File etherpad-lite.changes of Package etherpad-lite
-------------------------------------------------------------------
Thu Oct 2 15:13:09 UTC 2025 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
- Switch build from Python 2 to 3
- Package /srv/www directory (no longer part of filesystem, boo#1231027)
-------------------------------------------------------------------
Thu Jul 25 22:14:42 UTC 2024 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
- Facilitate AbiWord in AppArmor profile
-------------------------------------------------------------------
Wed Jul 24 20:36:39 UTC 2024 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
- Add AppArmor profile (confine application)
- Set PrivateTmp (avoid user uploads in system wide /tmp)
- Restart service on failure (5 attempts, useful if a remote database is not ready)
-------------------------------------------------------------------
Fri Jul 19 06:54:46 UTC 2024 - Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
- Update to 2.1.1:
* Fixed: Fallback to websocket and polling when unknown(old) config is present for socket io
* Fixed: Next page disabled if zero page by @samyakj023
* On CTRL+CLICK bring the window back to focus by Helder Sepulveda
* Fixed random websocket disconnects!
-------------------------------------------------------------------
Sat Jul 6 17:02:32 UTC 2024 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
- Refactor setup logic
-------------------------------------------------------------------
Sat Jul 6 14:29:40 UTC 2024 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
- Bundle new admin panel
-------------------------------------------------------------------
Sat Jun 22 14:47:07 UTC 2024 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>
- Update to 2.1.0:
* Added PWA support. You can now add your Etherpad instance to your home screen on your mobile device or desktop.
* Fixed live plugin manager versions clashing. Thanks to @yacchin1205
* Fixed a bug in the pad panel where pagination was not working correctly when sorting by pad name
* Reintroduced APIKey.txt support. You can now switch between APIKey and OAuth2.0 authentication. This can be toggled with the setting authenticationMethod. The default is OAuth2. If you want to use the APIKey method you can set that to apikey.
- From 2.0.3:
* Added documentation for replacing apikeys with oauth2
* Bumped live plugin manager to 0.20.0. Thanks to @fgreinacher
* Added better documentation for using docker-compose with Etherpad
- From 2.0.2:
* Fixed the locale loading in the admin panel
* Added OAuth2.0 support for the Etherpad API. You can now log in into the Etherpad API with your admin user using OAuth2
- From 2.0.1:
* Fixed a bug where a plugin depending on a scoped dependency would not install successfully.
- From 2.0.0:
* Socket io has been updated to 4.7.5. This means that the json.send function won't work anymore and needs to be changed to .emit('message', myObj)
* Deprecating npm version 6 in favor of pnpm: We have made the decision to switch to the well established pnpm (https://pnpm.io/). It works by symlinking dependencies into a global directory allowing you to have a cleaner and more reliable environment.
* Introducing Typescript to the Etherpad core: Etherpad core logic has been rewritten in Typescript allowing for compiler checking of errors.
* Rewritten Admin Panel: The Admin panel has been rewritten in React and now features a more pleasant user experience. It now also features an integrated pad searching with sorting functionality.
* Live Plugin Manager: The live plugin manager caused problems when a plugin had depdendencies defined. This issue is now resolved.
- Refactor patches:
* etherpad-lite_default_config.patch
* etherpad-lite_move_autogenerated_key_files_to_var.patch
(+ cover more APIKEY.txt occurrences)
* etherpad-lite_avoid_getGitCommit_call.patch
- Consolidate and update packaging instructions
- No longer rebuild NodeJS (unsatisfied dependencies)
- Require pnpm (required for plugins)
- Run in production mode
-------------------------------------------------------------------
Wed Feb 21 12:19:10 UTC 2024 - ecsos <ecsos@opensuse.org>
- Comment out:
- Environment=NODE_PG_FORCE_NATIVE=1
With enabled etherpad does not start.
- Restart=always
When exist an error, etherpad restarts in a continuous loop.
- Add %{buildroot}%{install_dir}/var.
Without that etherpad does not run.
- Add and %{install_dir}/plugin_packages
Without that etherpad will break when add plugins.
-------------------------------------------------------------------
Sun Feb 11 22:59:51 UTC 2024 - Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
- Switch user/group handling to sysusers
-------------------------------------------------------------------
Tue Feb 6 10:14:38 UTC 2024 - Lars Vogdt <lars@linux-schulserver.de>
- update to 1.9.7
+ Added Live Plugin Manager: Plugins are now installed into a
separate folder on the host system.
