Cloudron Forum

[5.6.1] Update server to 32.0.1 Full Changelog

[2.19.3] Update espocrm to 9.2.4 Full Changelog Hyphen in link middle table name breaks database rebuilding #3500 Lead conversion: Duplicate created before duplicate conflict #3499 OAuth refresh token issue #3498

[1.26.0] Update dokuwiki-plugin-oauth to 2025-10-23

[1.8.2] Update Kavita to 0.8.8.3 Full Changelog Changed: Kavita will now filter out unsupported scopes before requesting them from your OIDC provider Changed: OIDC providers are now required to use tls (https) Fixed: Fixed a bug where announcements with images would scale weird Fixed: Fixed some OPDS feeds not including next markers (pagination) for certain total sizes. Fixed: Fixed OIDC not working when a custom base URL is set Fixed: Fixed admin users having age restrictions applied when created with default permissions via OIDC Fixed: Fixed not being able to set default age restriction to Not Applicable once changed Fixed: Fixed a race condition when changing both metadata and cover image of an entity, where one of the changes could be lost Fixed: Fixed OPDS not working correctly when a base URL is set

[1.9.0] Update pocketbase to 0.31.0 Full Changelog Visualize presentable multiple relation fields (#​7260). Support Ed25519 in the optional OIDC id_token signature validation (#​7252; thanks @​shynome). Added ApiScenario.DisableTestAppCleanup optional field to skip the auto test app cleanup and leave it up to the developers to do the cleanup manually (#​7267). Added FileDownloadRequestEvent.ThumbError field that is populated in case of a thumb generation failure (e.g. unsupported format, timing out, etc.), allowing developers to reject the thumb fallback and/or supply their own custom thumb generation (#​7268). Disallow client-side filtering and sorting of relations where the collection of the last targeted relation field has superusers-only List/Search API rule to further minimize the risk of eventual side-channel attack.

[1.4.2] Update keycloak to 26.4.2 Full Changelog #43351 Make pending email verification attribute removable by admin user-profile #43650 SPIFFE should support OIDC JWK endpoint #30939 Vulnerability in brute force detection settings authentication #43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering #43244 UI crash on admin /users/add-user since 26.4.0 admin/ui #43561 Server does not shutdown gracefully when started with --optimized core

[1.3.0] Update sftpgo to 2.7.0 Full Changelog SFTPD: Added support for Post-Quantum Traditional Hybrid Key Exchange through the newly added algorithm mlkem768x25519-sha256. JWT: replace jwtauth/jwx with lightweight wrapper around go-jose. Implementing our own wrapper simplifies the codebase and improves maintainability. Moreover, go-jose depends only on the standard library, resulting in a leaner dependency that still meets all our requirements. WebUI: add French and German translations. Public shares: show disclaimer on login page. Enable setting password change requirements in user templates. DataProvider: preserve the initial sort order for related resources (such as folders and groups), improving compatibility and predictability when managing them with Terraform. OIDC: allow login if the password method is disabled. OIDC: ensure token username adheres to configured naming conventions. Removed Git support. Hosting Git repositories over SSH falls outside the intended scope of a file transfer solution, and the use of external commands introduces unnecessary security risks by increasing the attack surface. For example, a user could upload a Git repository containing custom hooks to their SFTPGo folder; when they push to the repository, a Git pre-receive hook shell script would be executed with the privileges of the sftpgo user. Thanks to @hyperreality for the detailed report. Removed rsync support. In the previous versions, rsync was executed as an external command, which means we have no insight into or control over what it actually does. From a security perspective, this is far from ideal. To be clear, there's nothing inherently wrong with rsync itself. However, if we were to support it properly within SFTPGo, we would need to implement the low-level protocol internally rather than relying on launching an external process. This would ensure it works seamlessly with any storage backend, just as SFTP does, for example. We recommend using one of the many alternatives that rely on the SFTP protocol, such as rclone.

@tronical personally I do this process : fork the repo make changes docker build etc. docker push etc cloudron install etc. Maybe I should learn cloudron build but I am an old dog with limited brain space My build script (usually in folder above the app dev folder) : #!/bin/bash if [ "$#" -lt 1 ]; then echo "Usage: $0 <image-name> [cache|nocache] <appname.yourdomain.tld>" exit 1 fi # Get the directory from which the script was called BUILD_DIR="$(pwd)" if [ "$2" = "cache" ]; then echo "Building with cache ..." docker build --platform linux/amd64 -t $1 "$BUILD_DIR" else echo "Building with no cache ..." docker build --no-cache --platform linux/amd64 -t $1 "$BUILD_DIR" fi docker push $1 cloudron install --image $1 --location $3 e.g. ../cld.sh dockerregistry.yourdomain.tld/appname:version cache appname.yourdomain.tld

[1.12.0] Update cryptpad to 2025.9.0 Full Changelog Update icons #1987 Make client compatible with new server #2059 Guard against misconfiguration of fileHost setting #2017 @ansuz Add a checkup page test for /upload-blob #1995 @ansuz Add forceRedirect to SSO #1868 @avinash-0007 SSO login redirect #2057 Make sure OnlyOffice user index does not change #2066 Office documents corruption on server issues #2064 Fix disappearing sheets #1991 Hardcoded values in PDF export metadata #2015

[1.6.8] Update v2 to 2.2.14 Full Changelog Go Client: Allow passing a custom http.Client and add context support to API methods. UI: Redirect users back to the original page after logging in. Template: Improved Content Security Policy: extracted CSP generation into a function, added systematic nonces, and changed default-src to 'none' for stronger security. Integrations: Added tags option for the Karakeep integration. Integrations: Added new Archive.org integration. Rewrite Rules: Added remove_img_blur_params rule. Rewrite Rules: Added add_image_title rule for explainxkcd.com. Fixed CSS layout overflow when external links are too long. Fixed JSON Feed parser to fallback to external_url when url is missing. Updated scraper rule for Dark Reading.

[1.25.3] Update Trilium to 0.99.3 Full Changelog Issues with the ribbon and some about dialogs when formatting locale is set to Chinese Incorrect date format for Chinese. Development locale appearing in production. Split reverted on right-to-left languages Fixes for the Flatpak installation method: Flatpak Data Access Issue on install/update : permission issue flatpak doesn't launch after install, needs no-sandbox Icon missing in Flatpak shortcut. Trilium does not unlock after autolock Note color not taken into consideration for reference links

[1.82.0] Update vault to 1.21.0 Full Changelog auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled. activity: Renamed timestamp in export API response to token_creation_time. http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count. AES-CBC in Transit (Enterprise): Add support for encryption and decryption with AES-CBC in the Transit Secrets Engine. KV v2 Version Attribution: Vault now includes attribution metadata for versioned KV secrets. This allows lookup of attribution information for each version of KV v2 secrets from CLI and API. Login MFA TOTP Self-Enrollment (Enterprise): Simplify creation of login MFA TOTP credentials for users, allowing them to self-enroll MFA TOTP using a QR code (TOTP secret) generated during login. The new functionality is configurable on the TOTP login MFA method configuration screen and via the enable_self_enrollment parameter in the API. activity (enterprise): Fix development_cluster setting being overwritten on performance secondaries upon cluster reload. auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load. auth/spiffe: Address an issue updating a role with overlapping workload_id_pattern values it previously contained. core: Role based quotas now work for cert auth