in the works!

A better integration of the dark theme

A fine tuned in-form integration for a better browsing experience

A fresh RPM package in beta test

Mobile apps in final beta test

Checkout the v3.4 blog article to get all the details about this release.

We wish to thank the contributors who participated:

All the community members who reported bugs and submitted pull requests (reederda, fgietzen, garrettboone, Ecentrix, zdenak11, jsm222 and many others).

All the community members who are participating in the mobile app beta testing effort and who are reporting issues with tidy logs (jskribek, g0dsCookie, okami, dlist, solaire, and many others).

[3.4.0] - 2021-12-07

Added

PB-9826 As a user I want to use passbolt natively on Edge

PB-8371 As LU I want to see the authentication screens in dark mode

Improvement

PB-9730 As AD I should be able to check avatars read issues from the healthcheck

Fixed

PB-9286 Fix as LU I should see the locale dropdown field of the setup/recover screen well positioned

PB-9397 Fix as AD I shouldn't see an error on the healthcheck if the JWT auth is disabled and I never configured it

PB-9114 Fix as lu I should be able to upload a transparent avatar in .png format.

PB-9750 Fix spelling mistakes reported by the community

PB-9762 Fix requesting /auth/login.json should not trigger an unexpected error

PB-9888 Fix MFA & JWT refresh token issue, remove Bearer from the hashed session identifier

Security

PB-7374 As soft deleted but logged in user I should be forbidden to request the API

PB-9340 Fix email queue data should be stored and deserialized as json and not php

Maintenance

PB-9311 Refactor JWT and MFA plugins for better code maintainability.

PB-8320 Implement the tests that are marked as incomplete for cleaner continuous integration test reports

PB-8211 Psalm set to level 4

PB-9726 Fix do not load cleanup tasks unless in CLI mode

PB-9753 Improve table fields validation tests, do not save entity when testing the validation of properties

PB-9310 Move avatar file_storage logic into AvatarsTable

PB-9785 Update JWT healthcheck help messages

PB-9656 Migrate fields from utf8mb4 to a more performant encoding when possible

Source code(tar.gz)
Source code(zip)
v3.3.1(Nov 24, 2021)
[3.3.0] - 2021-11-24

As part of the audit of the mobile application, security researcher Johannes Dahse, from Cure53 team, found that the Passbolt API v3.3 is prone to a key confusion attack. The JWT Authentication is currently in beta, and the plugin is disabled by default. This issue however affects users that have enabled the plugin to test the Mobile apps they should either disable it or update now.

More info

Security fix

PBL-06-008 Fix JWT key confusion leads to authentication bypass (High) (BETA)

Source code(tar.gz)
Source code(zip)
v3.3.0(Oct 27, 2021)
Song: https://youtu.be/SWMaa6qvX5U

The team is pleased to announce the much awaited v3.3 which includes new features as well as some fixes requested by the community. It’s been a while since the last release, but as you’ll see, we’ve been busy!

While browsing the internet, passbolt users don’t always know how to use the quick access menu in the toolbar to create or use credentials on a given page. The anticipated autofill and autosave improvements, which we call “in-form integration”, has finally arrived. You’ll be able to perform actions faster within web forms, and be able to quickly generate passwords and save credentials.

We’ve also optimized the original quick access flow to provide better accessibility, with more complete contextual feedback and a reduced number of steps (for example, when inserting a password in a page).

This release also contains a revamped password generator, which allows for the customization of the password parameters and introduces support for passphrase generation. The new passphrase generator produces 9 words using the diceware method. By default, the words aren’t separated, but the user has the option to define a set of characters (e.g. “ ” or “_”) that’ll be used to separate them. The password generator has also been improved, and now generates passwords of 18 characters in length. Also, it’s now possible to exclude look alike characters, like Homoglyphs, and even include emojis 😏.

In our continuous effort to make the application accessible by all, in their mother tongue, this release ships with German and Swedish translations. Other languages, such as Dutch, Polish and Spanish, are in the works and scheduled for the end of the year.

Both the password generator and in-form quick access functionalities have been reviewed as part of an independent security audit by Cure53. So, they should be safe for everyone to use! We also completed another series of audits for the API code and cloud infrastructure. We’ll share the results with you soon in a dedicated blog post (spoiler alert: no critical issue found).

