Blog

Product news and other information from the developers of Portfolio.
Showing 1 - 5 of 143
  • Multiple security fixes and fix a regression with teacher's student search

    Posted by: Robin Smidsrød 11. Dec 2025 14:14

    Today's update (83ca572) brings with it the following changes:

    Security issues

    • Fix cross-site scripting security issue in message system.
    • Fix cross-site-scripting security issue in preview_content(r).
    • Fix cross-site-scripting security issue in user profile related to user's name.

    Bugfixes

    • Because of a regression from a previous security fix, some teachers weren't able to find their students when searching for them in the new_message(r) contact manager form. This should now be rectified.
  • Security fixes, rate-limiting, metrics and upgrade to Perl 5.42.0

    Posted by: Robin Smidsrød 6. Nov 2025 17:46

    Today's update (e0705b8) brings with it the following changes:

    Security issues

    • Fix cross-site-scripting vulnerability (XSS) in user profile about me section.
    • Fix cross-site-scripting vulnerability (XSS) in send_message(r).
    • Fix vulnerability in the search user UI that allowed enumeration of all users. It now only searches your related users (e.g. from the same institution).
    • Upgrade CPAN package CryptX to 0.087 to fix multiple security vulnerabilities.
    • Upgrade CPAN package Mozilla::CA to 20250602 to fix security vulnerability.
    • Upgrade CPAN package Log::Any to 1.718 to fix security vulnerability.

    Performance improvements

    • Enable rate-limiting in web server to avoid denial-of-service attacks.

    New features

    • Add RED Prometheus metrics for observability.
    • Add saturation Prometheus metrics for observability.
    • Add audit events Prometheus metrics for observability.
    • Protect information in the /metrics endpoint from the public for privacy.

    Enhancements

    • Upgrade to latest stable version of Perl, 5.42.0.
    • Update all third-party CPAN packages to latest versions.
    • Use official Nginx packages instead of Ubuntu versions.
    • Use RenovateBot to keep third-party dependencies up to date.

    Bugfixes

    • Moved WYSIWYG content editor buttons around to support smaller screens better.
  • Migration to Ubuntu 22.04, Perl 5.38 and PostgreSQL 14

    Posted by: Robin Smidsrød 28. May 2024 18:45

    Today's update (645472d) brings with it the following changes:

    Security issues

    • Operating system has been updated to Ubuntu 22.04.

    Performance improvements

    • Perl has been upgraded to version 5.38.
    • PostgreSQL has been upgraded to version 14.

    Enhancements

    • Ensure e-Portal products only assigned to teachers are not accessible to students.
    • Changed HTTP status code emitted from front page handler to 200 when site is not configured.
    • Support IPv6 clients.

    Bugfixes

    • Update atime when blob is accessed in cache directory. This improves cache cleanup behavior.

    Feature removals / deprecations

    • Client-side performance monitoring using Report-To HTTP header has been disabled. This is to reduce costs for storage of this information, as it is no longer needed.
  • Fix e-mail and user name conflicts during e-portal login

    Posted by: Robin Smidsrød 24. Nov 2022 09:55

    Today's update (a557bed) brings with it the following changes:

    Enhancements

    • If an email or user name was in conflict with an existing user in Portfolio during e-portal login, it would generate a generic error message and synchronization would be aborted. Now the error message will contain either the user name or email in conflict, making it easier to figure out which user must be modified to fix the conflict.
    • If a user name from e-portal is in conflict with an existing user name in Portfolio, an error during synchronization would occur. With this change a new user name will be generated during login based on the conflicting user's full name.
  • Fixed e-portal login edge case and other bugs

    Posted by: Robin Smidsrød 27. Oct 2022 17:07

    Today's update (ba9f819) brings with it the following changes:

    Security issues

    • Set a limit on how large HTTP uploads are allowed to be, to avoid a potential denial-of-service situation.

    Bugfixes

    • When logging in directly by clicking on a product in e-portal that uses the OIDC-based login method, a session cookie was not generated before redirecting to the e-portal login system. This caused a Portfolio login prompt to be shown when returning from e-portal and trying to synchronize permissions. This issue should now be fixed.
    • Fixed issue where HTTP uploads larger than 1MB might not work properly.

    Feature removals / deprecations

    • Removed unused Portfolio::Course->student_progress() method.