Auditing of security events and lots of infrastructure changes
Today's update (b36b08a) brings with it the following changes:
Security issues
- Added audit messages for the following security events:
- Login success/failure
- E-portal authentication callback
- User impersonation
- User created/modified/deleted
- User accessed (profile page viewed)
- Credential modified
- Credential recovery
- Group membership modified
- Institution membership modified
- Role modified
- A programming error in the
reset_pwrequest handler made it possible to modify the password of any user without knowning the correct reset token. This issue has been improved further since the hotfix. - Changed behavior to not remove existing reset tokens when creating a new one. This avoids a potential denial-of-service attack vector in the reset password feature.
- When logging in as a new user while already logged in, a login failure will now log out the existing session.
- Upgraded to Perl 5.34.1 to fix security issues in
Archive::TarandCompress::Raw::Zlib. - Updated to
cpanm1.7045 to address the issue with CHECKSUMS file validation during CPAN package installation.
Performance improvements
- Started using the new e-portal health check endpoint to determine if API is available.
New features
- Changed Nginx web server from FastCGI to HTTP protocol for reverse-proxying to web application server. The web application server now uses standard PSGI/Plack runtime. Static file serving is now also supported directly in the web application server.
- Added test infrastructure to run NATS server and fully validate audit events.
Enhancements
- Changed CPAN dependency manager from Pinto to Carton.
- Now uses upstream versions of
perlbrewandcpanmdirectly, allowing for easier upgrades. - Simplified the code to support the
explaintemplate function.
Bugfixes
Feature removals / deprecations
- Removed support for FastCGI protocol for reverse-proxying. We use plain HTTP now, via PSGI.
- Removed Pinto and all CPAN packages directly from upstream.
- Stopped using
Module::Buildfor running test suite.
-
Portfolio
-
Blog
-
Migration to Ubuntu 22.04, Perl 5.38 and PostgreSQL 14
-
Fix e-mail and user name conflicts during e-portal login
-
Fixed e-portal login edge case and other bugs
-
Bugfix for broken reset password feature
-
Auditing of security events and lots of infrastructure changes
-
Fixed high severity security issue
-
Content parser, bugfixes and lots of feature removals
-
Enabled e-portal OIDC-based login method
-
New e-portal OIDC-based login and various bugfixes
-
Another hotpatch to fix recipient issue when forwarding message
-
Hotpatch: Fix invisible recipient in message system
-
Contact manager is now used in more places and more documentation available
-
Improved documentation and code quality
-
Improved email validation and other bugfixes
-
Improved message reading experience and other accessibility improvements
-
Improved object editor workflow and fixed user membership issues
-
Improve messaging and Google Chrome cookie behavior fixes
-
Migration from Rackspace to Azure data center
-
More user behavior reports and improved report performance
-
Improved documentation and page navigation
-
Fixed issue with client-side cookies on some sites
-
New macro feature, hardened security settings and lots of reference documentation
-
Voice message menu item, additional documentation and various bug fixes
-
Email notifications, better spam protection and improved documentation
-
Bugfixes, tracing identifers, improved metrics and more
-
Operating system upgrade
-
Improved database backup solution
-
Fixed server errors on delete_quiz and increased thumbnail timeouts
-
Fixed thumbnail generation issues, accessibility issues and more
-
Fix password-changing issue and other bugs
-
Fix issue with application error page being shown more than usual
-
Another hotpatch: PIN codes can be validated again
-
Hotpatch: Object comments can now be saved again
-
Improved self-registration workflow, increased performance and more
-
Remove inactive users feature and more GDPR privacy improvements
-
Template cookie access and improved email templates
-
Users are not deleted when ePortal message is received
-
Minor bugfix fixing user deletion issue
-
Security fix, ability to delete user account and more
-
Hashed passwords, faster search and more
-
Fix for contact manager timeout issue
-
Database upgrade, persistent connections and bulk metadata editor
-
Fixing regressions with new quiz() XHR submit feature
-
User session limit introduced, Flash rendering bugfixes and more
-
Fixed issues after yesterday's update
-
Reimplemented selector and quiz editor, lots of bugfixes and more
-
Fixed issue with formatting of timestamps from database
-
Timestamps now show in correct time zone and more lists are sorted correctly
-
New image measurement handler, Heap Analytics user tracking added and default permissions warning removed
-
Default permissions, CodeMirror editor improvements and bugfixes
-
Rewritten create_response() feature and various other improvements
-
Unexpected downtime because of hardware issue
-
Improved performance, WAV to MP3 transcoding and lots of other improvements
-
More powerful database server and some bugfixes
-
Migration to cloud environment, removal of cookie warning and chat feature
-
File uploading now fixed!