We’ve also successfully completed our SOC2 Type I audit. Our SOC 2 Type II is also well underway and will be available by Q1 2022. These audits are just another step in our on-going compliance and security efforts.

Ok, now for the final reveal. It's been almost a year that we’ve been working on the passbolt mobile application (Android and IOS). This v3.3 release is shipping with its experimental support, which you can optionally enable to test! We’re currently waiting for the app’s reviews on the different web stores and we'll publish a blog article to explain how to test the mobile app. The app will be available for general use and enabled by default once an independent security audit is completed by the end of November. Stay tuned!

A big thank you to the people who reported and documented bugs on github and the community forum, provided your feedback on the account recovery specifications. Thank you for your continued support.

[3.3.0] - 2021-10-25

Added

PB-7815 As a server administrator I should be able to enable / disable the in-form menu feature, enabled by default

PB-6072 As a server administrator I should be able to enable / disable the password generator feature, enabled by default

PB-8189 As a user I should be able to use the application in German or Swedish

PB-7847 As AN I should be able to authenticate to passbolt via JWT access and refresh tokens [experimental][disabled by default]

PB-6034 As LU I should be able to configure my mobile app [experimental][disabled by default]

Improvement

PB-8908 As a user I should see the footer of the passbolt emails translated with my locale

PB-8364 As a user I should see the subject of the passbolt emails translated with my locale

PB-6032 As API user I shouldn’t see the _joinData properties in the resource entry points responses

PB-8281 Add Debian 11 bullseye support

PB-7750 As AD I should be notified by the healthcheck when a tmp files is executable

PB-7760 Increase PHPStan level to 6

PB-8081 As AD I should be able to configure passbolt over IPv6 while installing a passbolt package

PB-5866 As AD I should be able to detect avatar data discrepancies using the passbolt cleanup command

PB-7605 As a developer I should be able to enable/disable a plugin easily

Fixed

PB-5457 Fix as LU importing a batch of passwords I should not get an internal errors because of database deadlock

PB-7840 Fix as AD I can install/reconfigure the passbolt package if ssl certificates are already present

Security

PB-8047 Fix PBL-02-002 As LU I should logout by posting to the API and the entry point should should be protected by CSRF

PB-7751 Updates FlySystem dependency to v2.1.1

SEC-181 Fix information disclosure: recover endpoint should not return user role and name.

Maintenance

PB-8488 Remove user agent unnecessary check associated with MFA token

PB-8336 Clean phpunit.xml file

PB-8448 Hashes the session ID prior to passord_hash

PB-8210 Replaces PHPSESSID with session_name()

Source code(tar.gz)
Source code(zip)
v3.2.1(Jun 8, 2021)
This is a maintenance release with fixes for issues reported by the community.

Fixed

GITHUB-402 Fix API v3 regression, login must accept JSON data

Source code(tar.gz)
Source code(zip)
v3.2.0(Jun 8, 2021)
The team is pleased to announce that the much awaited “Internationalisation” feature is available to Passbolt Pro, Passbolt Cloud (in progress) as well as Passbolt CE subscribers as part of this release. It is the beginning of continuous effort to provide passbolt in the favorite language of our users. This release ships with the French translation, but other languages such as German and Spanish are in the works.

More languages will come as we go and we are of course counting on the community contributions to keep proposing new ones and make Passbolt available to everyone. If you’d like to contribute and understand how you can translate passbolt in your favorite language, check out the documentation. We have tried our best to make the translation process fairly easy and accessible to everyone.

Another aspect of this release is the upgrade of the passbolt API code base to CakePHP v4. This upgrade was necessary and sets the foundations of the new avatars management system, where the users’ avatars are now stored primarily in the database rather than in the file system. This long planned improvement has several benefits among which is a simpler backup workflow as well as the ability to deploy passbolt in high availability.

Finally, the team is proud to share with the community the results of the annual security audit part II performed by Cure53 with a focus on the webextensions. The positive results validate the continuous efforts of the team.

"The Passbolt extension stands strong and the audit and pentest did not manage to unveil any serious severity bugs, whereas the overall number of problems is also limited to just two minor flaws."

To know more about this audit, checkout the blog article.

A big thank you to Crowdin for providing us with their amazing translation platform for free. Huge thanks also to the people who have reported and documented bugs on github and the community forum including: @noinlj, @flifloo, @svenseeberg, @Kassouma and many more.

