Cloudron Forum

[4.6.7] Update PeerTube to 8.1.6 Full Changelog Follow v8.1.0 IMPORTANT NOTES if you upgrade from PeerTube <= v8.0.2 Fix SQL injection coming from actor inbox URL when updating actor follow scores. Thanks to Nagarajan Selvaraj Paulmony for reporting this vulnerability Reject JSON-LD objects with special properties. Thanks to Mastodon security team for reporting this vulnerability Restricts role assignment to administrators only Prevent external auth token replay Prevent SSRF on import and channel sync Stricter rate limit to ask password reset

[1.28.1] Update mattermost to 11.7.1 Full Changelog

[0.14.1] Update rustfs to 1.0.0-beta.4 Full Changelog test(ecstore): cover managed sse range reads by @marshawcoco in #2962 bucket policy notify & pba by @GatewayJ in #2968 fix(sftp): preserve OPEN-time client attrs as object metadata by @simon-escapecode in #2913 fix(admin): surface access key policy errors by @marshawcoco in #2970 fix: handle Windows paths in pre-commit tests by @marshawcoco in #2974 fix(security): harden proxy auth and default credentials by @overtrue in #2981 fix: stabilize rebalance start and listing by @weisd in #2961 feat(internode): add transport observability by @marshawcoco in #3007 feat(obs): expose key S3 usecase spans at info by @houseme in #3013 feat(ecstore): add internode transport boundary and TCP baseline runner by @marshawcoco in #3010

[2.51.0] Update kimai to 2.57.0 Full Changelog New API endpoints for comment (list, create, delete, pin) for projects and customers New configuration to define the theme for non-authenticated requests like login page (#5929) Export naming: only name the default renderer "default" (#5929) Fix: new weekly-hours could not be added in weeks with exported timesheets (#5642) Fix: some dashboard widget links were invisible in dark mode (#5940) Prevent querying arbitrary user timesheets (#5929) Prevent changing favorites of arbitrary users (#5929) Prevent regular users from turning their account into a systemAccount (#5929) Prevent cross entity rate manipulation (#5929) Fix checking for correct formatter in durationDecimal (#5943)

[2.9.7] Update formbricks to 4.9.7 Full Changelog fix: [Backport] backports dns pinning fix by @pandeymangg in #8108

[1.16.2] Update pocketbase to 0.38.2 Full Changelog Added RealtimeConnectRequestEvent.MaxTimeout field to specify the absolute max duration a realtime connection can remain open (default to 30mins). Added extra checks for the connected user IP in the realtime APIs to prevent bruteforce guest subscription update attempts and to serve as an extra protection for the "all-in-one" OAuth2 realtime handler. Don't reset the records list pagination on record update (#7694). Updated all golang.org/x/ packages to cover the recent security fixes (none of them should be a critical issue in PocketBase but nonetheless it is advised to update).

[1.5.0] Update seaweedfs to 4.28 Full Changelog fix(s3/audit): populate requester for GET/HEAD/IAM operations by @chrislusf in #9581 fix(s3): sync IAM policies to advanced IAM Manager policy engine by @Mmx233 in #9577 fix(s3): keep server-side copy data in the bucket collection by @chrislusf in #9607 fix(s3): list empty directories as directory markers by @chrislusf in #9615 fix(shell): volumeServer.evacuate no longer panics on a nil volume by @chrislusf in #9587 fix(filer.sync): keep sync_offset fresh while the source is read-only by @chrislusf in #9589 fix(ec): pack EC shards onto fewer disks instead of refusing the task by @chrislusf in #9588 fix(filer): don't disable the SQL idle connection pool when unconfigured by @chrislusf in #9591 feat(fix): rebuild lost EC index (.ecx) and .vif from local shards by @chrislusf in #9596 feat(helm): add volume.rust toggle to run the Rust volume server by @chrislusf in #9618