• The Docker Containers have been updated to run with a restricted user instead of the root users.
  • The new restricted users id and group id are 1000.
  • Host mounted volumes have to be updated to reflect the new user and group id manually.
  • Host mounted volumes mount points of the users home directory have to be updated from /root to /home/<username>. The <username> is determined using the whois command in the container
  • Additional information is available from our FAQ: https://faq.inetsoftware.de/t/upgrading-to-user-restricted-docker-container/277

General

• Added plugin to talk to ChatGPT using bot commands.

Changes

• Scrolling of the messages improved
• The user's online status is displayed at the messages and at the suggestions for mentions. Displaying the status on the individual messages can be deactivated in the settings.
• In the menu of a message the user and the time of the message are shown.
• It is possible to reply to messages. The user of the quoted message is automatically mentioned and gets a notification about the reply.
• Messages, channels and users for direct messages can be found via the global search bar
• Management of members of teams and channels has been changed:
  • Formerly public channels (with no members specified) now have the "All Users" group as a member by default.
  • Teams and channels without members are no longer accessible to all users, now they can be accessed by no one
  • Channels can now be explicitly set to inherit members from the team. Alternatively, a custom selection can be made.
  • Groups no longer need to have CoWork permission explicitly set to be set for memberships. All groups are selectable.
• Channels support uploading of custom icons
• Videos will be played inline in the channel.
• The color markers used to highlight new messages in channels can be set as follows: mentions only, all messages or completely disabled.
• Using the "Copy Text" action in the context menu, the selected text or the entire text of a message can be copied.
• In the "Emoji" dialog of the configuration interface, custom emoji can be added via SVG.
• An extra page with details of logged-in users and created messages has been added for the diagnostic application. Other CoWork plugins can add additional information.
• Automatic playback of gif animations and videos can be customized in the settings.
• Links to web pages in messages additionally generate a preview with title, description and image if the web page contains appropriate Open Graph or Twitter metatags.

• In the configuration you can set whether the audio and video connections are allowed to go through the public client connections or only through configured TURN servers.

Fixed Bugs

• The CoWork Calls WebAPI ignored the preview mode option that prevents accidental execution of destructive operations.

• The details like name, description and icon of meeting rooms can be changed by authorized users.
• Users with the "Create Meeting Rooms" permission can add additional members to a room via the member list.

• Triggers can be set to start after events as opposed to only before them.
• The calendar trigger automatically refreshes its events from the given calendar every 30 seconds.

Fixed Bugs

• Next task execution times filter out past potential execution times.

• Added separate backup and restore option for Embedded Websites.

• File results of a Task Planner task are optionally sent as an attachment with the CoWork message.

Fixed Bugs

• Added a helpful link instead of an error message in the task planner dialog in case an external server hadn't been set yet.

• Support for generating a Software-Bill-of-Materials JSON file using the server's ./well-known/sbom URL with an administrative user account.

• Added text area field for POST and PUT methods to allow directly sending JSON data with the request

• Support for S/MIME signature and encryption of email messages

Fixed Bugs

• Simple line breaks were incorrectly displayed in the browser version of MS Teams.

• Added magnifying glass icon in the search bar to increase the visibility of the search function.
• In the company info dialog of the configuration, it is possible to set to whom the installation hint for the application as a PWA is displayed. Guests and other special user accounts never get the hint displayed.

• When installing on a drive other than C:\ (Windows) then the program data directory can be changed during the setup.

• The event log backup job can optionally include previously archived event entries when using a file persistence.

General

• The bundled Eclipse Temurin was updated to version 17.0.6
• The services of RPM and DEB use the SystemD format instead of the outdated init.d format.
• The Docker Containers have been updated to run with a restricted user instead of the root users.

Changes

• Eventlog entries are also written in Recovery Manager.
• Configuration action in Login category added to reset authentication group members.

Security Fixes

• Security Update for CVE-2022-36033
  • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
• Security Update for CVE-2020-13946
  • In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
• Security Update for CVE-2022-42003
  • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
• Security Update for CVE-2022-31684
  • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
• Security Update for CVE-2022-41946
  • pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
• Security Update for CVE-2021-37533
  • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
• Security Update for CVE-2022-23494
  • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
• Security Update for CVE-2022-41915
  • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.
• Security Update for CVE-2023-22551
  • The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.
• Security Update for CVE-2023-24998
  • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
• Security Update for CVE-2022-45688
  • A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
• Security Update for CVE-2022-45688
  • Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

• Adds the {initiator} placeholder to the server stop trigger, which contains the display name of the user who restarted the server.
• Tasks executed using the /api/taskplanner/execute endpoint are temporarily stored for the user, allowing them to access them later. If the tasks are not accessed again via the WebAPI within 60 seconds, they will be automatically removed.

Fixed Bugs

• In the task planner maintenance section, it was not possible to move tasks away from deactivated users.

Fixed Bugs

• Fixed spelling mistake in "Dark Forest" theme

• Added Web API Extension for Users and Groups, that allows to search for either user or groups and display detail information about them.