From a87d0f294398814129a00b4c3813d33f87230c14 Mon Sep 17 00:00:00 2001 From: ansuz Date: Fri, 23 Oct 2020 12:35:44 +0530 Subject: [PATCH] update changelog and version string for 3.23.2 (XerusDaamsi reloaded) --- CHANGELOG.md | 33 +++++++++++++++++++++++++++++++++ customize.dist/pages.js | 2 +- package-lock.json | 2 +- package.json | 2 +- 4 files changed, 36 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 30661d523..9f649883d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,36 @@ +# XerusDaamsi reloaded (3.23.2) + +A number of instance administrators reported issues following our 3.23.1 release. We suspect the issues were caused by applying the recommended update steps out of order which would result in the incorrect HTTP header values getting cached for the most recent version of a file. Since the most recently updated headers modified some security settings, this caused a catastrophic error on clients receiving the incorrect headers which caused them to fail to load under certain circumstances. + +Regardless of the reasons behind this, we want CryptPad to be resilient against misconfiguration. This minor release includes a number of measures to override the unruly caching mechanisms employed internally by two of our most stubborn dependencies (CKEditor and OnlyOffice). Deploying 3.23.2 should force these editors to load the most recent versions of these dependencies according to the same policies as the rest of CryptPad and instruct clients to ignore any incorrect server responses they might have cached over the last few updates. + +This release also includes a number of bug fixes which had been tested in the meantime. + +Other bug fixes + +* We removed a hardcoded translation pertaining to the recently introduced "snapshot" functionality. +* Inspection of our server logs revealed a number of rare race conditions and type errors that have since been addressed. These included: + * multiple invocations of a callback when iterating over the list of all encrypted blobs + * a type error when recovering from the crash of one of the database worker processes + * premature closure of filesystem read-streams due to a timeout when the server was under heavy load +* A thorough review of our teams functionality revealed the possibility of some similarly rare issues that have since been corrected: + * it was possible to click the buttons on the "team invitation response dialog" multiple times before the first action completed. In some cases this could result in attempting to join a single team multiple times. + * it was also possible to activate trigger several actions that would modify your access rights for a team when the team had not fully synchronized with the server. Some of the time this was recoverable, but it could occasionally result in your team membership getting stuck in a bad state. + +We've implemented some measures to correct any team data that might have become corrupted due to the issues described above. Access rights from duplicated teams should be merged back into one set of cryptographic keys wherever possible. In cases where this isn't possible your role in the team will be automatically downgraded to the rank conferred by the keys you still have. For instance, somebody listed as an administrator who only has the keys required to view the team will downgrade themself to be a viewer. Subsequent promotions back to your previous team role should restore your possession of the required keys. + +To update to 3.23.2 from 3.23.0 or 3.23.1: + +Perform the same upgrade steps listed for 3.23.0 including the most recent configuration changes listed in `cryptpad/docs/example.nginx.conf... + +1. Modify your server's NGINX config file (but don't apply its changes until step 6) +2. Stop CryptPad's nodejs server +3. Get the latest platform code with git +4. Install client-side dependencies with `bower update` +5. Install server-side dependencies with `npm install` +6. Reload NGINX with `service nginx reload` to apply its config changes +7. Restart the CryptPad API server + # XerusDaamsi's revenge (3.23.1) We discovered a number of minor bugs after deploying 3.23.0. This minor release addresses them. diff --git a/customize.dist/pages.js b/customize.dist/pages.js index 2bd67b906..1db764bcc 100644 --- a/customize.dist/pages.js +++ b/customize.dist/pages.js @@ -62,7 +62,7 @@ define([ var imprintUrl = AppConfig.imprint && (typeof(AppConfig.imprint) === "boolean" ? '/imprint.html' : AppConfig.imprint); - Pages.versionString = "CryptPad v3.23.1 (XerusDaamsi's revenge)"; + Pages.versionString = "CryptPad v3.23.2 (XerusDaamsi reloaded)"; // used for the about menu Pages.imprintLink = AppConfig.imprint ? footLink(imprintUrl, 'imprint') : undefined; diff --git a/package-lock.json b/package-lock.json index 40d00411f..a9ee6e5e7 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "cryptpad", - "version": "3.23.1", + "version": "3.23.2", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/package.json b/package.json index 6f4fa275e..a849b2c2d 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "cryptpad", "description": "realtime collaborative visual editor with zero knowlege server", - "version": "3.23.1", + "version": "3.23.2", "license": "AGPL-3.0+", "repository": { "type": "git",