From 646a2bc12d56752990109bc5749a0b21b84114ac Mon Sep 17 00:00:00 2001
From: ildyria
Date: Wed, 24 Jun 2026 20:03:10 +0200
Subject: [PATCH 1/2] Version 7.6.3
---
docs/releases.md | 21 +++++++++++++++++++++
src/pages/roadmap.astro | 1 +
2 files changed, 22 insertions(+)
diff --git a/docs/releases.md b/docs/releases.md
index 673873b..5b5da92 100644
--- a/docs/releases.md
+++ b/docs/releases.md
@@ -35,6 +35,27 @@ ## What's Changed
+### v7.6.3
+
+Released on June 24th, 2026
+
+#### Fixes major vulnerability on album passwords
+
+I cannot believe that this went undetected for so long. The zip endpoint was checking if the album was set as downloadable, but it was not checking if the album was accessible or not. As a consequence, if you knew the id of an album, you could download it without knowing the password.
+
+If you are protecting your albums by password, please update to this version as soon as possible. This is a critical vulnerability and should be fixed immediately.
+If you are using the stronger approach, namely "public + hidden", then you are entirely safe. The album id are cryptographically generated and cannot be guessed, as opposed to password which are weak against dictionary attacks.
+
+* `fix` #4459 : Fix download bypass on password protected albums by @ildyria.
+* `fix` #4462 : Do not display errors when feature is disabled by @ildyria.
+ > Just a convience fix. We are working on some secret features for v8. ;)
+* `fix` #4458 : Hardcode sqlite migration key-drop fix by @ildyria.
+ > An old fix, but if you are using sqlite and migrating from version before 7.4.0, you might have a crash, at migration requiring you to modify the database by hand.
+ > This is now fixed.
+
+Thanks to @5ud0er for reporting the zip password bypass vulnerability.
+
+
 ### v7.6.2
 Released on June 22nd, 2026
diff --git a/src/pages/roadmap.astro b/src/pages/roadmap.astro
index e808b3e..bed68be 100644
--- a/src/pages/roadmap.astro
+++ b/src/pages/roadmap.astro
@@ -8,6 +8,7 @@ const metadata = {
 // Release data extracted from releases.md
 export const releases = [
+ { version: 'v7.6.3', date: 'Jun 22, 2026', title: 'Hotfix', type: 'security', highlights: ['Fixes major vulnerability', 'minor fixes'] },
 { version: 'v7.6.2', date: 'Jun 22, 2026', title: 'Hotfix', type: 'bugfix', highlights: ['Revert change to avoid breaking docker installs.'] },
 { version: 'v7.6.1', date: 'Jun 22, 2026', title: 'Hotfix', type: 'security', highlights: ['🌟 License key auto-rotations', 'Fix brute force attack on unlock'] },
 { version: 'v7.6.0', date: 'Jun 17, 2026', title: 'Moderation, Custom print sizes and more', type: 'major', highlights: ['Chunked download', 'Moderation features', 'folder upload', '🌟 Custom print sizes (SE)', '🌟 White-label (SE)'] },
From da4bd5216eb1a892c712d414480686b3363397eb Mon Sep 17 00:00:00 2001
From: ildyria
Date: Wed, 24 Jun 2026 20:08:17 +0200
Subject: [PATCH 2/2] Fix roadmap
---
src/pages/roadmap.astro | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pages/roadmap.astro b/src/pages/roadmap.astro
index bed68be..e0bff43 100644
--- a/src/pages/roadmap.astro
+++ b/src/pages/roadmap.astro
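Review bot: The new v7.6.3 entry's highlights, `'Fixes major vulnerability', 'minor fixes'`, do not say which feature the vulnerability affects, so a reader of the roadmap cannot tell whether their deployment is exposed without opening releases.md. The releases.md hunk in the same patch names it precisely, and the v7.6.1 entry two lines below shows the array already carries specific wording ('Fix brute force attack on unlock'). Mirroring that, e.g. `highlights: ['Fix download bypass on password-protected albums', 'minor fixes']`, keeps the two files in step. The follow-up patch's hunk re-adds the entry with the same highlights and would need the same change.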
@@ -8,7 +8,7 @@ const metadata = {
 // Release data extracted from releases.md
 export const releases = [
- { version: 'v7.6.3', date: 'Jun 22, 2026', title: 'Hotfix', type: 'security', highlights: ['Fixes major vulnerability', 'minor fixes'] },
+ { version: 'v7.6.3', date: 'Jun 24, 2026', title: 'Hotfix', type: 'security', highlights: ['Fixes major vulnerability', 'minor fixes'] },
 { version: 'v7.6.2', date: 'Jun 22, 2026', title: 'Hotfix', type: 'bugfix', highlights: ['Revert change to avoid breaking docker installs.'] },
 { version: 'v7.6.1', date: 'Jun 22, 2026', title: 'Hotfix', type: 'security', highlights: ['🌟 License key auto-rotations', 'Fix brute force attack on unlock'] },
 { version: 'v7.6.0', date: 'Jun 17, 2026', title: 'Moderation, Custom print sizes and more', type: 'major', highlights: ['Chunked download', 'Moderation features', 'folder upload', '🌟 Custom print sizes (SE)', '🌟 White-label (SE)'] },