This folder is called plugin_packages.
+ That way the plugins are separated from the normal etherpad installation.
+ Make repairPad.js more verbose
+ Fixed favicon not being loaded correctly
- update vendor tarball
-------------------------------------------------------------------
Tue Dec 26 13:24:32 UTC 2023 - Lars Vogdt <lars@linux-schulserver.de>
- update to 1.9.6
+ Prevent etherpad crash when update server is not reachable
+ Use npm@6 in Docker build
+ Fix setting the log level in settings.json
- update vendor tarball
-------------------------------------------------------------------
Wed Dec 13 11:06:23 UTC 2023 - Lars Vogdt <lars@linux-schulserver.de>
- update to 1.9.5
Compability changes
* This version deprecates NodeJS16 as it reached its end of life and won't
receive any updates. So to get started with Etherpad v1.9.5 you need NodeJS
18 and above.
+ The bundled windows NodeJS version has been bumped to the current
LTS version 20.
Notable enhancements and fixes
* The support for the tidy program to tidy up HTML files has been
removed. This decision was made because it hasn't been updated
for years and also caused an incompability when exporting a pad
with Abiword.
-------------------------------------------------------------------
Wed Nov 8 10:42:47 UTC 2023 - Lars Vogdt <lars@linux-schulserver.de>
- update to 1.9.4
* Log4js has been updated to the latest version. As it involved a
bump of 6 major version a lot has changed since then. Most notably
the console appender has been deprecated.
* Fix for MySQL: The logger calls were incorrectly configured leading
to a crash when e.g. somebody uses a different encoding than standard
MySQL encoding.
- recompile node-gyp python code to avoid inconsistent mtimes in the
bytecode
- update vendor tarball
-------------------------------------------------------------------
Fri Oct 6 15:59:59 UTC 2023 - lars@linux-schulserver.de - 1.9.3
- update to 1.9.3
Compability changes
* express-rate-limit has been bumped to 7.0.0: This involves the
breaking change that "max: 0" in the importExportRateLimiting is
set to always trigger. So set it to your desired value.
If you haven't changed that value in the settings.json you are all set.
Notable enhancements and fixes
* Bugfixes
+ Fix etherpad crashing with mongodb database
* Enhancements
+ Add surrealdb database support. You can find out more about
this database here.
+ Make sqlite faster: The sqlite library has been switched to
better-sqlite3. This should lead to better performance.
-------------------------------------------------------------------
Tue Aug 22 10:23:06 UTC 2023 - lars@linux-schulserver.de - 1.9.2
- Update to 1.9.2
Notable enhancements and fixes
+ Security
o Enable session key rotation: This setting can be enabled in the
settings.json. It changes the signing key for the cookie
authentication in a fixed interval.
+ Bugfixes
o Fix appendRevision when creating a new pad via the API
without a text.
+ Enhancements
o Bump JQuery to version 3.7
o Update elasticsearch connector to version 8
Compatibility changes
+ No compability changes as JQuery maintains excellent backwards
compatibility.
For plugin authors
+ Please update to JQuery 3.7. There is an excellent deprecation
guide over here. Version 3.1 to 3.7 are relevant for the
upgrade.
- refreshed patches:
+ etherpad-lite_avoid_getGitCommit_call.patch
+ etherpad-lite_default_config.patch
+ etherpad-lite_move_autogenerated_key_files_to_var.patch
- adjusted rpmlintrc (removed unused entries):
+ devel-file-in-non-devel-package
+ files-duplicated-waste
+ pem-certificate
-------------------------------------------------------------------
Mon Jul 3 13:33:50 UTC 2023 - lars@linux-schulserver.de - 1.9.1
- Update to 1.9.1
Notable enhancements and fixes
+ Security
o Limit requested revisions in timeslider and export to head revision.