Added

PB-5054 French internationalisation

PB-5171 As logged-in user, I can paginate the result of the users and resources index controllers

PB-5854 As logged-in user I can save the locale of a user as an account setting

PB-5854 As admin I can save the locale the organisation as organisation setting

Fixed

PB-5523 Fix as system administrator I should see the healthcheck errors colored in red

PB-5860 Fix password max length should be set to 4096 in resource type definitions

PB-6031 Fix as LU I shouldn't get a fatal error when using a scalar instead of an array for some filters values

PB-6131 Fix healthcheck error messages display

Improved

PB-5975 Test code with PHPStan - level 4

PB-7576 Avatar table should use created and modified for timestamp and not created_at and modified_at

PB-5527 Move avatar in database

Maintenance

PB-5527 Migration to CakePHP4

Security

Remove X-XSS-Protection as per Cure53 audit result and recommendations

Source code(tar.gz)
Source code(zip)
v3.1.0(Mar 30, 2021)
3.1.0 - 2021-03-17

Added

Add preview password plugin feature flag

Source code(tar.gz)
Source code(zip)
v3.0.2(Mar 11, 2021)
This is a maintenance release with fixes for issues reported by the community.

Fixed

GITHUB-378 Fix healthcheck ssl fullBaseUrl check

Fix email digest email preview should accept empty (null) template

Fix send test email command should accept undefined username and password

Source code(tar.gz)
Source code(zip)
v3.0.1(Feb 24, 2021)
This is a small maintenance release. It ships with a few bug fixes reported by the community.

[3.0.1] - 2021-02-24

Fixed

Fix resources population of resource_type_id field migration

Source code(tar.gz)
Source code(zip)
v3.0.0(Feb 24, 2021)
Song: https://youtu.be/eCwWbEhFftw

Make sure you follow the update documentation to roll out this new version.

The team is pleased to announce the immediate availability of Passbolt version 3. As you may have noticed with the earlier release in January and automatic rollout of the v3 webextension, this version contains a major redesign of the login and setup screens. The goal of this redesign was to simplify the process and improve the usability. This version also concludes our migration to React technology on the front end side, you can learn more about it in the dedicated blog post.

Most notably, this release also introduces the concept of resource types. We will write more about it in a dedicated blog post, but long story short, the goal of this change is to allow storing different types of secrets, other than a password. The first example of a new resource type is the “password with encrypted description” which has now become the default. This change is transparent and backward compatible.

As you may know, data in passbolt is divided into two parts: the searchable non encrypted metadata called “resource”, and the encrypted part containing, for example the password called “secret”. With resource types the solution will support the encapsulation of structured data in the “secret” part in the form of a JSON object, following a JSON schema defined as part of the resource type. In the future we want to allow administrators to be able to define their own resource types, on top of the ones that are supported by default. In the meantime if you have suggestions for new default resource types, and the formats you would like to see (for instance credit cards, ssh keys, etc...), please share your ideas on the community forum.

We encountered some issues during the release of the webextension v3, which have been summarized on this dedicated incident page. The most prominent bugs encountered in the last release were related to older installations where some database entries became incompatible with the new stricter validation rules on the front-end side. These issues have now been resolved, but we sincerely apologize for any inconvenience caused, and have learnt a lot during the process.

Server side Passbolt API v3 is also a major release with the deprecation of PHP v7.2 and composer v1. Please make sure you have the right dependencies installed on your server prior to upgrade. You can learn more about the update/upgrade procedures on the dedicated page. Feel free to report bugs on github if you encounter any new issues, or to get in touch using the regular support channels.

On the artifacts side, we have published an ubuntu package and also all of our artifacts (vm, digital ocean, aws ami and docker image) are using debian package. Using debian package introduces new changes on the installation paths of passbolt. Please read the following documents for deprecation notices and changes:

Release notes for docker image.

Migrate from ubuntu installation scripts to Ubuntu package.

For our next release(s) the team will focus on an upgrade to Cakephp v4, as well as small UX/UI improvements that have been pending for a very long time, including the ability to translate the interface. And yes we also are actively working on the Mobile apps, as well as other much demanded features such as Escrow.

