Releases: pglombardo/PasswordPusher
v1.48.0: Login Security Improvements
This release improves the overall security of logins in Password Pusher. Details below.
With this release, all pre-existing login sessions will end and users will have to log in again.
The improvements are:
- "Remember me" now only remembers for 1 week
- Login password length increased to 10 to 128 characters (previously 6 to 128) (preexisting login passwords unaffected)
- Login sessions now expire after 2 hours of inactivity
- Cookie serialization is now done via JSON to fix https://github.com/pglombardo/PasswordPusher/security/code-scanning/1
Being a security product dealing with sensitive information, these changes are appropriate.
📝 What’s Changed
- Improved Login Security (#2731) @pglombardo
- Security: Use json for cookie serialization (#2720) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.33.0 to 1.34.0 (#2730) @dependabot
- ⬆️ Bump date from 3.3.4 to 3.4.0 (#2729) @dependabot
- ⬆️ Bump aws-partitions from 1.1000.0 to 1.1001.0 (#2728) @dependabot
- ⬆️ Bump rackup from 2.1.0 to 2.2.0 (#2725) @dependabot
- ⬆️ Bump debase from 0.2.5.beta2 to 0.2.6 (#2724) @dependabot
- ⬆️ Bump oj from 3.16.6 to 3.16.7 (#2722) @dependabot
- ⬆️ Bump google-apis-iamcredentials_v1 from 0.21.0 to 0.22.0 (#2723) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.5
..and go to http://localhost:5100
🔗 Useful Links
v1.47.4: Framework, Dependency & Security Updates
📝 What’s Changed
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.32.3 to 1.33.0 (#2698) @dependabot
- ⬆️ Bump aws-partitions from 1.999.0 to 1.1000.0 (#2716) @dependabot
- ⬆️ Bump parser from 3.3.5.0 to 3.3.5.1 (#2718) @dependabot
- ⬆️ Bump overcommit from 0.64.0 to 0.64.1 (#2717) @dependabot
- ⬆️ Bump actionview from 7.2.1.2 to 7.2.2 (#2715) @dependabot
- ⬆️ Bump actioncable from 7.2.1.2 to 7.2.2 (#2714) @dependabot
- ⬆️ Bump activestorage from 7.2.1.2 to 7.2.2 (#2713) @dependabot
- ⬆️ Bump actiontext from 7.2.1.2 to 7.2.2 (#2712) @dependabot
- ⬆️ Bump activemodel from 7.2.1.2 to 7.2.2 (#2711) @dependabot
- ⬆️ Bump actionmailer from 7.2.1.2 to 7.2.2 (#2710) @dependabot
- ⬆️ Bump sqlite3 from 2.1.1 to 2.2.0 (#2705) @dependabot
- ⬆️ Bump actionpack from 7.2.1.2 to 7.2.2 (#2709) @dependabot
- ⬆️ Bump activesupport from 7.2.1.2 to 7.2.2 (#2707) @dependabot
- ⬆️ Bump aws-partitions from 1.998.0 to 1.999.0 (#2704) @dependabot
- ⬆️ Bump json from 2.7.4 to 2.7.5 (#2703) @dependabot
- ⬆️ Bump activerecord from 7.2.1.2 to 7.2.2 (#2700) @dependabot
- ⬆️ Bump aws-partitions from 1.997.0 to 1.998.0 (#2697) @dependabot
- ⬆️ Bump nio4r from 2.7.3 to 2.7.4 (#2696) @dependabot
- ⬆️ Bump rails-i18n from 7.0.9 to 7.0.10 (#2695) @dependabot
- ⬆️ Bump aws-partitions from 1.996.0 to 1.997.0 (#2694) @dependabot
- ⬆️ Bump aws-partitions from 1.995.0 to 1.996.0 (#2690) @dependabot
- ⬆️ Bump loofah from 2.23.0 to 2.23.1 (#2691) @dependabot
- ⬆️ Bump json from 2.7.3 to 2.7.4 (#2689) @dependabot
- ⬆️ Bump rubocop-rails from 2.26.2 to 2.27.0 (#2688) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.4
..and go to http://localhost:5100
🔗 Useful Links
v1.47.3: Throttling Fix & Brute Force Protections
📝 What’s Changed
This PR fixes a bug with throttling where if throttling values in settings.yml
were commented out, it could cause a stack traces. Now, commenting out throttling values will disable throttling entirely.
Additionally, protections are now in place to rate limit login attempts to make brute force attacks more difficult.