+ Bugfixes
o revisions in CHANGESET_REQ (timeslider) and export (txt, html, custom)
are now checked to be numbers.
o bump sql for audit fix
+ Enhancements
o Add keybinding meta-backspace to delete to beginning of line
o Fix automatic Windows build via GitHub Actions
o Enable docs to be build cross platform thanks to asciidoctor
Compatibility changes
+ tests: drop windows 7 test coverage & use chrome latest for admin tests
+ Require Node 16 for Etherpad and target Node 20 for testing
-------------------------------------------------------------------
Thu Jun 22 09:02:09 UTC 2023 - lars@linux-schulserver.de - 1.9.0
- Update to 1.9.0
+ Improvements to login session management:
o express_sid cookies and sessionstorage:* database records are no longer
created unless requireAuthentication is true (or a plugin causes them to
be created).
o Login sessions now have a finite lifetime by default (10 days after
leaving).
o sessionstorage:* database records are automatically deleted when the login
session expires (with some exceptions that will be fixed in the future).
o Requests for static content (e.g., /robots.txt) and special pages (e.g.,
the HTTP API, /stats) no longer create login session state.
+ The following settings from settings.json are now applied as expected (they
were unintentionally ignored before):
o padOptions.lang
o padOptions.showChat
o padOptions.userColor
o padOptions.userName
+ HTTP API:
o Fixed the return value of getText when called with a specific revision.
o Fixed a potential attribute pool corruption bug with
copyPadWithoutHistory.
o Mappings created by createGroupIfNotExistsFor are now removed from the
database when the group is deleted.
o Fixed race conditions in the setText, appendText, and restoreRevision
functions.
o Added an optional authorId parameter to appendText,
copyPadWithoutHistory, createGroupPad, createPad, restoreRevision,
setHTML, and setText, and bumped the latest API version to 1.3.0.
+ Fixed a crash if the database is busy enough to cause a query timeout.
+ New /health endpoint for getting information about Etherpad's health (see
draft-inadarei-api-health-check-06).
+ Docker now uses the new /health endpoint for health checks, which avoids
issues when authentication is enabled. It also avoids the unnecessary creation
of database records for managing browser sessions.
+ When copying a pad, the pad's records are copied in batches to avoid database
timeouts with large pads.
+ Exporting a large pad to .etherpad format should be faster thanks to bulk
database record fetches.
+ When importing an .etherpad file, records are now saved to the database in
batches to avoid database timeouts with large pads.
For plugin authors
+ New expressPreSession server-side hook.
+ Pad server-side hook changes:
o padCheck: New hook.
o padCopy: New srcPad and dstPad context properties.
o padDefaultContent: New hook.
o padRemove: New pad context property.
+ The db property on Pad objects is now public.
+ New getAuthorId server-side hook.
+ New APIs for processing attributes: ep_etherpad-lite/static/js/attributes
(low-level API) and ep_etherpad-lite/static/js/AttributeMap (high-level
API).
+ The import server-side hook has a new ImportError context property.
+ New exportEtherpad and importEtherpad server-side hooks.
+ The handleMessageSecurity and handleMessage server-side hooks have a new
sessionInfo context property that includes the user's author ID, the pad ID,
and whether the user only has read-only access.
+ The handleMessageSecurity server-side hook can now be used to grant write
access for the current message only.
+ The init_<pluginName> server-side hooks have a new logger context
property that plugins can use to log messages.
+ Prevent infinite loop when exiting the server
Bump dependencies
Compatibility changes
+ Node.js v14.15.0 or later is now required.
+ The default login session expiration (applicable if requireAuthentication is
true) changed from never to 10 days after the user leaves.
For plugin authors
+ The client context property for the handleMessageSecurity and
handleMessage server-side hooks is deprecated; use the socket context
property instead.
+ Pad server-side hook changes:
o padCopy:
The originalPad context property is deprecated; use srcPad instead.
The destinationID context property is deprecated; use dstPad.id
instead.
o padCreate: The author context property is deprecated; use the new
authorId context property instead. Also, the hook now runs asynchronously.
o padLoad: Now runs when a temporary Pad object is created during import.
Also, it now runs asynchronously.
o padRemove: The padID context property is deprecated; use pad.id
instead.
o padUpdate: The author context property is deprecated; use the new
authorId context property instead. Also, the hook now runs asynchronously.
+ Returning true from a handleMessageSecurity hook function is deprecated;
return 'permitOnce' instead.
+ Changes to the src/static/js/Changeset.js library:
o The following attribute processing functions are deprecated (use the new
attribute APIs instead):
- attribsAttributeValue()
- eachAttribNumber()
- makeAttribsString()
- opAttributeValue()
- opIterator(): Deprecated in favor of the new deserializeOps() generator
function.
- appendATextToAssembler(): Deprecated in favor of the new opsFromAText()
generator function.
- newOp(): Deprecated in favor of the new Op class.