A big thank you for people who have reported and documented bugs on github and the community forum including: @DistrantThunder, @kyxyes, @chyff, @drzraf, @Alien-Richman, @VFS, @wnhre2ur8cxx8 (that’s a mouthful), @rctgamers3, @norbertmm, @runderwo, @AnswerKAS, @raphhaselback, @PeanutStick, @JosephGarrone and many more.

Thank you for your continued support.

[3.0.0] - 2021-02-22

Deprecated

Drop support for API format v1, api-version parameter is deprecated

Remove title from API response envelope format

Drop support for PHP < v7.3, application require PHP v7.3 by default

Drop support for Composer < v2, application requires Composer v2 by default

Added

Add dark theme to the community edition

Add new system check utilities in ./bin, for example ./bin/status-report

Add web installer automatically populates mysql credentials (VM / Debian Package)

Add support for multiple resource types

Add resource with encrypted description as resource type

Add generic cron job task in ./bin/cron

Add support for untracked personal shell scripts under ./bin/my

Add support for configurable footer link in config

Add permissions filters on resource view and index

Add permissions contain options on resource view

Chores

Update OpenPGP-PHP dependencies to provide PHP 7.4 compatibility

Remove unmaintained user agent parser library

Fix PHP 7.4 warnings

Improvements

Improve testsuite execution times

Refactor testsuite to not install data model from fixtures but use migrations instead

Refactor testsuite to remove unused fixtures

Migrate administration and mfa settings screen to React

Add placeholder application skeleton when webextension is still loading

Redesign of login and recover screens

Add Mysql 8 support

Fixed

Fix allow overriding rememberMe options in passbolt.php configuration file

Fix all target blank link should contain rel noopener noreferrer

Fix email sender, email subject should not exceed 255 characters.

Fix secret access log on resource view with contain secret

GITHUB-376 Fix missing route prefix on the recovery button

GITHUB-373 Fix API format for create group (previously v1 instead of v2 format)

GITHUB-372 Fix after modifying passwd, the modification time should be changed

GITHUB-370 Fix metadata should be deleted for deleted resources

GITHUB-369 Fix Notification Emails Have Wrong Tense In Subject/Body

GITHUB-368 Clarify PHP extension requirements

GITHUB-362 Fix wrong filename on healthcheck HELP message for assertConfigFiles

GITHUB-356 As a user I shouldn't be able to export folders if export plugin is disabled

GITHUB-350 Fix no mails are sent when providers offer AUTH PLAIN authentication only

GITHUB-339 Fix web installer urls do not work when passbolt is installed in a directory

Fix performance issues on resource / folder activity log

Source code(tar.gz)
Source code(zip)
v2.13.5(Jul 30, 2020)
This is a small maintenance release. It ships with a few bug fixes reported by the community.

Changelog

[2.13.5] 2020-07-29

Fixed

Fix display a validation error when db password contains a quote or db name contain a dash

Fix email notification settings bootstrap messes up non persistent database connection in wizard

Bump dependencies versions

Source code(tar.gz)
Source code(zip)
v2.13.1(Jul 9, 2020)
Song: https://youtu.be/tPBDMihPRJA

This is a small maintenance release. It fixes a bug introduced with the latest release.

Thank you to everyone who helped us test and iron out the last kinks!

In other news, we just published an article on the blog to explain why passbolt requires an extension.

Changelog

API

Fixed

PB-1372 Fix user setup completed admin email notification

Source code(tar.gz)
Source code(zip)
v2.13.0(Jun 25, 2020)
Song: https://www.youtube.com/watch?v=JU5LMG3WFBw

The team is pleased to announce the availability of Passbolt CE v2.13. This release includes new functionalities, most notably the email digest functionality.

Email digest

The email digest functionality will help you combine email notifications of the same kind into one single message. So, it will group similar emails for a given user, for a given time period (the frequency of passbolt email cronjob) or when a volume limit is reached. This will help reduce the email notifications, especially when you import/share a lot of passwords at once.

You can enable this feature by switching the following line in your server crontab:. /var/www/passbolt/bin/cake EmailQueue.sender

To /var/www/passbolt/bin/cake Passbolt/emailDigest.sender

You can also test the feature by calling it directly in the command line on your server.

Server key rotation

It is now possible to extend an expired server key and have the user accept the new server key without performing an account recovery. When the key change, the user will be prompted to accept the new one.

