Wekan - Package Updates
-
[4.88.0]
- Update wekan to 8.16
- Full Changelog
- Fix SECURITY ISSUE 1: File Attachments enables stored XSS (High) Thanks to Siam Thanat Hack (STH) and xet7.
- Fix SECURITY ISSUE 2: Access to boards of any Orgs/Teams, and avatar permissions Thanks to Siam Thanat Hack (STH) and xet7.
- Fix SECURITY ISSUE 3: Unauthenticated (or any) user can update board sort Thanks to Siam Thanat Hack (STH) and xet7.
- Fix SECURITY ISSUE 4: Members can forge others votes (Low). Bonus: Similar fixes to planning poker too done by xet7 Thanks to Siam Thanat Hack (STH) and xet7.
- Fix SECURITY ISSUE 5: Attachment API uses bearer value as userId and DoS (Low) Thanks to Siam Thanat Hack (STH) and xet7.
- List menu / More / Delete duplicate lists that do not have any cards Thanks to xet7.
- Disabled migrations that happen when opening board. Defaulting to per-swimlane lists and drag drop list to same or different swimlane Thanks to xet7.
- Fix changing swimlane color to not reload webpage Thanks to xet7.
-
[4.89.0]
- Update wekan to 8.17
- Full Changelog
- Feature: Workspaces, at All Boards page. Thanks to xet7.
- Fix 8.16: Switching Board View fails with 403 error. Thanks to xet7.
- Moved migrations from opening board to right sidebar / Migrations. Thanks to xet7.
- Fix 8.16 Lists with no items are deleted every time when board is opened. Moved migrations to right sidebar. Thanks to xet7.
- Remove old translations and code not in use anymore. Thanks to xet7.
- Fixed sidebar migrations to be per-board, not global. Clarified translations. Thanks to xet7.
- Fix star board. Thanks to xet7.
- Fix Card emoji issues. Thanks to xet7.
- Try to fix Edit Custom Fields button not working. Removed duplicate option from Boards Settings. Thanks to xet7.
- Fix Regression - calendar popup to set due date has gone. Thanks to xet7.
-
having installed 8.08, update to 4.85.0 is not working; I don't get displayed any newer version. any other persons having these issues?
-
[4.90.0]
- Update wekan to 8.18
- Full Changelog
- Gantt chart view to one board view menu Swimlanes/Lists/Calendar/Gantt.
- Number of cards per list and sum of custom number field in list head.
- New Board Permissions: NormalAssignedOnly, CommentAssignedOnly, ReadOnly, ReadAssignedOnly.
- More translations. Added support page to Admin Panel / Settings / Layout.
- Right top User Settings / Grey Icons. Also fixed Change Language popup.
- Collapse Swimlane, List, Opened Card. Opened Card window X and Y position can be moved freely from drag handle. Fix some dragging not possible. Fix iPhone Safari.
- Per-User and Board-level data save fixes. Per-User is collapse, width, height. Per-Board is Swimlanes, Lists, Cards etc.
- Fix Broken Strikethroughs in Markdown to HTML conversion.
- Fix checklist delete action (issue #6020), link-card popup defaults, and stabilize due-cards ordering.
-
[4.91.0]
- Update wekan to 8.19
- Full Changelog
- Security Fix 1: IDOR in setCreateTranslation. Non-admin could change Custom Translation
- Security Fix 2: Private-only board setting can be bypassed
- Security Fix 3: Card comment author spoofing (IDOR) via API
- Security Fix 4: Cross-board card move without destination authorization
- Security Fix 5: Read-only roles can still update cards
- Security Fix 6: Checklist delete IDOR: checklist not verified against board/card
- Security Fix 7: Checklist create IDOR: cardId not verified against boardId
- Security Fix 8: Attachments publication leaks metadata without auth
- Security Fix 9: Attachment upload not scoped to card/board relationship
- Security Fix 10: LDAP filter injection in LDAP auth
-
[4.93.0]
- Update wekan to 8.21
- Full Changelog
- Security Fix 2: OrgsTeamsBleed
- Security Fix 3: ChecklistRESTBleed
- Security Fix 4: MigrationsBleed2
- Security Fix 5: PositionHistoryBleed
- Security Fix 6: SyncLDAPBleed
- Security Fix 7: AttachmentMigrationBleed
- Security Fix 8: MoveStorageBleed
- Security Fix 9: ListWIPBleed
- Security Fix 10: BoardTitleRESTBleed
- Security Fix 11: CardPubSubBleed
-
[4.93.1]
- Update wekan to 8.22
- Full Changelog
- Fixed Add member and @mentions
-
[4.95.0]
- Update wekan to 8.24
- Full Changelog
- Secure Sandbox for VSCode at Debian 13 amd64. Part 1, Part 2. Thanks to xet7.
- Updated build scripts and docs to Meteor 2.16. Thanks to xet7.
- Replace mquandalle:collection-mutations with collection helpers. Thanks to harryadel.
- Replace ongoworks:speakingurl with limax. Thanks to harryadel.
- Migrate createIndex to createIndexAsync. Thanks to harryadel.
- Remove idmontie:migrations. Thanks to harryadel.
- Remove mquandalle:autofocus. Part 1, Part 2. Thanks to harryadel.
-
[4.96.0]
- Update wekan to 8.25
- Full Changelog
- This release fixes the following CRITICAL SECURITY ISSUES of Floppybleed:
- Fix Filebleed of Floppybleed.
- Updated code counts.
- Updated FerretDB 2 / PostgreSQL docs location.
- Most Unicode Icons back to Font Awesome 4.7 for better accessibility. Less always visible buttons, More at Mnu.
- Updated to MongoDB 7.0.29 at Snap Candidate.
- Updated to MongoDB 7.0.29 at Helm Charts.
- Fix autofocus.
-
[4.97.0]
- Update wekan to 8.27
- Full Changelog
- Updated MongoDB to 7.0.29 at Windows install docs
- Fix async/await in copy/move card operations
- Migrate wekan-accounts-lockout to async API for Meteor 3.0
- Added Docs: Spreadsheet vs Kanban
- Updated dependencies
- Reduce visual overflow in Member Settings menu by extending container height
- Fix Card copy menu is not displayed
- Fix Bug: Rules view translation not is not shown correctly
