BookStack Blog

BookStack Security Release v21.11.3

BookStack v21.11.3 has been released. This is a security release that helps prevent potential discovery and harvesting of user details including name and email address.

»

BookStack Security Release v21.11.2

BookStack v21.11.2 has been released. This is a security release that addresses a couple of vulnerabilities relating to API access and page draft related content visibility:

»

BookStack Release v21.11

Today we release BookStack v21.11 which focuses on a couple of areas that have gone untouched for a while: tags and the site-wide search system. These changes sit upon more substantial framework upgrade work that has occurred this release cycle.

»

BookStack Security Release v21.10.3

BookStack v21.10.3 has been released. This is a security release that addresses a couple of vulnerabilities within the attachment and image serving mechanisms. The attachment vulnerability could result in users uploading content to be served in a way that can be utilized for phishing. The image serving vulnerability could result in unintended file access within your BookStack storage folder.

»

BookStack Security Release v21.10.2

BookStack v21.10.2 has been released. This is a security release that builds upon changes in v21.10.1 which covers a vulnerability which would allow malicious users, who have permission to update or create pages, to upload content that could then be utilized for phishing or other general malicious intent.

»

BookStack Security Release v21.10.1

BookStack v21.10.1 has been released. This is a security release that covers a vulnerability which would allow malicious users, who have permission to update or create pages, to upload content that could then be utilized for phishing or other general malicious intent.

»

BookStack Release v21.10

October brings us BookStack v21.10. This release is primarily intended to wrap up a few loose ends before we make more substantial framework changes, but it does bring with it a new authentication option in addition to some new API endpoints. In the below we’ll dive into many of the new features and improvements added since v21.08.

»

The Services We Use

Now that I’ve got a bit more time to work on BookStack, I thought it’d be good to do something a little different on the blog and pay tribute to the services we use to help manage the project. Keep in mind that this is not a complete listing of projects that we use within BookStack itself, but instead a listing of the services and projects that we use from a project & code management point of view.

»

BookStack Security Release v21.08.5

BookStack v21.08.5 has been released. This is a security release that covers a vulnerability which would allow malicious users, who have permission to update or create pages, to load content from files stored within the storage/ or public/ directories (such as application logs) via the page HTML export system.

»

BookStack Security Release v21.08.2

BookStack v21.08.2 has been released. This security release is intended to cover a couple of XSS vulnerabilities, where a malicious user with page edit access could enter script that would execute upon page view. You should update as soon as possible if you allow untrusted users to edit content in your instance.

»

BookStack Release v21.08

Today we release BookStack v21.08, which brings along multi-factor authentication support in addition to a number of other nice features. Within this post we’ll dive into some of the biggest new changes since the v21.05 release.

»

Six Years of BookStack

Well, there goes another year, a year of worldwide lock-downs and uncertainty, but BookStack development has pushed on and now we’re at 6 years since the original commit on the 12th of July 2015. To mark the milestone we’ll look at the figures, go into some upcoming plans and distribute some thanks.

»

BookStack Release v21.05

BookStack v21.05 has now been released which brings along new user interface features & enhancements including a favourites system and easier in-book navigation.

»

BookStack Release v21.04

Today is the launch of BookStack v21.04 which is our next feature release after Beta v0.31. For this release we’re dropping the beta and changing our version scheme as detailed below. This release has no single major feature but is instead focused on a range of fixes, improvements and community contributions.

»

Beta Security Release v0.31.5

BookStack v0.31.5 has been released. As with the previous release (v0.31.4) this updates the Laravel framework version used to help avoid a potential vulnerability when requests were crafted in a certain manner. While it is not known if such a case exists in BookStack, this release updates the framework as a pre-emptive measure.

»

Beta Security Release v0.31.4

BookStack v0.31.4 has been released. This security release updates the Laravel framework version, due to a vulnerability that could occur if request data was crafted and then used in a certain way. While it is not known if such a case exists in BookStack, this release updates the framework as a pre-emptive measure.

»

Replacing Google Analytics & Mailchimp

On this BookStack site I have been using Google Analytics to track visitor metrics. While not crucial to know, it’s generally useful to have an idea of the target audience, current popularity and be aware of any visitor spikes. For the email updates and email security alerts I’ve been using Mailchimp. This post explains the move to more privacy aware alternatives.

»

Beta Release v0.31.0

We kick off this optimistic year with BookStack v0.31 which includes some great additions & updates to existing functionality including a new recycle bin system, controllable item ownership, audit log changes, page API endpoints and much more.

»

Beta Security Release v0.30.7

In continuation of the patches in v0.30.6, BookStack v0.30.7 has been released to address an issue that could lead to restricted page content being made visible in exports. As with the last release, you should upgrade to this release as soon as possible if you make use of page-level permissions at all. Apologies for the frequency of security releases.

»

Beta Security Release v0.30.6

BookStack v0.30.6 has been released to address an issue that could lead to restricted page content being visible in certain circumstances. You should upgrade to this release as soon as possible if you make use of page-level permissions at all.

»

Beta Security Release v0.30.5

Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability.

»

Beta Security Release v0.30.4

XSS and user-injected auto-redirect vulnerabilities have been found within the page content & attachment components of BookStack which BookStack v0.30.4 looks to address. These are primarily a concern if untrusted users can edit content on your BookStack instance.

»

Beta Release v0.30.0

Although intended to be a quick release cycle, v0.30 is now here 5 months after the last major release. Sketchy personal health, a poorly pet & a busy day-job workload, combined with constant working-from-home, have reduced the amount of time I could afford to spare working on the project but with normality somewhat returning I present BookStack v0.30 which includes an assortment of enhancements.