Migration to react

Part of the work done with this release includes some major refactoring of the front end code as part of the migration process to React. So, you will see some other visual changes for example, when loading the share dialog.

You can expect more visual changes in the upcoming releases.

Breaking changes

Another notable change: as part of this release we upgraded the OpenPGP.js. This may be a breaking change if you are using old OpenPGP keys with unsecure 2-byte hash. If you use such a key we advise you to try to re-export your private key from Gnupg to produce a more secure hash and perform an account recovery.

Changelog

API

Added

PB-1168 Add baseline code and tests for Debian package build

PB-1067 As a user I can receive digest emails when creating a lot of resources

PB-1067 As a user I can receive digest emails when added/removed from a lot of groups

PB-1284 Add tasks and services to re-validate existing data

Improved

Pro Styleguide version bump v2.13.13

Appjs version bump v2.13.7

PB-1046 Adapt Cleanup test runner to take in account cleanup that are adding records

PB-1046 Adapt Cleanup shell task to allow external sources to add cleanup tasks

PB-1046 Remove empty EmailTraits files

Delete unused default keys (cleanup)

Update to latest passbolt_test_data version.

Misc refactoring for email notifications

Misc refactoring to split model logic into services

Clear plugins in tearDown of application test cases

Fixed

GITHUB-350 No mails are sent when providers offer AUTH PLAIN authentication only

Fix appjs plugin requestUntilSuccess bug

Fix load webinstaller plugin manually in plugin tests

Fix composer php version.

Fix misc checkstyle issues

PB-980: Fix "secret access logging in password activity log should not display other resources secret access after a multiple share"

Source code(tar.gz)
Source code(zip)
v2.12.1(Apr 15, 2020)
Release song Full release notes

This release contains a security fix, please update your server as soon as possible. Make sure you follow the minor update documentation to roll out this new version.

This is a small maintenance release in order to update to jQuery v3.5. The library released an important security fix that could potentially result to an XSS in certain Passbolt setups where Content Security Policy (CSP) was disabled by the user. You can learn more about the issue here.

Passbolt team is currently busy finalizing a release candidate with some new major features. You can learn more about it in our last blog post.

We hope you are safe.

Fixed

PB-1209: Update client dependencies

Source code(tar.gz)
Source code(zip)
v2.12.0(Dec 10, 2019)
Release song Full release notes

This release is mainly a maintenance release. It ships with several fixes, mainly regarding the web extension. The previously published extension version contained some security fix for an issue in the quick access suggestion system reported by security researcher Rene Kroka. You can learn more about it on the incident page.

It also ships with a much demanded improvement: the possibility to resend a new invitation to a user.

We hope you’ll enjoy this update!

What next? The team focus is currently on the upcoming folders feature. It is taking a substantial amount of energy to implement but the result should be matching your expectations. It is now a matter of weeks before the feature is available. If you are interested to know how it will work, you can have a look at the specifications (feedback is welcome). The screenshot below will give you a glimpse of its look and feel:

The team wishes you great end-of-year celebrations, merry christmas & happy new year in advance, and good holidays if you are lucky enough to take some!

API

Added

PB-687: As an admin I can resend an invitation for a user that didn't complete the setup

Improved

PB-893: Update CakePHP to v3.8.6

Fixed

PB-771: Added purify subject for the email subscribers

PB-856: Added migration fix to remove unused tables

GITHUB-84: Fix gc_maxlifetime versus Session.timeout units

Web extension

Improved

PB-878: Update OpenPGP.js to v4.7

PB-649: The quickaccess passphrase field text and background colors should remain as default when the field is not focused.

Fixed

PB-883: The quickaccess should filter passwords by uri protocol and port if provided.

PB-766: Fix 414 server issues for features that work with batch of resources. Reduce the size of the batches.

Source code(tar.gz)
Source code(zip)
v2.11.0(Aug 12, 2019)
Passbolt v2.11 is maintenance release containing security fixes. Extension update will be rolled out automatically to your users like usual, but as an administrator you will need to update your server.

The security issues were discovered by security researcher René Kroka as part of the Bug Bounty program organized in collaboration with YesWeHack. You can find more information about the vulnerabilities found during this audit, on the dedicated incident page. You can also learn more about passbolt security in our recently published Security White Paper.

