BookStack Code Mirror - website/commitdiff
Merge branch 'v24-02'
author Dan Brown <redacted>
Wed, 28 Feb 2024 12:35:06 +0000 (12:35 +0000)
committer Dan Brown <redacted>
Wed, 28 Feb 2024 12:35:06 +0000 (12:35 +0000)
content/blog/2024/security-release-v23-12-3.md [new file with mode: 0644]
content/docs/admin/updates.md
static/images/blog-cover-images/unsplash/fence-duong-chung.jpg [new file with mode: 0644]

diff --git a/content/blog/2024/security-release-v23-12-3.md b/content/blog/2024/security-release-v23-12-3.md
new file mode 100644 (file)
index 0000000..f0072f6
--- /dev/null
@@ -0,0 +1,35 @@
++++
+categories = ["Releases"]
+tags = ["Releases"]
+title = "BookStack Security Release v23.12.3"
+date = 2024-02-26T12:00:00Z
+author = "Dan Brown"
+image = "/images/blog-cover-images/unsplash/fence-duong-chung.jpg"
+slug = "bookstack-release-v23-12-3"
+draft = false
++++
+
+BookStack v23.12.3 has been released.
+This is a security release that addresses a vulnerability in PDF generation
+that could be exploited to perform blind server-side-request forgery.
+
+Upgrade is advised where untrusted users have permission to create/edit/update page
+content in your instance.
+
+* [Update instructions](https://www.bookstackapp.com/docs/admin/updates)
+* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v23.12.3)
+
+### Full List of Changes
+
+* Updated PHP dependencies, primarily to update php-svg-lib package.
+
+### For More Information
+
+If you have any questions or comments about this advisory:
+* Open an issue in [the BookStack GitHub repository](https://github.com/BookStackApp/BookStack/issues).
+* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).
+* Follow the [BookStack security policy](https://github.com/BookStackApp/BookStack/blob/development/.github/SECURITY.md) to contact someone privately.
+
+----
+
+<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@chungharu?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash">duong chung</a> on <a href="https://unsplash.com/photos/selective-focus-photography-of-wooden-fence-3QDe3kGZjXY?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash">Unsplash</a></span></span>
\ No newline at end of file
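Review bot: the "Full List of Changes" bullet ("Updated PHP dependencies, primarily to update php-svg-lib package.") names the dependency but not the version it was moved to or the BookStack versions affected, so an operator cannot confirm from this post alone whether their install carries the fixed package; suggest stating the php-svg-lib version now pinned in the dependency lock file and the affected BookStack range (e.g. "v23.12.2 and earlier" if that is accurate) alongside the bullet, and mentioning the blind SSRF nature of the issue there too so the changelog entry is self-explanatory. Minor: the file ends without a trailing newline.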
index e096e803ecdc337305b7c2ea8145dc85d5e083c0..ba26840e9e43ea13d53a929c026c7407ac1a1c43 100644 (file)
@@ -49,6 +49,10 @@ the [GitHub releases page](https://github.com/BookStackApp/BookStack/releases).
 
 **OIDC Authentication** - Proof Key for Code Exchange (PKCE) support has been added to BookStack OIDC authentication. This should not affect existing OIDC use but you may want to enforce PKCE to be required for BookStack on your authentication system, if supported, for extra security.
 
+#### Updating to v23.12.3 or higher
+
+**Security** - v23.12.3 addresses a vulnerability in PDF generation that could be exploited, by users with the ability to create/edit/update page content, to perform blind server-side-request forgery.
+
 #### Updating to v23.12 or higher
 
 **Page Includes** - The way page include content is fetched & merged has changed significantly in this release, which in some cases may alter how included content appears on the page.
diff --git a/static/images/blog-cover-images/unsplash/fence-duong-chung.jpg b/static/images/blog-cover-images/unsplash/fence-duong-chung.jpg
new file mode 100644 (file)
index 0000000..33437f4
--- /dev/null
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:61a45be805ab601b45be5f3840c2c5902712b3485b9f04ce3e8a05daaa19d0a6
+size 396761