Releases: passbolt/passbolt_api
Our Home
Song: https://youtu.be/eCwWbEhFftw
Make sure you follow the update documentation to roll out this new version.
The team is pleased to announce the immediate availability of Passbolt version 3. As you may have noticed with the earlier
release in January and automatic rollout of the v3 webextension, this version contains a major redesign of the login
and setup screens. The goal of this redesign was to simplify the process and improve the usability. This version
also concludes our migration to React on the front end; you can learn more about it in the
dedicated blog post.
Most notably, this release also introduces the concept of resource types. We will write more about it in a dedicated
blog post, but long story short, the goal of this change is to allow storing different types of secrets, other than a password.
The first example of a new resource type is the “password with encrypted description” which has now become the default. This change is transparent and backward compatible.
As you may know, data in passbolt is divided into two parts: the searchable, unencrypted metadata called “resource”,
and the encrypted part called “secret”, which contains, for example, the password. With resource types the solution will
support the encapsulation of structured data in the “secret” part in the form of a JSON object, following a JSON schema
defined as part of the resource type. In the future we want to allow administrators to be able to define their own
resource types, on top of the ones that are supported by default. In the meantime if you have suggestions for new
default resource types, and the formats you would like to see (for instance credit cards, ssh keys, etc...), please share your ideas on the community forum.
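The split between clear-text resource metadata and a schema-validated JSON secret described above, sketched as an added example that is not Passbolt's own code. The type slugs, field names, length limits and the rejection of unknown fields are assumptions made for illustration.

```javascript
// Added illustration, not Passbolt code: slugs, field names and limits are assumptions.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const TYPES = {
  "legacy-password": null, // secret is the bare password string, no schema
  "password-with-description": {
    type: "object",
    required: ["password"],
    properties: {
      password: { type: "string", maxLength: 4096 },
      description: { type: "string", maxLength: 10000 },
    },
  },
};

// Check a parsed secret against the small JSON Schema subset used above.
function validateSecret(value, schema) {
  if (typeof value !== "object" || value === null || Array.isArray(value)) return ["secret must be a JSON object"];
  const errors = [];
  for (const key of schema.required) {
    if (!has(value, key)) errors.push(`missing required field: ${key}`);
  }
  for (const [key, val] of Object.entries(value)) {
    const rule = has(schema.properties, key) ? schema.properties[key] : null;
    if (!rule) errors.push(`unexpected field: ${key}`);
    else if (typeof val !== rule.type) errors.push(`${key} must be a ${rule.type}`);
    else if (val.length > rule.maxLength) errors.push(`${key} is too long`);
  }
  return errors;
}

// Split user input into clear-text metadata and the plaintext to be encrypted.
function buildResource(typeSlug, fields) {
  if (!has(TYPES, typeSlug)) throw new Error(`unknown resource type: ${typeSlug}`);
  const metadata = { name: fields.name, username: fields.username, uri: fields.uri };
  if (TYPES[typeSlug] === null) {
    // Legacy layout (assumed): the description stays searchable and unencrypted.
    metadata.description = fields.description;
    return { metadata, secretPlaintext: fields.password };
  }
  const secret = { password: fields.password, description: fields.description ?? "" };
  const errors = validateSecret(secret, TYPES[typeSlug]);
  if (errors.length) throw new Error(errors.join("; "));
  return { metadata, secretPlaintext: JSON.stringify(secret) };
}

// Interpret a decrypted secret according to the resource type it was stored under.
function readSecret(typeSlug, plaintext) {
  if (!has(TYPES, typeSlug)) throw new Error(`unknown resource type: ${typeSlug}`);
  if (TYPES[typeSlug] === null) return { password: plaintext };
  const secret = JSON.parse(plaintext);
  const errors = validateSecret(secret, TYPES[typeSlug]);
  if (errors.length) throw new Error(errors.join("; "));
  return secret;
}
```

Reading a secret under the legacy type never parses it, so a password that happens to look like JSON is returned unchanged.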
We encountered some issues during the release of the webextension v3, which have been summarized on this dedicated
incident page. The most prominent bugs encountered in the last release were
related to older installations where some database entries became incompatible with the new stricter validation rules on
the front-end side. These issues have now been resolved, but we sincerely apologize for any inconvenience caused, and have learnt a lot during the process.
Server side Passbolt API v3 is also a major release with the deprecation of PHP v7.2 and composer v1. Please make sure you have
the right dependencies installed on your server prior to upgrade. You can learn more about the update/upgrade procedures
on the dedicated page.
Feel free to report bugs on github if you encounter any new issues, or to get in
touch using the regular support channels.
On the artifacts side, we have published an Ubuntu package, and all of our artifacts (VM, DigitalOcean, AWS AMI and Docker image)
now use the Debian package. Using the Debian package changes the installation paths of passbolt. Please read the following
documents for deprecation notices and changes:
- Release notes for docker image.
- Migrate from ubuntu installation scripts to Ubuntu package.
For our next release(s) the team will focus on an upgrade to Cakephp v4, as well as small UX/UI improvements that
have been pending for a very long time, including the ability to translate the interface. And yes we also are
actively working on the Mobile apps, as well as other much demanded features such as Escrow.
A big thank you to the people who have reported and documented bugs on github and the community forum including:
@DistrantThunder, @kyxyes, @chyff, @drzraf, @Alien-Richman, @VFS, @wnhre2ur8cxx8 (that’s a mouthful), @rctgamers3,
@norbertmm, @runderwo, @AnswerKAS, @raphhaselback, @PeanutStick, @JosephGarrone and many more.
Thank you for your continued support.
[3.0.0] - 2021-02-22
Deprecated
- Drop support for API format v1, api-version parameter is deprecated
- Remove title from API response envelope format
- Drop support for PHP < v7.3, application requires PHP v7.3 by default
- Drop support for Composer < v2, application requires Composer v2 by default
Added
- Add dark theme to the community edition
- Add new system check utilities in ./bin, for example ./bin/status-report
- Add web installer automatically populates mysql credentials (VM / Debian Package)
- Add support for multiple resource types
- Add resource with encrypted description as resource type
- Add generic cron job task in ./bin/cron
- Add support for untracked personal shell scripts under ./bin/my
- Add support for configurable footer link in config
- Add permissions filters on resource view and index
- Add permissions contain options on resource view
Chores
- Update OpenPGP-PHP dependencies to provide PHP 7.4 compatibility
- Remove unmaintained user agent parser library
- Fix PHP 7.4 warnings
Improvements
- Improve testsuite execution times
- Refactor testsuite to not install data model from fixtures but use migrations instead
- Refactor testsuite to remove unused fixtures
- Migrate administration and mfa settings screen to React
- Add placeholder application skeleton when webextension is still loading
- Redesign of login and recover screens
- Add Mysql 8 support
Fixed
- Fix allow overriding rememberMe options in passbolt.php configuration file
- Fix all target blank link should contain rel noopener noreferrer
- Fix email sender, email subject should not exceed 255 characters.
- Fix secret access log on resource view with contain secret
- GITHUB-376 Fix missing route prefix on the recovery button
- GITHUB-373 Fix API format for create group (previously v1 instead of v2 format)
- GITHUB-372 Fix after modifying passwd, the modification time should be changed
- GITHUB-370 Fix metadata should be deleted for deleted resources
- GITHUB-369 Fix Notification Emails Have Wrong Tense In Subject/Body
- GITHUB-368 Clarify PHP extension requirements
- GITHUB-362 Fix wrong filename on healthcheck HELP message for assertConfigFiles
- GITHUB-356 As a user I shouldn't be able to export folders if export plugin is disabled
- GITHUB-350 Fix no mails are sent when providers offer AUTH PLAIN authentication only
- GITHUB-339 Fix web installer urls do not work when passbolt is installed in a directory
- Fix performance issues on resource / folder activity log
Stomp (Remix)
This is a small maintenance release. It ships with a few bug fixes reported by the community.
Changelog
[2.13.5] 2020-07-29
Fixed
- Fix display a validation error when db password contains a quote or db name contain a dash
- Fix email notification settings bootstrap messes up non persistent database connection in wizard
- Bump dependencies versions
Stomp
Song: https://youtu.be/tPBDMihPRJA
This is a small maintenance release. It fixes a bug introduced with the latest release.
Thank you to everyone who helped us test and iron out the last kinks!
In other news, we just published an article on the blog to explain why passbolt requires an extension.
Changelog
API
Fixed
- PB-1372 Fix user setup completed admin email notification
Hammer to Fall
Song: https://www.youtube.com/watch?v=JU5LMG3WFBw
The team is pleased to announce the availability of Passbolt CE v2.13. This release includes new functionalities,
most notably the email digest functionality.
Email digest
The email digest functionality will help you combine email notifications of the same
kind into one single message. So, it will group similar emails for a given user, for a given time period
(the frequency of passbolt email cronjob) or when a volume limit is reached. This will help reduce the
email notifications, especially when you import/share a lot of passwords at once.
You can enable this feature by switching the following line in your server crontab:
/var/www/passbolt/bin/cake EmailQueue.sender
to
/var/www/passbolt/bin/cake Passbolt/emailDigest.sender
You can also test the feature by calling it directly in the command line on your server.
Server key rotation
It is now possible to extend an expired server key and have the user accept the new server key without
performing an account recovery. When the key changes, the user will be prompted to accept the new one.
Migration to react
Part of the work done with this release includes some major refactoring of the front end code
as part of the migration process to React. So, you will see some other visual changes for example,
when loading the share dialog.
You can expect more visual changes in the upcoming releases.
Breaking changes
Another notable change: as part of this release we upgraded OpenPGP.js. This may be a breaking
change if you are using old OpenPGP keys with an insecure 2-byte hash. If you use such a key we advise
you to try to re-export your private key from GnuPG to produce a more secure hash and perform an account recovery.
Changelog
API
Added
- PB-1168 Add baseline code and tests for Debian package build
- PB-1067 As a user I can receive digest emails when creating a lot of resources
- PB-1067 As a user I can receive digest emails when added/removed from a lot of groups
- PB-1284 Add tasks and services to re-validate existing data
Improved
- Pro Styleguide version bump v2.13.13
- Appjs version bump v2.13.7
- PB-1046 Adapt Cleanup test runner to take in account cleanup that are adding records
- PB-1046 Adapt Cleanup shell task to allow external sources to add cleanup tasks
- PB-1046 Remove empty EmailTraits files
- Delete unused default keys (cleanup)
- Update to latest passbolt_test_data version.
- Misc refactoring for email notifications
- Misc refactoring to split model logic into services
- Clear plugins in tearDown of application test cases
Fixed
- GITHUB-350 No mails are sent when providers offer AUTH PLAIN authentication only
- Fix appjs plugin requestUntilSuccess bug
- Fix load webinstaller plugin manually in plugin tests
- Fix composer php version.
- Fix misc checkstyle issues
- PB-980: Fix "secret access logging in password activity log should not display other resources secret access after a multiple share"
Never Gonna Give You Up
Release song
Full release notes
This release contains a security fix, please update your server as soon as possible. Make sure you follow the minor update documentation to roll out this new version.
This is a small maintenance release in order to update to jQuery v3.5. The library released an important security fix for an issue that could potentially result in an XSS in certain Passbolt setups where Content Security Policy (CSP) was disabled by the user. You can learn more about the issue here.
Passbolt team is currently busy finalizing a release candidate with some new major features. You can learn more about it in our last blog post.
We hope you are safe.
Fixed
- PB-1209: Update client dependencies
Call Me
Release song
Full release notes
This release is mainly a maintenance release. It ships with several fixes, mainly regarding the web extension.
The previously published extension version contained a security fix for an issue in the quick access suggestion system reported by security researcher Rene Kroka.
You can learn more about it on the incident page.
It also ships with a much demanded improvement: the possibility to resend a new invitation to a user.
We hope you’ll enjoy this update!
What next? The team focus is currently on the upcoming folders feature.
It is taking a substantial amount of energy to implement but the result should match your expectations.
It is now a matter of weeks before the feature is available. If you are interested to know how it will work, you can have a look at the specifications (feedback is welcome).
The screenshot below will give you a glimpse of its look and feel:
The team wishes you great end-of-year celebrations, Merry Christmas & Happy New Year in advance, and good holidays if you are lucky enough to take some!
API
Added
- PB-687: As an admin I can resend an invitation for a user that didn't complete the setup
Improved
- PB-893: Update CakePHP to v3.8.6
Fixed
- PB-771: Added purify subject for the email subscribers
- PB-856: Added migration fix to remove unused tables
- GITHUB-84: Fix gc_maxlifetime versus Session.timeout units
Web extension
Improved
- PB-878: Update OpenPGP.js to v4.7
- PB-649: The quickaccess passphrase field text and background colors should remain as default when the field is not focused.
Fixed
- PB-883: The quickaccess should filter passwords by uri protocol and port if provided.
- PB-766: Fix 414 server issues for features that work with batch of resources. Reduce the size of the batches.
Don't You (Forget about me)
Passbolt v2.11 is a maintenance release containing security fixes. Extension update will be rolled out
automatically to your users like usual, but as an administrator you will need to update your server.
The security issues were discovered by security researcher René Kroka as part of the Bug Bounty program
organized in collaboration with YesWeHack. You can find more information about
the vulnerabilities found during this audit, on the dedicated incident page. You can also learn more about passbolt security in our recently published Security White Paper.
This release also includes some requested fixes by the community. The autofill functionality is now a
bit more robust and will work on more websites, including for example when the login form is located
in an iframe (on the same domain as the current page). Feel free to report any issues you encounter
with the autofill on websites you use via github issues. Another long awaited fix relates to the passphrase remember me and the auto logout functionalities.
The installation script now also supports the new Debian 10 (stable). Because of this we will soon
deprecate support for PHP 7.0 (which was still the default on Debian 9). Make sure you upgrade your web
server to use at least PHP 7.2 in the coming weeks.
If you want to receive an invitation for Passbolt Cloud, feel free to complete this form or send us an
email at [email protected]. Or you can wait for the public launch in September!
The team wishes you happy holidays, if you are lucky enough to take some!
API
Security fixes
- PB-661: Fix tab nabbing when clicking on "open in a new tab" in password grid
- PB-607: Fix XSS on first name or last name during setup
Improvements
- PB-587: Add baseline support for multiple openpgp backends
- PB-391: Display the name and email of the user an admin is going to delete in the delete dialog
- PB-396: Display the label of the password a user is going to delete in the delete dialog
- PB-397: Display a relevant feedback in the user details group section if the user is not member of any group
- PB-533: Add a new session check endpoint that does not extend the session expiry
- PB-607: Add option for an administrator to configure CSP using environment variable
- PB-242: Improve the passwords grid (passwords fetch performance, search reactivity, selectbox area enlarged)
Fixes
- PB-349: Fix health check fails if using custom GNUPGHOME env set by application
- PB-330: Fix migration issue from CE to PRO in v2.10
- PB-567: Fix appjs auto logout
- PB-601: Fix some incomplete unit tests
- PB-427: Fix email sender shell task and organization settings table unnecessary coupling
- PB-349: Fix OpenPGP results health checks
Maintenance
- PB-505: Upgrade cake 3.8
- PB-504: Upgrade Javascript dependencies
- PB-472: Cleanup test dependencies
Web extension
Improved
- PB-242: Add local storage resources capabilities to manipulate the resources (add, delete, update)
- GITHUB-79: Improve autofill compatibility, trigger an input event instead of a change event while filling forms
- GITHUB-61: Improve autofill compatibility, support Docker and AWS forms
- PB-432: Improve autofill compatibility, support reddit.com
- PB-433: Improve autofill compatibility, support Zoho CRM
- GITHUB-78: Improve autofill compatibility, fill only username if no password field present
- PB-494: Improve autofill compatibility, ignore hidden fields
- PB-514: Improve autofill compatibility, fill iframe forms fields
- PB-609: Update library used for CSV export
Fixed
- PB-544: Fix login passphrase remember me and quickaccess
- PB-533: Fix session expired management
- PB-515: Autofill should not fill if the url in the tab has changed between the time the user clicked on the button to fill and the time the data is sent to the page.
- PB-503: Fix math.random() when generating first security token/color
Owner of a Lonely Heart
Release song
Full release notes
This release ships with some nice improvements, notably the arrival of the administration dashboard for the Community Edition. This dashboard only contains one section for now: email notification settings. However, more sections will appear in the next releases, as the idea is to completely remove the pain point of configuration through files.
Another improvement is the possibility to browse passwords using filters in the browser extension “quick access”. The filters that were already accessible through the web UI are now available in the “quick access”: Favorites, Items I own, Recently modified, Shared with me or even Groups. Check it out.
We hope you’ll enjoy this update!
What next? Our current focus for Passbolt Community Edition is the implementation of more administration sections, forms auto-save (to save passwords directly from a web form) and improvements on the setup and login screen. Stay tuned!
Passbolt API
Added
- PB-165: As AD I should be able to change my organization email notification settings via an administration screen.
Fixed
- PB-276: Merge organization settings code into CE. Ground work for administration features.
Passbolt Browser extension
Added
- PB-189: Quickaccess: As LU I can browse my passwords with the quickaccess using filters
Fixed
- PB-40: Quickaccess: Don't hide not sanitized uri in the resource view screen
Paint it black
Fixed
- PB-220: Upgrade to CakePHP 3.7.7 fix for CVE-2019-11458.
Where is my mind
[2.8.4] - 2019-04-17
Improved
- PB-48: Improve the performance by removing the creator/modifier from the passwords workspace grid query
- PB-159: Remove the usage of canjs connect-hydrate module
Fixed
- GITHUB-315: The permalink of password don't work anymore
- PB-147: Update appjs steal dependencies
- PB-152: The webinstaller should work with Firefox ESR
- GITHUB-299: The passwords are shown twice in passwords workspace grid
- GITHUB-10: Selecting a group on the users workspace should not reset the grid "Last Logged In" column to "Never"
- GITHUB-62: Sorting the users on the users workspace should not break the infinite scroll
- PB-160: Update appjs jquery dependencies
- PB-163: Update jquery dependency
- PB-171: Fix entities history trait should not trigger internal error if user action is undefined
- PB-102: Fix install process should not create schema dump lock file
- PB-204: Escape shell variables of the passbolt mysql export shell command