Skip to content

1.10.1

Latest
Latest
Compare
Choose a tag to compare
@foosel foosel released this 14 May 09:52
1.10.1
e185475

Click here if you want to help with OctoPrint's funding!

✋ Heads-ups

The heads-ups from 1.10.0 still apply, please read this release's release notes as well for a full picture of what you should be aware of and what changed!

These heads-ups were added:

🔒 If you use autologin and have additional reverse proxies in front of OctoPrint, make sure they are configured correctly

If you have autologin enabled (which means OctoPrint will log you in automatically if you are accessing it from a local address), it is of utmost importance to properly configure any reverse proxies in front of OctoPrint so that the client IP can be determined correctly.

If you are accessing OctoPrint through haproxy as shipped on OctoPi, or behind a reverse proxy configured following one of the reverse proxy example configurations, there should be no issue. However, if you yourself have added any additional reverse proxies in front of OctoPrint, make sure those are configured correctly.

Please read more about this in the FAQ.

⛈ Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

♻ Changes

🔒 Security fixes

  • Severity High (7.1): It was possible for an unauthenticated attacker to completely bypass the authentication if the autologinLocal option was enabled within the Access Control configuration, even if they came from networks that were not configured as localNetworks, by spoofing their IP via the X-Forwarded-For header.

    Please note that this does not affect you unless you've enabled the autologinLocal feature (it ships as disabled by default and requires adjusting the config.yaml file to enable, or the installation of a third party plugin that does this for you). It likely also doesn't affect you if you have enabled said feature but have OctoPrint only accessible on a trusted network.

    If you have autologinLocal enabled and your OctoPrint instance is reachable from a hostile network like the internet, e.g. through a port forward, this does affect you and you need to update ASAP. Until you are able to update, it is strongly recommended to disable the autologin feature and/or make your instance inaccessible from potentially hostile networks.

    See also the GitHub Security Advisory and CVE-2024-32977.

✨ Features & improvements

Core

  • #4975: Reserved temperature identifiers not confirmed as supported but still sent by the printer's firmware will now only cause a warning log entry in octoprint.log on their first occurrence during a connection, not every time a temperature report is received. This is to combat log spam in case of firmware bugs and misconfiguration.
  • #5003: Make the ticks on the temperature graph's timeline automatically scale with the cutoff to keep the graph readable even with several hours of history.
  • Revert back to the netifaces dependency. While netifaces2 as used in 1.10.0 works well, it is sadly causing some build issues in the field. In the interest of giving as many people as possible access to any bug and especially security fixes, we are thus reverting to the (unmaintained) netifaces for now and keeping an eye on the wheel availability and compatibility of netifaces2 for a future rollout.

Achievements Plugin

  • #5007: Clarify the requirement to properly configure the timezone and allow to reset all or only the time based achievements.
  • Clarify that the Achievements Plugin is a plugin that can be disabled, if one doesn't want to have achievements.

🐛 Bug fixes

Core

  • #4952: Uploading multiple files through the web interface will now also work if printer side SD support has been disabled (see also PR#4953).
  • #4993: Fix resource consumption and server performance issues caused by a busy loop in the GCODE analysis.
  • PR#4996: Fix screenreader role on tabs to enable keyboard navigation
  • #5004: Fix drag'n'drop file uploading in Safari.
  • #5005: Fix netmask & external address detection.

Achievements Plugin

  • Fix the quote of the "One small step for (a) man" achievement to match NASA's official transcript.
  • Use configured timezone for internal stats as well.

Application Keys Plugin

  • #5001: Fix regular user's (non-admins) not being able to revoke application keys.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this bugfix release, especially to @cp2004 and @dawidpieper for their PRs!

Also a big thank you to @jacopotediosi for responsibly disclosing the security vulnerability fixed in this release.

🔗 More information

  • Commits
  • Release candidates:
    • As this is a bugfix release, there were no release candidates

Contributors

dawidpieper, jacopotediosi, and cp2004
Assets 6