Added v24.05.4 post and doc updates

diff --git a/content/blog/2024/security-release-v24-05-4.md b/content/blog/2024/security-release-v24-05-4.md
new file mode 100644 (file)
index 0000000..c9851c2
--- /dev/null
+++ b/content/blog/2024/security-release-v24-05-4.md
@@ -0,0 +1,45 @@
++++
+categories = ["Releases"]
+tags = ["Releases"]
+title = "BookStack Security Release v24.05.4"
+date = 2024-08-29T15:00:00Z
+author = "Dan Brown"
+image = "/images/blog-cover-images/cc-by-sa-4/fence-dietmar-rabich.jpg"
+slug = "bookstack-release-v24-05-4"
+draft = false
++++
+
+BookStack v24.05.4 has been released.
+
+This is a security release to address issues found in LDAP group syncing, where in certain scenarios a user could be matched to extra roles incorrectly, 
+and an issue with content visibility in "book-show" API responses would not have permissions applied properly.
+
+Upgrade is strongly advised for instances where LDAP authentication is used with group syncing, or where
+the REST API is used to fetch contents of books ("books-read" endpoint).
+
+Thanks to Linus Nagel and their team at WorkSimple GmbH for reporting this API vulnerability.
+
+* [Update instructions](https://www.bookstackapp.com/docs/admin/updates)
+* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v24.05.4)
+
+### Full List of Changes
+
+* Updated API docs with consistent parameter types. ([#5183](https://github.com/BookStackApp/BookStack/issues/5183))
+* Updated default content iframe embed max-width to align with other content types. ([#5130](https://github.com/BookStackApp/BookStack/issues/5130))
+* Updated LDAP group sync to query via full DN.
+* Updated translations with latest Crowdin changes. ([#5118](https://github.com/BookStackApp/BookStack/pull/5118))
+* Fixed books read API response not applying visibility control to chapter contents.
+* Fixed API docs users response showing extra property. ([#5178](https://github.com/BookStackApp/BookStack/issues/5178))
+* Fixed database error thrown when using out dev docker setup. ([#5124](https://github.com/BookStackApp/BookStack/issues/5124))
+* Fixed RTL display issues with tasklist checkboxes. ([#5134](https://github.com/BookStackApp/BookStack/issues/5134))
+
+### For More Information
+
+If you have any questions or comments about this advisory:
+* Open an issue in [the BookStack GitHub repository](https://github.com/BookStackApp/BookStack/issues).
+* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).
+* Follow the [BookStack security policy](https://github.com/BookStackApp/BookStack/blob/development/.github/SECURITY.md) to contact someone privately.
+
+----
+
+<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://commons.wikimedia.org/wiki/File:D%C3%BClmen,_Nonnenwall,_Zaun_--_2020_--_4007.jpg">Dietmar Rabich (CC-BY-SA 4.0)</a> - Image Modified</span></span>
\ No newline at end of file

diff --git a/content/docs/admin/ldap-auth.md b/content/docs/admin/ldap-auth.md
index d01fc809329bc3647b05aa7849254c0bb45ce7d2..e43b25f274459f831b9fc88274c580cd97d4779e 100644 (file)
--- a/content/docs/admin/ldap-auth.md
+++ b/content/docs/admin/ldap-auth.md
@@ -108,13 +108,16 @@ LDAP_THUMBNAIL_ATTRIBUTE=thumbnailPhoto
 
 ### LDAP Group Sync
 
 
 ### LDAP Group Sync
 

-BookStack has the ability to sync LDAP user groups with BookStack roles. By default this will match LDAP group names with the BookStack role display names with casing ignored.
+BookStack has the ability to sync LDAP user groups with BookStack roles. By default this will match LDAP group names (CN values) with the BookStack role display names with casing ignored.

 This can be overridden by via the 'External Authentication IDs' field which can be seen when editing a role while LDAP authentication is enabled. This field can be populated with common names (CNs) of accounts *or* groups. If filled, CNs in this field will be used and the role name will be ignored. You can match on multiple CNs by separating them with a comma.  Commas can be escaped with a backslash (`\,`) if you need to map to a CN using a literal comma character.
 
 When matching LDAP groups with role names or 'External Authentication IDs' values, BookStack will standardise the names of ldap groups to be lower-cased and spaces will be replaced with hyphens. For example, to match a LDAP group named "United Kingdom" an 'External Authentication IDs' value of "united-kingdom" could be used.
 
 This feature requires the LDAP server to be able to provide user groups when queried. This is enabled by default on ActiveDirectory via the 'memberOf' attribute but other LDAP systems may need to be configured to enable such functionality. Be aware that the 'memberOf' attribute does not include the user's primary group. If using OpenLDAP you'll need to setup the memberof overlay.
 
 This can be overridden by via the 'External Authentication IDs' field which can be seen when editing a role while LDAP authentication is enabled. This field can be populated with common names (CNs) of accounts *or* groups. If filled, CNs in this field will be used and the role name will be ignored. You can match on multiple CNs by separating them with a comma.  Commas can be escaped with a backslash (`\,`) if you need to map to a CN using a literal comma character.
 