»

Five Years of BookStack

With a first commit dated Sunday the 12th of July 2015, BookStack is now over 5 years old. Looking back, those 5 years have appeared to fly by but within that time there’s been a lot of growth, both for me as a maintainer and in regards to the project itself.

»

Beta Security Release v0.29.3

BookStack v0.29.3 has been released to address an issue that could expose the names of private/restricted books.

Impact

The name of a restricted book could be viewed by non-authorised users when the book was on a shelf, and the shelves were viewed in “List View”. This could expose book names to those that did not have permission to see them, when part of a shelf.

»

Beta Release v0.29.1

After the recent release of v0.29 comes this patch update to fix some bugs while introducing some nice user experience enhancements. On this post we’ll go through a couple of them.

»

Beta Release v0.29.0

This Easter BookStack release welcomes a range of user-experience improvements, with features such as dark mode and improved right-to-left text support, in addition to a bunch of fixes and enhancements.

»

Beta Releases v0.28.1, v0.28.2 & v0.28.3

Following on from the release of v0.28, we’ve had a series of patch releases to apply a range of fixes & enhancements in addition to some translation updates. There’s nothing urgent or security related in these but they collectively include quite a few fixes so it’s still worth updating.

»

Beta Release v0.28.0

Our first 2020 release arrives with some great new features such as an initial API implementation and SAML2 authentication alongside further new customisation options.

»

Beta Release v0.27.0

BookStack v0.27 is now available which adds page templates, a new user invitation flow, a more accessible interface and a bunch of under-the-hood changes to provide a better user & developer experience.

»

Beta Release v0.26.0

After a long development cycle BookStack v0.26 is finally here, bringing a refreshed design that includes new functionality while providing a much better mobile experience.

»

Project Roadmap & Beta Release v0.25.2

We have another patch release for BookStack v0.25 to fix bugs, update translations & to add some new configuration options. We now also have a project roadmap to provide some visibility of where BookStack is going.

»

Beta Release v0.25.1

Soon after the v0.25 release last weekend we have the v0.25.1 patch release to fix some bugs, add support for s3 compatible services and to prepare for the upcoming removal of the Google Plus API.

»

Beta Release v0.25.0

2019 is here and to kick it off we have BookStack v0.25. This release does not contain any major new features but instead is focused on making improvements to existing systems within BookStack.

»

Beta Release v0.24.0

Need a way to categorise your Books? Well BookStack v0.24 is the release for you bringing Bookshelves along with a host of other notable features such as revision removals, social authentication auto-registration and Arabic support.

»

Beta Release v0.23.0

Quicker editing, better LDAP integration and Discord login are now here with BookStack v0.23 along with a good set of fixes and improvements. I must admit this release comes a little later than expected due to an unusually warm English summer making working conditions in my home office exhausting but luckily we’ve had a good number of code contributions to keep things moving.

»

Beta Release v0.22.0

BookStack v0.22 is here with a much requested homepage option in addition to changes to the drawing system and improvements. Let’s get into it:

»

Beta Release v0.21.0

A new version of BookStack is here. Version 0.21 improves upon a number of existing features in addition to bringing its own new capabilities to BookStack. If you are updating to this release from v0.20.0 or before it’s also worth reviewing the hefty update v0.20.1 which included a good number of fixes and improvements itself.

»

Beta Release v0.20.1

Today we release BookStack v0.20.1. Although this update does not include any major new features it bundles up some big behind-the-scenes changes along with a great deal of fixes and updates.

»

Beta Release v0.20.0

Here we have the first release of 2018 and it’s a chunky one! Not only do we have draw.io integration but thanks to a range of contributors we have extra languages and authentication options. Additionally, in this release we are testing options for theming as well as authenticated image access.

»

Beta Security Release v0.18.5 + Other Bugfix Releases

Security Release v0.18.5

This release fixes the following security issue:

  • Fixed issue where email confirmation was not forced when domain restriction was enabled. (#573)

This issue meant that if you had domain restriction enabled on sign-up, and you did not enable email confirmation, a user could sign up via email (using an approved email domain) but then log in right away without confirming they own the email.

»

Beta Release v0.18.0

We’re now over two years into the life of BookStack and to celebrate we have a new release, v0.18. This release unexpectedly grew in scope during development but it brings a good bunch of highly-requested features along with the biggest design change since October 2015.

»

Beta Bugfix Releases v0.17.1 to v0.17.4

Since the v0.17 feature release at the start of the month a good bunch of fixes and feature tweaks have made their way into BookStack. After 4 bugfix releases we’re now at version v0.17.4. Here are some details on the changes made over the last month:

»

Beta Release v0.17.0

After a few quiet months I’m happy to announce BookStack v0.17 is now ready for release. This release focuses mainly on the code editing experience throughout BookStack. Here are the handy quick-links:

»

Beta Bugfix Release v0.16.1

One week after v0.16.0 we have our first v0.16 Bugfix release. This contains the following changes and fixes:

  • Fixed permission updates on large books failing due to MySQL placeholder count (#374)
  • Added functionality to check ‘Accept-Language’ header to provide translations when not logged in. (#375)
  • Added HTML support back into the Markdown editor. (#378)
  • Refactored permission system for general speedups.


Header Image Credits: Timo Vijn

»

Beta Release v0.16.0

Another BookStack release is upon us. Since the last release work has been put into spring-cleaning the search system which is detailed below. Community contributions have gained some momentum bringing in some fantastic new features and fixes.

»