This release also includes some requested fixes by the community. The autofill functionality is now a bit more robust and will work on more websites, including for example when the login form is located in an iframe (on the same domain than the current page). Feel free to report any issues you encounter with the autofill on websites you use via github issues. Another long awaited fix relates to the passphrase remember me and the auto logout functionalities.

The installation script now also supports the new Debian 10 (stable). Because of this we will soon deprecate support for 7.0 (which was still the default on Debian 9). Make sure you upgrade your web server to use at least 7.2 in the coming weeks.

If you want to receive an invitation for Passbolt Cloud, feel free to complete this form or send us an email at [email protected]. Or you can wait for the public launch in September!

The team wish you happy holidays, if you are lucky enough to take some!

API

Security fixes

PB-661: Fix tab nabbing when clicking on "open in a new tab" in password grid

PB-607: Fix XSS on first name or last name during setup

Improvements

PB-587: Add baseline support for multiple openpgp backends

PB-391: Display the name and email of the user an admin is going to delete in the delete dialog

PB-396: Display the label of the password a user is going to delete in the delete dialog

PB-397: Display a relevant feedback in the user details group section if the user is not member of any group

PB-533: Add a new session check endpoint that does not extend the session expiry

PB-607: Add option for an administrator to configure CSP using environment variable

PB-242: Improve the passwords grid (passwords fetch peformance, search reactivity, selectbox area enlarged)

Fixes

PB-349: Fix health check fails if using custom GNUPGHOME env set by application

PB-330: Fix migration issue from CE to PRO in v2.10

PB-567: Fix appjs auto logout

PB-601: Fix some incomplete unit tests

PB-427: Fix email sender shell task and organization settings table unnecessary coupling

PB-349: Fix OpenPGP results health checks

Maintenance

PB-505: Upgrade cake 3.8

PB-504: Upgrade Javascript dependencies

PB-472: Cleanup test dependencies

Web extension

Improved

PB-242: Add local storage resources capabilities to manipulate the resources (add, delete, update)

GITHUB-79: Improve autofill compatibility, trigger an input event instead of a change event while filling forms

GITHUB-61: Improve autofill compatibility, support Docker and AWS forms

PB-432: Improve autofill compatibility, support reddit.com

PB-433: Improve autofill compatibility, support Zoho CRM

GITHUB-78: Improve autofill compatibility, fill only username if no password field present

PB-494: Improve autofill compatibility, ignore hidden fields

PB-514: Improve autofill compatibility, fill iframe forms fields

PB-609: Update library used for CSV export

Fixed

PB-544: Fix login passphrase remember me and quickaccess

PB-533: Fix session expired management

PB-515: Autofill should not fill if the url in the tab have changed between the time the user clicked on the button to fill and the data is sent to the page.

PB-503: Fix math.random() when generating first security token/color

Source code(tar.gz)
Source code(zip)
v2.10.0(May 17, 2019)
Release song Full release notes

This release ships with some nice improvements, notably the apparition of the administration dashboard for the Community Edition. This dashboard only contains one section for now: email notification settings. However, some more sections will appear in the next releases as the idea is to remove completely the pain point of configuration through files.

Another improvement is the possibility to browse passwords using filters in the browser extension “quick access”. The filters that were already accessible through the web UI are now available in the “quick access”: Favorites, Items I own, Recently modified, Shared with me or even Groups. Check it out.

We hope you’ll enjoy this update!

What next? Our current focus for Passbolt Community Edition is the implementation of more administration sections, forms auto-save (to save passwords directly from a web form) and improvements on the setup and login screen. Stay tuned!

Passbolt API

Added

PB-165: As AD I should be able to change my organization email notification settings via an administration screen.

Fixed

PB-276: Merge organization settings code into CE. Ground work for administration features.

Passbolt Browser extension

Added

PB-189: Quickaccess: As LU I can browse my passwords with the quickaccess using filters

Fixed

PB-40: Quickaccess: Don't hide not sanitized uri in the resource view screen

Source code(tar.gz)
Source code(zip)
v2.9.0(Apr 24, 2019)
Fixed

PB-220: Upgrade to CakePHP 3.7.7 fix for CVE-2019-11458.

