Releases: alfio-event/alf.io
2.0-M4-2402-3
Alf.io 2.0-M4-2402-3 (2024-02-26)
This is a bugfix release for regressions/bugs introduced with 2.0-M4-2402.
Bugs fixed
- #1337 cannot change name of view column "tai_additional_info" to "e_version" (thanks to @daedric7 for reporting it)
Full Changelog: 2.0-M4-2402-1...2.0-M4-2402-2
2.0-M4-2402-1
Alf.io 2.0-M4-2402-1 (2024-02-24)
This is a bugfix release for regressions/bugs introduced with 2.0-M4-2402.
Bugs fixed
- #1334 Can't create Organizations (thanks to @titi1125 for reporting it)
- #1335 Additional Items do not handle discount properly
- #1336 Cannot update additional item policy
Full Changelog: 2.0-M4-2402...2.0-M4-2402-1
Alf.io 2.0-M4-2402
Security Fixes
- CVE-2024-25635: IDOR vulnerability allowing an organization owner to view other organizations' API keys and users - reported by @rac-fckscty
- CVE-2024-25634: IDOR allowing a user to read the e-mail log sent by other events - reported by @lujiefsi
- CVE-2024-25628: User sessions are not properly terminated - reported by @lujiefsi
- CVE-2024-25627: Cross-Site Scripting (XSS) via File Upload - reported by @PinkDraconian
What's Changed
- Build published on Docker for arm64
- Fix spring-session <-> spring security integration + session removal on user deletion/disable by @syjer in #1214
- Google Wallet integration by @cbellone and @yanaga in #1215
- case insensitive qr code by @cbellone in #1218
- Payments list by @cbellone in #1240
- Configuration API by @cbellone in #1249
- Purchase context level config by @cbellone in #1251
- #1269 Resolved the bug to show correct {{eventName}} on compose message page by @ved-asole in #1275
- Manage additional service quantity by @cbellone in #1308
- unify access resource check in a service by @syjer in #1310
- Date of birth field + additional fields for subscriptions by @cbellone in #1312
New Contributors
- @ved-asole made their first contribution in #1275
- @yanaga made their first contribution in #1215
Full Changelog: 2.0-M4-2304...2.0-M4-2402
Alf.io 2.0-M4-2304 (2023-04-24)
Security fixes
- CVE-2023-2258 - CSV Injection (High Severity)
- CVE-2023-2259 - Admin Self-inflicted Server-side template injection (High Severity)
- CVE-2023-2260 - Multiple IDOR vulnerabilities: reset password, disable users, update organization (High Severity)
Please note that all security fixes are related to the Backoffice application. Some of them impact only multi-tenant deployments.
The "public" application was not impacted.
Thanks to @huntr-helper contributors: @lujiefsi and @yelprofessor!
Improvements
- create Subscription reservation via API #1183 (sponsored by Eventplane)
- API to retrieve check-in log #1188 (sponsored by Eventplane)
- Refactor payment confirmation #1202 (sponsored by Eventplane)
- Resize images #1209 (sponsored by Eventplane)
- Preload Language #1192
- Custom VAT Application #1193
- Implement Reservation Export #1194
- Manage multiple sponsors scan #1205
Bugs fixed
- Fix user admin check #1206
Alf.io 2.0-M4-2301 (2023-01-14)
Security fixes
- CVE-2023-0300 (low severity) - Self-inflicted XSS
- CVE-2023-0301 (low severity) - Prevent organizers from inserting dangerous links within their event description
Please note that both security fixes are related to the Backoffice application. The "public" application was not impacted.
Thanks to @huntr-helper contributors!
Improvements
- Organization APIs at system level #1083 (sponsored by Eventplane)
- API for linking Subscriptions to an Event #1087 (sponsored by Eventplane)
Bugs fixed
- Cannot search reservation by invoice number #1090
- Remove button should not be displayed for checked-in tickets #1093
- Various errors when selecting / deselecting the payment method #1100
- Error on "Confirmed" items on the Additional services page #1108
- Stripe API not working as expected #1159 (thanks to @icougil for reporting it and for helping us debug it)
Alf.io 2.0-M4-2204 (2022-04-05)
Security fixes
This release contains a fix for CVE-2022-22965, a.k.a. "Spring Shell". Although we should not be impacted directly (we use Jetty instead of Tomcat as web server), we advise you to update your instance.
Improvements
- Accessibility improvements on the public reservation process
Bugs fixed
- #1054 Error after trying to login to the demo instance (thanks to @PaulGoldschmidt for reporting it)
Alf.io 2.0-M4 (2022-01-31)
This is the fourth milestone on our way to Alf.io v2. See Roadmap and full Changelog.
New Features
- Support Hybrid Events #949 (@cbellone)
- Introduce Subscriptions #987 - Sponsored by Eventplane (@syjer)
- Introduce Extension Capabilities #993 - Sponsored by Eventplane
- Custom Join Links for Online tickets #1017
- OpenID support for end customers #1006
- Enable reverse charge for a specific ticket type #1026
- Define a new API for creating reservations #1035 - sponsored by Eventplane
- Generate tickets automatically for subscriptions owners #1036 - sponsored by Eventplane
- Add additional info to check-in extension #1038
BREAKING CHANGES
This release includes some breaking changes in the database schema, making it incompatible with older versions of alf.io.
It is strongly recommended to perform a full backup of your database before installing it, so that if anything goes wrong you can roll back to the latest 2.0-M3.
Fixed Bugs
- Entering organisation or event stripe "Payment Webhook signing secret" may not override system value. #1019
- No way to view "additional options" or "donations" purchased so far. #1012
- Import existing attendees #998
- Transferring events between organisations breaks things #1046
- Cannot edit categories after changing event format #1024
Tech-related changes
Alf.io 2.0-M3-2112-2 (2021-12-18)
This release contains a security fix for the following CVEs:
- CVE-2021-45105
- CVE-2021-45046 (already fixed in 2.0-M3-2112-1)
- CVE-2021-44228 (already fixed in 2.0-M3-2112)
Update is strongly recommended.
Alf.io 2.0-M4.RC4 (2021-12-18)
This release contains a security fix for the following CVEs:
- CVE-2021-45105
- CVE-2021-45046 (already fixed in 2.0-M4.RC3)
- CVE-2021-44228 (already fixed in 2.0-M4.RC2)
Update is strongly recommended.
BREAKING CHANGES
2.0-M4.RC1 introduced some breaking changes in the database schema.
If you're updating from 2.0-M3, it is strongly suggested to perform a full backup of your database before installing it, so that if anything goes wrong you can roll back to the latest 2.0-M3.
Alf.io 2.0-M3-2112-1 (2021-12-15)
This release contains a security fix for the following CVEs:
- CVE-2021-45046
- CVE-2021-44228 (already fixed in 2.0-M3-2112)
Update is strongly recommended.