-
New plain-text editor, updated third-party packages in backend and more
-
Show all children in containers, signup form spambot protection, synthetic speech configuration persistence and more
-
Network upgrade completed
-
Fix audio playback in popups and various other minor issues
-
Hardware upgrade improves response time
-
New fs2tree template function, iOS MP3 playback bugfix and more
-
Unexpected downtime because of network issue
-
Faster user search, improved history feature and more bugfixes
-
Blob storage, history feature and performance improvements
-
IP address session protection changed and multiple bugfixes
-
SASS stylesheet rendering, page timeout, timers and more improvements
-
Fixed regressions in MP3 audio player
-
Enabled sending links to any objects and some bugfixes
-
Hotpatch to address bugs since last update
-
Improved performance for several reports and several other enhancements
-
HTTPS security fixes, institution blog and object locking performance fixes and much more
-
HTTPS support, quiz radio inline mode, Google Chrome voice recorder bugfix and more
-
New exam feature, filesystem(t) skip_custom_init feature and several bugfixes
-
EU cookie warning, changed e-portal login procedure and more
-
HTTP range request support, CORS header support and improved API documentation
-
CEFR placement test usage report, JSON response bugfix, updated video player, and more
-
Hotpatch to fix broken file uploader and more
-
New PDF watermark feature, rewritten text output handling and several bugfixes
-
New HTML5-based voice recorder, more API documentation and bugfixes
-
New feature to upload profile photo, improved access key form, developer documentation and several bugfixes
-
Major design overhaul, new file uploader and lots, lots more
-
Flash embedding has changed to support latest Flash runtime
-
Improved folder menu rendering, simplified language selection and more
-
Session security and language improvements
-
Session variables, flash messages, performance improvements and more
-
Update to Google Universal Analytics and fix multiple character encoding issues
-
Bugfix for missing send button on Java-based voice recorder
-
Server upgrades, feature additions and lots of improvements
-
Small update for better protection against latency during e-portal login
-
E-portal deadlock login issue fixed + JSON response mode
-
Fix character encoding issue with quiz assignments
-
Minor correction to user activity report
-
D-bok web reader working again
-
Improved voice recorder, file manager and much more
-
Signed Java applets and improved page view logging
-
Switch to Nginx and e-portal push message support
-
E-portal provisioning and multimedia playback revamp
-
Minor update: Added group quick-search box in my students report
-
New Flash-based sound recorder available
-
ePortal and BookSync integration available
-
Big user database cleanup, performance improvements and various bugfixes
-
Several minor problems fixed
-
Completely new course activity report
-
Time tracking issue in Internet Explorer 7 and 8 fixed!
-
Vastly improved user presence time tracking!
-
SOLVED: Problems to login with email
-
Improved report performance and email hidden everywhere
-
Object cycle (image of the week) feature
-
Real-time chat available!
-
A few bugfixes related to the new calendar feature
-
Forum comments in HTML and multiple bugfixes for IE7/8
-
Calendar with Skype integration
-
Project groups, MathML embedding and multiple bugfixes and improvements
-
New app API and lots of additional enhancements and bugfixes
-
New database server online
-
Better response time
-
Improved performance and concurrency
-
CEFR HTML email reports and several bugfixes and improvements
-
New update with group enrollment feature and various bugfixes
-
Mostly bugfixes and minor improvements
-
New video player, video thumbnails, quiz editor bug fixes and more
-
New speech synthesis and matchbox code
-
Lexin
-
Finally fixing the problematic IE7/8 crashes
-
New talkbook request handler and various bugfixes
-
Features galore: Statistics on questions, job notification msg +
-
List of the most active bloggers available
-
WYSIWYG editor finally working with Internet Explorer 9
-
Performance improvements finally coming!
-
Details on today's software update
-
Feilretting etter gårsdagens oppdatering
-
Software update completed!
-
Usage log functionality restored
-
Today's software update is completed
-
Software update today
-
Details on today's software update
-
Software update details
-
Unexpected downtime / instability
-
Software update completed!
-
Oppdatering av systemet 12.11.10
-
-