Source code(tar.gz)
Source code(zip)
v2.8.4(Apr 24, 2019)
[2.8.4] - 2019-04-17

Improved

PB-48: Improve the performance by removing the creator/modifier from the passwords workspace grid query

PB-159: Remove the usage of canjs connect-hydrate module

Fixed

GITHUB-315: The permalink of password don't work anymore

PB-147: Update appjs steal dependencies

PB-152: The webinstaller should work with Firefox ESR

GITHUB-299: The passwords are shown twice in passwords workspace grid

GITHUB-10: Selecting a group on the users workspace should not reset the grid "Last Logged In" column to "Never"

GITHUB-62: Sorting the users on the users workspace should not break the infinite scroll

PB-160: Update appjs jquery dependencies

PB-163: Update jquery dependency

PB-171: Fix entities history trait should not trigger internal error if user action is undefined

PB-102: Fix install process should not create shema dump lock file

PB-204: Escape shell variables of the passbolt mysql export shell command

Source code(tar.gz)
Source code(zip)
v2.8.3(Apr 2, 2019)
Release song Full release notes

This release introduces some new dependencies and database changes. Make sure you follow the minor update documentation to roll out this new version.

This release ships with the much awaited “quick access” and “auto-fill” features. It is now possible to access your passwords directly from the browser extension, and have your forms auto-filled in a click.

“Quick access” will keep evolving in the coming weeks with some improvements on the “auto-fill” part, or the possibility to add / edit a password directly from it.

You will also be pleased to see that both Import and Export functionalities, previously Pro Edition exclusives, are now available in the Community Edition. All major password managers templates are supported, such as the Keepass or 1Password file format.

Beware: after this update, the import and export functionality will be available to all the users (not only admins). To disable, follow the documentation.

This release also includes an upgrade to the latest cakephp version : 3.7, which means that passbolt is now compatible for most parts with PHP 7.3. We will keep supporting 7.0 until the next Debian stable release, but we invite you to switch to 7.2 as soon as possible.

Finally the Passbolt OpenAPI specification is also available. You can find the API specifications in a swagger compatible format on this new repository. It will be updated soon with a more detailed documentation, including code examples, to ease the learning curve.

Passbolt Web Extension

Added

PB-3: Quickaccess: Simplified app to access passwords from the browser extension

Passbolt API

Improved

PB-2: Upgrade to CakePHP 3.7

PB-60: Performance - Add index on tags table

PB-95: Implement Import / Export enable switch

Fixed

PASSBOLT-2121: Fix passbolt should run in a subdirectory

Source code(tar.gz)
Source code(zip)
v2.7.0(Feb 12, 2019)
Release song Full release notes

The main focus of this release was to improve the performances and reactivity of the application, as well as address some minor security issues.

The only feature that was added is a better support for url sharing, e.g. if you look at the sidebar when clicking on a resource you will be presented with a link. You can use it to send the url to a given resource to a colleague: if they have access to this resource they will be able to navigate directly to it. Similarly links in emails pointing to a resource will take you directly to the corresponding record.

The team also worked hard to speed up the performances of the application, most notably by starting to load OpenPGP secrets asynchronously (instead of within the resource index calls). This strategy allows to reduce the loading time of the homepage from 12 to 2 seconds, in our tests with a database containing 2000 passwords shared over 400 users. This ground work was also necessary in order to be able to trace accesses to secrets and provide a more granular audit log coming up in the next release.

This release also includes 3 fixes found during an independent security audit conducted by french security researcher Jose-Alexandre Mayan. You can learn more about these fixes on the dedicated security incident page.

Passbolt Web Extension

Improvement

PASSBOLT-3347: When the extension requires the users to enter their master password, the popup should be displayed with no delay

PASSBOLT-3313: As GM adding a user to a group I should see the loading popup when the extension is processing/requesting the API

PASSBOLT-3312: As GM adding a user to a group I should see a relevant feedback in case of network/proxy errors

PASSBOLT-3316: As LU Sharing a password I should see a loading feedback when the extension is requesting the API

PASSBOLT-3318: As LU I should retrieve a secret when I’m copying it

PASSBOLT-3319: As LU I should retrieve a secret when I’m editing it

PASSBOLT-3403: As LU I should retrieve secrets when I’m exporting the associated passwords

Passbolt API

Added

PASSBOLT-2995: As LU I should be able to copy the permalink of a password

Improved

PASSBOLT-3403: As LU I should export only selected passwords

PASSBOLT-3397: Remove the list of secrets from the API request while loading the list of passwords

