Releases: pglombardo/PasswordPusher
v1.48.0: Login Security Improvements
7ceab94
pglombardo
Peter Giacomo Lombardo
This release improves the overall security of logins in Password Pusher. Details below.
With this release, all pre-existing login sessions will end and users will have to log in again.
The improvements are:
- "Remember me" now only remembers for 1 week
- Login password length increased to 10 to 128 characters (previously 6 to 128) (preexisting login passwords unaffected)
- Login sessions now expire after 2 hours of inactivity
- Cookie serialization is now done via JSON to fix https://github.com/pglombardo/PasswordPusher/security/code-scanning/1
Being a security product dealing with sensitive information, these changes are appropriate.
📝 What’s Changed
- Improved Login Security (#2731) @pglombardo
- Security: Use json for cookie serialization (#2720) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.33.0 to 1.34.0 (#2730) @dependabot
- ⬆️ Bump date from 3.3.4 to 3.4.0 (#2729) @dependabot
- ⬆️ Bump aws-partitions from 1.1000.0 to 1.1001.0 (#2728) @dependabot
- ⬆️ Bump rackup from 2.1.0 to 2.2.0 (#2725) @dependabot
- ⬆️ Bump debase from 0.2.5.beta2 to 0.2.6 (#2724) @dependabot
- ⬆️ Bump oj from 3.16.6 to 3.16.7 (#2722) @dependabot
- ⬆️ Bump google-apis-iamcredentials_v1 from 0.21.0 to 0.22.0 (#2723) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.5..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.47.4: Framework, Dependency & Security Updates
d4dec75
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
⬆️ Dependencies updates
- ⬆️ Bump rubocop-ast from 1.32.3 to 1.33.0 (#2698) @dependabot
- ⬆️ Bump aws-partitions from 1.999.0 to 1.1000.0 (#2716) @dependabot
- ⬆️ Bump parser from 3.3.5.0 to 3.3.5.1 (#2718) @dependabot
- ⬆️ Bump overcommit from 0.64.0 to 0.64.1 (#2717) @dependabot
- ⬆️ Bump actionview from 7.2.1.2 to 7.2.2 (#2715) @dependabot
- ⬆️ Bump actioncable from 7.2.1.2 to 7.2.2 (#2714) @dependabot
- ⬆️ Bump activestorage from 7.2.1.2 to 7.2.2 (#2713) @dependabot
- ⬆️ Bump actiontext from 7.2.1.2 to 7.2.2 (#2712) @dependabot
- ⬆️ Bump activemodel from 7.2.1.2 to 7.2.2 (#2711) @dependabot
- ⬆️ Bump actionmailer from 7.2.1.2 to 7.2.2 (#2710) @dependabot
- ⬆️ Bump sqlite3 from 2.1.1 to 2.2.0 (#2705) @dependabot
- ⬆️ Bump actionpack from 7.2.1.2 to 7.2.2 (#2709) @dependabot
- ⬆️ Bump activesupport from 7.2.1.2 to 7.2.2 (#2707) @dependabot
- ⬆️ Bump aws-partitions from 1.998.0 to 1.999.0 (#2704) @dependabot
- ⬆️ Bump json from 2.7.4 to 2.7.5 (#2703) @dependabot
- ⬆️ Bump activerecord from 7.2.1.2 to 7.2.2 (#2700) @dependabot
- ⬆️ Bump aws-partitions from 1.997.0 to 1.998.0 (#2697) @dependabot
- ⬆️ Bump nio4r from 2.7.3 to 2.7.4 (#2696) @dependabot
- ⬆️ Bump rails-i18n from 7.0.9 to 7.0.10 (#2695) @dependabot
- ⬆️ Bump aws-partitions from 1.996.0 to 1.997.0 (#2694) @dependabot
- ⬆️ Bump aws-partitions from 1.995.0 to 1.996.0 (#2690) @dependabot
- ⬆️ Bump loofah from 2.23.0 to 2.23.1 (#2691) @dependabot
- ⬆️ Bump json from 2.7.3 to 2.7.4 (#2689) @dependabot
- ⬆️ Bump rubocop-rails from 2.26.2 to 2.27.0 (#2688) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.4..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.47.3: Throttling Fix & Brute Force Protections
e4e0bcf
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
This PR fixes a bug with throttling where if throttling values in settings.yml were commented out, it could cause a stack traces. Now, commenting out throttling values will disable throttling entirely.
Additionally, protections are now in place to rate limit login attempts to make brute force attacks more difficult.
- Throttling fix & Add protection against login brute forcing (#2685) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.994.0 to 1.995.0 (#2683) @dependabot
- ⬆️ Bump pg from 1.5.8 to 1.5.9 (#2682) @dependabot
- ⬆️ Bump loofah from 2.22.0 to 2.23.0 (#2681) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.3..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.47.2: New Admin Menu Item, Dependency & Security Updates
2a99e73
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
🚀 Features
- Framework Update in 9b9f4e6
- Admin: Add admin dashboard to account menu (#2661) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.993.0 to 1.994.0 (#2676) @dependabot
- ⬆️ Bump googleauth from 1.11.1 to 1.11.2 (#2677) @dependabot
- ⬆️ Bump execjs from 2.9.1 to 2.10.0 (#2668) @dependabot
- ⬆️ Bump sqlite3 from 2.1.0 to 2.1.1 (#2663) @dependabot
- ⬆️ Bump aws-partitions from 1.992.0 to 1.993.0 (#2662) @dependabot
- ⬆️ Bump aws-sdk-core from 3.210.0 to 3.211.0 (#2660) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.168.0 to 1.169.0 (#2653) @dependabot
- ⬆️ Bump aws-sdk-kms from 1.94.0 to 1.95.0 (#2655) @dependabot
- ⬆️ Bump brakeman from 6.2.1 to 6.2.2 (#2657) @dependabot
- ⬆️ Bump zeitwerk from 2.7.0 to 2.7.1 (#2654) @dependabot
- ⬆️ Bump aws-partitions from 1.991.0 to 1.992.0 (#2652) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.2..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.47.1: Disable Secret URL Prefetch & Increased Security Logins
2513a0f
pglombardo
Peter Giacomo Lombardo
This release improves the security of logins. Details in #2651.