- Throttling fix & Add protection against login brute forcing (#2685) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.994.0 to 1.995.0 (#2683) @dependabot
- ⬆️ Bump pg from 1.5.8 to 1.5.9 (#2682) @dependabot
- ⬆️ Bump loofah from 2.22.0 to 2.23.0 (#2681) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.3
..and go to http://localhost:5100
🔗 Useful Links
v1.47.2: New Admin Menu Item, Dependency & Security Updates
📝 What’s Changed
🚀 Features
- Framework Update in 9b9f4e6
- Admin: Add admin dashboard to account menu (#2661) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.993.0 to 1.994.0 (#2676) @dependabot
- ⬆️ Bump googleauth from 1.11.1 to 1.11.2 (#2677) @dependabot
- ⬆️ Bump execjs from 2.9.1 to 2.10.0 (#2668) @dependabot
- ⬆️ Bump sqlite3 from 2.1.0 to 2.1.1 (#2663) @dependabot
- ⬆️ Bump aws-partitions from 1.992.0 to 1.993.0 (#2662) @dependabot
- ⬆️ Bump aws-sdk-core from 3.210.0 to 3.211.0 (#2660) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.168.0 to 1.169.0 (#2653) @dependabot
- ⬆️ Bump aws-sdk-kms from 1.94.0 to 1.95.0 (#2655) @dependabot
- ⬆️ Bump brakeman from 6.2.1 to 6.2.2 (#2657) @dependabot
- ⬆️ Bump zeitwerk from 2.7.0 to 2.7.1 (#2654) @dependabot
- ⬆️ Bump aws-partitions from 1.991.0 to 1.992.0 (#2652) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.2
..and go to http://localhost:5100
🔗 Useful Links
v1.47.1: Disable Secret URL Prefetch & Increased Security Logins
This release improves the security of logins. Details in #2651.
Thanks the security firm who pointed out these potential issues.
If I get permission, I'll post their details once all the fixes out. (There are more on the way)
📝 What’s Changed
- Disable prefetch on secret URLs (#2650) @pglombardo
🚀 Features
- Enable increased login security (#2651) @pglombardo
👥 List of contributors
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.1
..and go to http://localhost:5100
🔗 Useful Links
v1.47.0: New Background Worker Dashboard (Admin)
📝 What’s Changed
This release bundles a new dashboard for background job monitoring for those running the pglombardo/pwpush-worker
container. (Still in Beta).
Available from /admin
and directly at /admin/jobs
- New Background worker Dashboard (Admin) (#2638) @pglombardo
- Add missing translation keys (#2649) @pglombardo
🚀 Features
- Latest Language Strings (#2648) @pglombardo
- Remove the Feedback Form (#2640) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump standard from 1.41.0 to 1.41.1 (#2645) @dependabot
- ⬆️ Bump erb_lint from 0.6.0 to 0.7.0 (#2641) @dependabot
- ⬆️ Bump net-imap from 0.4.17 to 0.5.0 (#2643) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.167.0 to 1.168.0 (#2642) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.4
..and go to http://localhost:5100
🔗 Useful Links
v1.46.3: Framework Security Patch
📝 What’s Changed
- Framework Security Patch (#2639) @pglombardo
👥 List of contributors
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.3
..and go to http://localhost:5100
🔗 Useful Links
v1.46.2: Translations Updates & Fixes
📝 What’s Changed
- Fix Missing Translations (#2637) Thanks @ecoutinho!
🚀 Features
- CI: Update tests to use Ruby 3.3 (#2619) @pglombardo
- Latest Language String (#2618) @pglombardo
- Tests: Add test to validate file upload limits (#2612) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.990.0 to 1.991.0 (#2636) @dependabot
- ⬆️ Bump turbo-rails from 2.0.10 to 2.0.11 (#2624) @dependabot
- ⬆️ Bump aws-partitions from 1.989.0 to 1.990.0 (#2620) @dependabot
- ⬆️ Bump rack from 3.1.7 to 3.1.8 (#2615) @dependabot
- ⬆️ Bump zeitwerk from 2.6.18 to 2.7.0 (#2616) @dependabot
- ⬆️ Bump google-apis-storage_v1 from 0.46.0 to 0.47.0 (#2614) @dependabot
- ⬆️ Bump net-imap from 0.4.16 to 0.4.17 (#2613) @dependabot
- ⬆️ Bump debase-ruby_core_source from 3.3.5 to 3.3.6 (#2610) @dependabot
- ⬆️ Bump aws-partitions from 1.988.0 to 1.989.0 (#2609) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.2
..and go to http://localhost:5100
🔗 Useful Links
v1.46.1: Worker Container Fix
📝 What’s Changed
- Fix
pwpush-worker
Docker container entry point - Update Docker compose files
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.987.0 to 1.988.0 (#2607) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.1
..and go to http://localhost:5100
🔗 Useful Links
v1.46.0: New worker container
The worker container is being added for future functionality. Currently it runs the background cleanup tasks. It is not required to run the application.
📝 What’s Changed
- New pwpush-worker Docker container (#2601) @pglombardo
🚀 Features
- Ruby: >=3.2 (#2598) @pglombardo
- Simplify Secret URL bar (#2597) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.987.0 to 1.988.0 (#2607) @dependabot
- ⬆️ Bump rubocop-performance from 1.21.1 to 1.22.1 (#2606) @dependabot
- ⬆️ Bump aws-partitions from 1.986.0 to 1.987.0 (#2602) @dependabot
- ⬆️ Bump standard from 1.40.1 to 1.41.0 (#2603) @dependabot
- ⬆️ Bump terser from 1.2.3 to 1.2.4 (#2596) @dependabot
- ⬆️ Bump aws-partitions from 1.985.0 to 1.986.0 (#2593) @dependabot
- ⬆️ Bump googleauth from 1.11.0 to 1.11.1 (#2591) @dependabot
- ⬆️ Bump google-cloud-env from 2.2.0 to 2.2.1 (#2590) @dependabot
- ⬆️ Bump aws-partitions from 1.984.0 to 1.985.0 (#2589) @dependabot
- ⬆️ Bump msgpack from 1.7.2 to 1.7.3 (#2588) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.45.12
..and go to http://localhost:5100