PASSBOLT-3319: As LU I should retrieve a secret when I’m editing it

PASSBOLT-3318: As LU I should retrieve a secret when I’m copying it

PASSBOLT-3317: Display significant information as soon as possible while opening the application

PASSBOLT-3312: As GM adding a user to a group I should see a relevant feedback in case of network/proxy errors

PASSBOLT-3314: Improve the performance of the application by adding missing indexes

PASSBOLT-2974: As LU I should be able to follow links targeting passwords from my emails

Fixed

PASSBOLT-3363: Fix the web installer should not use the exec php primitive to create/import the gpg server key

PASSBOLT-3370: Fix auth verify error should not leak data

PASSBOLT-3368: Fix html injection in email

Source code(tar.gz)
Source code(zip)
v2.5.0(Nov 15, 2018)
Release song

This release greatly simplifies the passbolt installation process. It ships with automated scripts for your favorite distributions (Debian 9, CentOS 7 and Ubuntu 18.04) that will perform the heavy lifting of the server configuration for you. These scripts will configure a vanilla operating system to be ready for a passbolt install.

They take care of setting up the web server (Nginx), database (MariaDb), PHP, SSL and yes, for real, also the GPG keyring configuration. In addition to the install scripts, passbolt can now be configured in a few clicks thanks to the presence of a web installer. Overall, the new installation process takes no more than 10 minutes!

Passbolt API (All)

Added

PASSBOLT-2694: As a server administrator I can install Passbolt CE in a few clicks using a web installer.

PASSBOLT-3093: As LU I can select all passwords to perform a bulk operation

Improved

PASSBOLT-3166: Add PHP 7.3 job on travis

PASSBOLT-3119: The Web Installer should control the route with a middleware

PASSBOLT-3153: The Web Installer health checks should ensure the config files can be written before continuing

PASSBOLT-3120: Improve the Web Installer code coverage

PASSBOLT-3127: The Web Installer should change the config folder permissions after the installation is completed

PASSBOLT-3152: As AN completing the registration process, if I'm following the link to download the browser extension I cannot go back easily to the registration process

PASSBOLT-3189: As AD migrating passbolt to the latest version I would like the CakePHP cache to be cleared with the same operation

Fixed

PASSBOLT-3150: I should not see duplicates rows when I filter my passwords by keywords

GITHUB-290: A user who have not completed the setup should be allowed to request a new token using recover

PASSBOLT-3188: As LU the UI shouldn't crash if the uri of a password cannot be parsed

Source code(tar.gz)
Source code(zip)
v2.4(Oct 12, 2018)
This release introduce the ability for users to select multiple passwords and perform a bulk action such as delete or share. The “remember me” feature that was available in the Pro Edition is now available to everybody.

Added

PASSBOLT-2972: As LU I should be able to delete multiple passwords in bulk

PASSBOLT-2951: Merge the remember me on CE

PASSBOLT-2329: As an administrator deleting a group which is sole owner of one or several passwords, I should be requested to select a new owner for these passwords

PASSBOLT-2972: As LU I should be able to select multiple passwords with standard keyboard interactions (command and shift keys)

Improved

GITHUB#275: Adding SSL configuration environment variables for cake mysql driver

PASSBOLT-2534: As LU I should not be able to copy to clipboard empty login/url

PASSBOLT-2017: As LU when I save a password (create/edit) the dialog shouldn't persist until the request is processed by the API

PASSBOLT-3073: As LU I should get a visual feedback directly after filtering the passwords or the users workspace

PASSBOLT-3009 Add types to authentication tokens

Fixed

PASSBOLT-2966: As LU I can't see passwords shared with me clicking on the "shared with me" shortcut filter

GITHUB#246: Fix healthcheck tips relative to tmp folder

PASSBOLT-3063: Fix appjs base url and subfolder

PASSBOLT-3074: As a logged in user selecting a "remember me" duration the checkbox should be selected automatically

PASSBOLT-2976: Fix API requests issues when the user is going to another workspace

PASSBOLT-3082: ezyang/htmlpurifier cache should be stored in the application cache directory

PASSBOLT-2982: Fix session expired check

PASSBOLT-3086: As LU when I have 100+ passwords I cannot see the passwords after the 100th more than once

Source code(tar.gz)
Source code(zip)