Release 2.1.25 is mostly a fix release in which was implemented a lot of corrections and security issues.

Notice that this release requires your attention before rolling it out on your production server.

Get last release

Main changes

Security

Fixes for XSS and SQL injections were performed in some queries that were still not protected.

Implementation of OWASP CSRF Protector Project library which securises Teampass against Cross Site Request Forgery. More information about it on OWASP website.

In case of an upgrade, please be sure to run the upgrade script to make this library to be initialized for your server.

For those interested, OWASP also provide securization at Apache server level through a specific module (it requires Apache 2.2).

Loggin users actions with Syslog

If you want to handle the login through Syslog, it is now possible by enabling this from the Settings page in tab “Customize”. In case you enable it, you need to indicate the Server location and its port.

Tree folders loaded sequentially

It is now possible to load the Tree folders sequentially. This may present an advantage in case of huge number of folders to be shown.

This is an option available at User level. To enable/disable this option,

  • open User Profile dialogbox,
  • in front of Tree load strategy select Full or Sequential.

New Yes/no button in Settings page

A new style for Yes/No buttons is now used in order to ease the visibility in the Settings page.

Important Changes

Please consider this chapter before upgrading your Teampass instance to this release.

Implementation of CSRFP library

After copying the files from 2.1.25 package on your server, it is mandatory to run the /install/upgrade.php in order to this library to be initialized on your server. If not run, it will not be possible to run Teampass without Errors.

Personal Saltkey evolution (since 2.1.24)

Related to bugs existing in the way to manage the PSK, some code changes have an impact on existing Personal Items.

The main impact is that PSK cannot contain anymore symbol characters and is limited to numbers, letters and hyphens.

So before updating, it is mandatory to inform your users that they need to change their PSK in case this one contains a symbol character (especially single quote and double quotes character).

If not done, there is no guarantee that their Personal Items passwords will be readable after migration.

Github tickets

The complete list of changes tracked in Github are available in changelog.md file.