This release improves the safety of the SVG attachment preview, adds Google Cloud Storage and Oracle database support, and new translations.
This minor release addresses a security issue with the SVG attachment preview, adds support for Google Cloud Storage (GCS) and Oracle databases, adds four new languages to the translations and includes updated libraries.
The storage system got reworked as part of the new Google Cloud Storage class and when not using the default file storage, the server salt and purge and traffic limiter items are now stored as part of the selected storage backend. It is now possible to run PrivateBin with database or GCS backend without requiring any write access to the data directory - automatic migrations run the first time any of these get accessed and found to be still present in the filesystem.
Benefits of switching to the new release
We recommend to upgrade 1.3.x instances to improve the resolved security issues. At the very minimum, please update your CSP headers in the configuration file to our currently recommended settings. You can check the headers of your instance via our new instance check service.
Update procedure
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
Changes since version 1.3.5
- ADDED: Translations for Corsican, Estonian, Finnish and Lojban
- ADDED: new HTTP headers improving security (#765)
- ADDED: Download button for paste text (#774)
- ADDED: Opt-out of federated learning of cohorts (FLoC) (#776)
- ADDED: Configuration option to exempt IPs from the rate-limiter (#787)
- ADDED: Google Cloud Storage backend support (#795)
- ADDED: Oracle database support (#868)
- ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
- ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
- ADDED: Sanitize SVG preview, preventing script execution in instance context
- CHANGED: Language selection cookie only transmitted over HTTPS (#472)
- CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21, Showdown 2.0.3 & zlib 1.2.12
- CHANGED: Removed automatic
.ini
configuration file migration (#808) - CHANGED: Removed configurable
dir
fortraffic
&purge
limiters (#419) - CHANGED: Server salt, traffic and purge limiter now stored in the storage backend (#419)
- CHANGED: Drop support for attachment download in IE
- FIXED: Error when attachments are disabled, but paste with attachment gets displayed
Help wanted & greatly appreciated
Apart from the large tasks that require deeper insight and time, there are also smaller issues were help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.
If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools that should get you started.
Plans for future releases
The next regular release will focus on user interface improvements.