Thanks the security firm who pointed out these potential issues.
If I get permission, I'll post their details once all the fixes out. (There are more on the way)
📝 What’s Changed
- Disable prefetch on secret URLs (#2650) @pglombardo
🚀 Features
- Enable increased login security (#2651) @pglombardo
👥 List of contributors
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.47.1..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.47.0: New Background Worker Dashboard (Admin)
2504e53
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
This release bundles a new dashboard for background job monitoring for those running the pglombardo/pwpush-worker container. (Still in Beta).
Available from /admin and directly at /admin/jobs
- New Background worker Dashboard (Admin) (#2638) @pglombardo
- Add missing translation keys (#2649) @pglombardo
🚀 Features
- Latest Language Strings (#2648) @pglombardo
- Remove the Feedback Form (#2640) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump standard from 1.41.0 to 1.41.1 (#2645) @dependabot
- ⬆️ Bump erb_lint from 0.6.0 to 0.7.0 (#2641) @dependabot
- ⬆️ Bump net-imap from 0.4.17 to 0.5.0 (#2643) @dependabot
- ⬆️ Bump aws-sdk-s3 from 1.167.0 to 1.168.0 (#2642) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.4..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.46.3: Framework Security Patch
e0efeeb
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
- Framework Security Patch (#2639) @pglombardo
👥 List of contributors
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.3..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.46.2: Translations Updates & Fixes
be61968
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
- Fix Missing Translations (#2637) Thanks @ecoutinho!
🚀 Features
- CI: Update tests to use Ruby 3.3 (#2619) @pglombardo
- Latest Language String (#2618) @pglombardo
- Tests: Add test to validate file upload limits (#2612) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.990.0 to 1.991.0 (#2636) @dependabot
- ⬆️ Bump turbo-rails from 2.0.10 to 2.0.11 (#2624) @dependabot
- ⬆️ Bump aws-partitions from 1.989.0 to 1.990.0 (#2620) @dependabot
- ⬆️ Bump rack from 3.1.7 to 3.1.8 (#2615) @dependabot
- ⬆️ Bump zeitwerk from 2.6.18 to 2.7.0 (#2616) @dependabot
- ⬆️ Bump google-apis-storage_v1 from 0.46.0 to 0.47.0 (#2614) @dependabot
- ⬆️ Bump net-imap from 0.4.16 to 0.4.17 (#2613) @dependabot
- ⬆️ Bump debase-ruby_core_source from 3.3.5 to 3.3.6 (#2610) @dependabot
- ⬆️ Bump aws-partitions from 1.988.0 to 1.989.0 (#2609) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.2..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.46.1: Worker Container Fix
8120447
pglombardo
Peter Giacomo Lombardo
📝 What’s Changed
- Fix
pwpush-workerDocker container entry point - Update Docker compose files
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.987.0 to 1.988.0 (#2607) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.46.1..and go to http://localhost:5100
🔗 Useful Links
Contributors
Assets 2
v1.46.0: New worker container
f3fb8ab
pglombardo
Peter Giacomo Lombardo
The worker container is being added for future functionality. Currently it runs the background cleanup tasks. It is not required to run the application.
📝 What’s Changed
- New pwpush-worker Docker container (#2601) @pglombardo
🚀 Features
- Ruby: >=3.2 (#2598) @pglombardo
- Simplify Secret URL bar (#2597) @pglombardo
⬆️ Dependencies updates
- ⬆️ Bump aws-partitions from 1.987.0 to 1.988.0 (#2607) @dependabot
- ⬆️ Bump rubocop-performance from 1.21.1 to 1.22.1 (#2606) @dependabot
- ⬆️ Bump aws-partitions from 1.986.0 to 1.987.0 (#2602) @dependabot
- ⬆️ Bump standard from 1.40.1 to 1.41.0 (#2603) @dependabot
- ⬆️ Bump terser from 1.2.3 to 1.2.4 (#2596) @dependabot
- ⬆️ Bump aws-partitions from 1.985.0 to 1.986.0 (#2593) @dependabot
- ⬆️ Bump googleauth from 1.11.0 to 1.11.1 (#2591) @dependabot
- ⬆️ Bump google-cloud-env from 2.2.0 to 2.2.1 (#2590) @dependabot
- ⬆️ Bump aws-partitions from 1.984.0 to 1.985.0 (#2589) @dependabot
- ⬆️ Bump msgpack from 1.7.2 to 1.7.3 (#2588) @dependabot
👥 List of contributors
@dependabot, @dependabot[bot] and @pglombardo
🛥️ Docker Images
Available on Docker Hub:
https://hub.docker.com/r/pglombardo/pwpush
🏃♂️ Run This Version
docker run -d -p 5100:5100 pglombardo/pwpush:1.45.12..and go to http://localhost:5100