Releases: linuxserver/docker-bookstack

v25.12.5-ls246

17 Feb 19:23
4ea84e9

CI Report:

N/A

LinuxServer Changes:

No changes

Remote Changes:

This release specifically addresses folder permission issues (often showing as an error when attempting to access content) which could occur from changes introduced in v25.12.4.

Links

Full List of Changes

This release contains the following fixes and changes:

  • Updated filter caching folder handling to avoid server filesystem permission issues. (#6023)

v25.12.4-ls246

17 Feb 18:21
4ea84e9

CI Report:

N/A

LinuxServer Changes:

  • Add purifier directory to framework symlinks by @thespad in #284

Full Changelog: v25.12.4-ls245...v25.12.4-ls246

Remote Changes:

Security Release

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

  • Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
  • Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option with a value of jhf, which should match the prior version's filtering, but this will remove a layer of content filtering security so is not recommended.

Full List of Changes

  • Added new option for more granular page filter control.
  • Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
  • Updated application PHP dependencies.

v25.12.4-ls245

17 Feb 12:05
08e43ed

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.3-ls244...v25.12.4-ls245

Remote Changes:

Security Release

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

  • Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
  • Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option with a value of jhf, which should match the prior version's filtering, but this will remove a layer of content filtering security so is not recommended.

Full List of Changes

  • Added new option for more granular page filter control.
  • Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
  • Updated application PHP dependencies.

v25.12.3-ls244

16 Feb 19:02
14da2a0

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.3-ls243...v25.12.3-ls244

Remote Changes:

Security Release

BookStack v25.12.3 has been released.

This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests.

We strongly advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Joud Zakharia of zentrust partners GmbH for the discovery of this vulnerability, and thanks to Sven Faßbender of zentrust partners GmbH for their responsible disclosure and great communication of this issue.

Additional Update Notices

  • Page Content - As of this release, most types of form content are now removed from page content on render. If you applied customizations which made use of in-page form content, you may now need to find alternative methods.

Full List of Changes

  • Updated application PHP dependencies.
  • Updated session-based API authentication to only be active for GET requests.
  • Updated page content filtering to remove many common form elements & attributes.
  • Updated translations with latest Crowdin changes. (#5997)

v25.12.3-ls243

09 Feb 19:28
6bf9340

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.3-ls242...v25.12.3-ls243

Remote Changes:

Security Release

BookStack v25.12.3 has been released.

This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests.

We strongly advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Joud Zakharia of zentrust partners GmbH for the discovery of this vulnerability, and thanks to Sven Faßbender of zentrust partners GmbH for their responsible disclosure and great communication of this issue.

Additional Update Notices

  • Page Content - As of this release, most types of form content are now removed from page content on render. If you applied customizations which made use of in-page form content, you may now need to find alternative methods.

Full List of Changes

  • Updated application PHP dependencies.
  • Updated session-based API authentication to only be active for GET requests.
  • Updated page content filtering to remove many common form elements & attributes.
  • Updated translations with latest Crowdin changes. (#5997)

v25.12.3-ls242

29 Jan 16:04
37c2e60

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.2-ls241...v25.12.3-ls242

Remote Changes:

Security Release

BookStack v25.12.3 has been released.

This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests.

We strongly advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Joud Zakharia of zentrust partners GmbH for the discovery of this vulnerability, and thanks to Sven Faßbender of zentrust partners GmbH for their responsible disclosure and great communication of this issue.

Additional Update Notices

  • Page Content - As of this release, most types of form content are now removed from page content on render. If you applied customizations which made use of in-page form content, you may now need to find alternative methods.

Full List of Changes

  • Updated application PHP dependencies.
  • Updated session-based API authentication to only be active for GET requests.
  • Updated page content filtering to remove many common form elements & attributes.
  • Updated translations with latest Crowdin changes. (#5997)

v25.12.2-ls241

24 Jan 14:48
6d24518

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.1-ls240...v25.12.2-ls241

Remote Changes:

Links

Full List of Changes

This release contains the following fixes and changes:

  • Updated translations with latest Crowdin changes. (#5970)
  • Updated PHP dependency versions.

v25.12.1-ls240

12 Jan 18:46
c36bdfb

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.1-ls239...v25.12.1-ls240

Remote Changes:

Security Release

BookStack v25.12.1 has been released.

This is a security release which adds limits to search operations, and adds size checks to ZIP import files before they are extracted.
These changes help prevent potential abuse to host disk space usage and/or service availability.

We recommend updating your instance if untrusted users have ZIP import permissions, or if untrusted users can perform searches.

Thanks to Jeong Woo Lee (@eclipse07077-ljw) and Gabriel Rodrigues (aka TEXUGO) for reporting these vulnerabilities.

Full List of Changes

  • Updated application PHP dependencies.
  • Add some additional resource-based limits. (#5968)
  • Updated translations with latest Crowdin changes. (#5962)

v25.12.1-ls239

04 Jan 23:52
4f99d38

CI Report:

N/A

LinuxServer Changes:

New Contributors

Full Changelog: v25.12.1-ls238...v25.12.1-ls239

Remote Changes:

Security Release

BookStack v25.12.1 has been released.

This is a security release which adds limits to search operations, and adds size checks to ZIP import files before they are extracted.
These changes help prevent potential abuse to host disk space usage and/or service availability.

We recommend updating your instance if untrusted users have ZIP import permissions, or if untrusted users can perform searches.

Thanks to Jeong Woo Lee (@eclipse07077-ljw) and Gabriel Rodrigues (aka TEXUGO) for reporting these vulnerabilities.

Full List of Changes

  • Updated application PHP dependencies.
  • Add some additional resource-based limits. (#5968)
  • Updated translations with latest Crowdin changes. (#5962)

v25.12.1-ls238

30 Dec 17:48
c5d0fd7

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12-ls237...v25.12.1-ls238

Remote Changes:

Security Release

BookStack v25.12.1 has been released.

This is a security release which adds limits to search operations, and adds size checks to ZIP import files before they are extracted.
These changes help prevent potential abuse to host disk space usage and/or service availability.

We recommend updating your instance if untrusted users have ZIP import permissions, or if untrusted users can perform searches.

Thanks to Jeong Woo Lee (@eclipse07077-ljw) and Gabriel Rodrigues (aka TEXUGO) for reporting these vulnerabilities.

Full List of Changes

  • Updated application PHP dependencies.
  • Add some additional resource-based limits. (#5968)
  • Updated translations with latest Crowdin changes. (#5962)
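
The v25.12.1 notes describe checking ZIP import sizes before extraction. The sketch below is an added example of that kind of check in Python, not BookStack's own code; the limit values and the names `check_zip`, `safe_extract` and `make_zip` are assumptions made for illustration.

```python
import io
import zipfile

# Hypothetical limits chosen for this example; not BookStack's values.
MAX_ENTRIES = 1000
MAX_TOTAL_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100  # declared uncompressed size / compressed size


class ZipRejected(Exception):
    """Raised when an archive exceeds a limit."""


def check_zip(data, max_total=MAX_TOTAL_BYTES):
    """Check declared sizes from the central directory without decompressing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        raise ZipRejected("too many entries")
    total = 0
    for info in infos:
        total += info.file_size
        if total > max_total:
            raise ZipRejected("declared size exceeds limit")
        if info.file_size > MAX_RATIO * max(info.compress_size, 1):
            raise ZipRejected("suspicious compression ratio: " + info.filename)
    return total


def safe_extract(data, max_total=MAX_TOTAL_BYTES):
    """Extract to memory, also capping bytes actually produced, since the
    declared sizes come from the archive itself and can be forged."""
    check_zip(data, max_total)
    out, budget = {}, max_total
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                body = fh.read(budget + 1)  # read at most one byte past the budget
            if len(body) > budget:
                raise ZipRejected("extracted size exceeds limit")
            budget -= len(body)
            out[info.filename] = body
    return out


def make_zip(files):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

The header check rejects oversized archives cheaply, and the read budget in `safe_extract` covers archives whose declared sizes understate what decompression produces.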