 When matching LDAP groups with role names or 'External Authentication IDs' values, BookStack will standardise the names of ldap groups to be lower-cased and spaces will be replaced with hyphens. For example, to match a LDAP group named "United Kingdom" an 'External Authentication IDs' value of "united-kingdom" could be used.
 
 This feature requires the LDAP server to be able to provide user groups when queried. This is enabled by default on ActiveDirectory via the 'memberOf' attribute but other LDAP systems may need to be configured to enable such functionality. Be aware that the 'memberOf' attribute does not include the user's primary group. If using OpenLDAP you'll need to setup the memberof overlay.
 

+As part of its LDAP group sync functionality, BookStack will also recursively consider the full hierarchy membership of groups.
+For example, A user can be a member "Group A", and "Group A" can be a member of "Group B", in which case both "Group A" and "Group B" will be considered for a match to BookStack roles during group sync for that user.
+

 Here are the settings required to be added to your `.env` file to enable group syncing:
 
 ```bash
 Here are the settings required to be added to your `.env` file to enable group syncing:
 
 ```bash

diff --git a/content/docs/admin/updates.md b/content/docs/admin/updates.md
index 251d5ba5bd2545704b6b1d59691ff0fa52b29b2f..31b70bb43748bf1c65e19664856bb2c479256884 100644 (file)
--- a/content/docs/admin/updates.md
+++ b/content/docs/admin/updates.md
@@ -41,6 +41,12 @@ This is primarily a list of breaking changes & security notices.
 Details of updates can be found on [our blog](https://www.bookstackapp.com/blog/) or via 
 the [GitHub releases page](https://github.com/BookStackApp/BookStack/releases).
 
 Details of updates can be found on [our blog](https://www.bookstackapp.com/blog/) or via 
 the [GitHub releases page](https://github.com/BookStackApp/BookStack/releases).
 

+#### Updating to v24.05.4 or higher
+
+**Security - LDAP** - v24.05.4 address an issue found in LDAP group syncing which could mean in certain scenarios a user could be matched to extra roles incorrectly.
+
+**Security - API** - v24.05.4 address an issue where pages in "book-show" API responses would not have permissions applied properly.
+

 #### Updating to v24.05.1 or higher
 
 **Security** - v24.05.1 adds extra rate-limiting to some forms that are accessible without authentication, while also implementing changes to prevent methods that could be used to indicate if specific user emails exist in the system.
 #### Updating to v24.05.1 or higher
 
 **Security** - v24.05.1 adds extra rate-limiting to some forms that are accessible without authentication, while also implementing changes to prevent methods that could be used to indicate if specific user emails exist in the system.

diff --git a/static/images/blog-cover-images/cc-by-sa-4/attribution.txt b/static/images/blog-cover-images/cc-by-sa-4/attribution.txt
index 958fcde83c57213ebcc52dbe1587983cdbdbe19f..ca7e78cb6e6b08f3bd4793f4138f9abd24311544 100644 (file)
--- a/static/images/blog-cover-images/cc-by-sa-4/attribution.txt
+++ b/static/images/blog-cover-images/cc-by-sa-4/attribution.txt
@@ -11,4 +11,9 @@ Image modified in usage (Cropped and resized).
 padlocks-dietmar-rabich.jpg
 Copyright Dietmar Rabich
 Source: https://commons.wikimedia.org/wiki/File:San_Francisco_(CA,_USA),_Fisherman%27s_Wharf,_Liebesschl%C3%B6sser_--_2022_--_2873.jpg
 padlocks-dietmar-rabich.jpg
 Copyright Dietmar Rabich
 Source: https://commons.wikimedia.org/wiki/File:San_Francisco_(CA,_USA),_Fisherman%27s_Wharf,_Liebesschl%C3%B6sser_--_2022_--_2873.jpg

-Image modified in usage (Cropped and resized).
\ No newline at end of file
+Image modified in usage (Cropped and resized).
+---
+fence-dietmar-rabich.jpg
+Copyright Dietmar Rabich
+Source: https://commons.wikimedia.org/wiki/File:D%C3%BClmen,_Nonnenwall,_Zaun_--_2020_--_4007.jpg
+Image modified in usage (Cropped, resized, sharpened).
\ No newline at end of file

diff --git a/static/images/blog-cover-images/cc-by-sa-4/fence-dietmar-rabich.jpg b/static/images/blog-cover-images/cc-by-sa-4/fence-dietmar-rabich.jpg
new file mode 100644 (file)
index 0000000..39c7d16
--- /dev/null
+++ b/static/images/blog-cover-images/cc-by-sa-4/fence-dietmar-rabich.jpg
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dcd975c3143b138d1172433b2fd3b6350ff0afe7156139c4f97019d6383cde61
+size 384728