+ The AuthorManager.getAuthor4Token() function is deprecated; use the new
AuthorManager.getAuthorId() function instead.
+ The exported database records covered by the exportEtherpadAdditionalContent
server-side hook now include keys like ${customPrefix}:${padId}:*, not just
${customPrefix}:${padId}.
+ Plugin locales should overwrite core's locales Stale
+ Plugin locales overwrite core locales
- updated vendor tarball
-------------------------------------------------------------------
Mon May 9 07:36:16 UTC 2022 - lars@linux-schulserver.de - 1.8.18
- Update to 1.8.18
+ Upgraded ueberDB to fix a regression with CouchDB (#5532)
- updated vendor tarball
-------------------------------------------------------------------
Mon Mar 14 13:47:12 UTC 2022 - ecsos <ecsos@opensuse.org>
- Update to 1.8.17
* Security fixes
- Fixed a vunlerability in the CHANGESET_REQ message handler
that allowed a user with any access to read any pad if the
pad ID is known.
* Notable enhancements and fixes
- Fixed a bug that caused all pad edit messages received at the
server to go through a single queue. Now there is a separate
queue per pad as intended, which should reduce message
processing latency when many pads are active at the same time.
-------------------------------------------------------------------
Mon Dec 20 12:55:09 UTC 2021 - ecsos <ecsos@opensuse.org>
- Enable patch0, patch1, patch2 angain.
Without patch0 etherpad-lite can not be start.
- Refresh,fix and extend patch0: default_config.patch
- Fix some rpmlint errors.
- Add filter in rpmlintrc and delete unused filter suse-*,
because of Tumbleweed build error.
-------------------------------------------------------------------
Fri Dec 3 09:55:39 UTC 2021 - lars@linux-schulserver.de - 1.8.16
- update to 1.8.16
Security fixes
+ Maliciously crafted .etherpad files can no longer overwrite arbitrary
non-pad database records when imported.
+ Imported .etherpad files are now subject to numerous consistency checks
before any records are written to the database. This should help avoid
denial-of-service attacks via imports of malformed .etherpad files.
+ Fixed leak of the writable pad ID when exporting from the pad's
read-only ID. This only matters if you treat the writeable pad IDs
as secret (e.g., you are not using ep_padlist2) and you share the
pad's read-only ID with untrusted users.
Instead of treating writeable pad IDs as secret, you are encouraged
to take advantage of Etherpad's authentication and authorization
mechanisms (e.g., use ep_openid_connect with ep_readonly_guest,
or write your own authentication and authorization plugins).
+ Updated dependencies.
Notable enhancements and fixes
+ Fixed several .etherpad import bugs.
+ Improved support for large .etherpad imports.
+ Accessibility fix for JAWS screen readers.
+ Fixed "clear authorship" error (see issue #5128).
+ Etherpad now considers square brackets to be valid URL characters.
+ The server no longer crashes if an exception is thrown while processing
a message from a client.
+ The useMonospaceFontGlobal setting now works (thanks @Lastpixl!).
+ Chat improvements:
- The message input field is now a text area, allowing multi-line
messages (use shift-enter to insert a newline).
- Whitespace in chat messages is now preserved.
+ Worked around a Firefox Content Security Policy bug that caused CSP
failures when 'self' was in the CSP header. See issue #4975 for details.
+ UeberDB upgraded from v1.4.10 to v1.4.18. For details, see the
ueberDB changelog. Highlights:
- The postgrespool driver was renamed to postgres, replacing the old
driver of that name. If you used the old postgres driver, you may
see an increase in the number of database connections.
- For postgres, you can now set the dbSettings value in settings.json
to a connection string (e.g., "postgres://user:password@host/dbname")
instead of an object.
- For mongodb, the dbName setting was renamed to database (but dbName
still works for backwards compatibility) and is now optional (if
unset, the database name in url is used).
+ /admin/settings now honors the --settings command-line argument.
+ Fixed "Author X tried to submit changes as author Y" detection.
+ Error message display improvements.
+ Simplified pad reload after importing an .etherpad file.
Compatibility changes
+ The logconfig setting is deprecated.
- refreshed the following patches:
+ etherpad-lite_avoid_getGitCommit_call.patch
+ etherpad-lite_default_config.patch
+ etherpad-lite_move_autogenerated_key_files_to_var.patch
-------------------------------------------------------------------
Mon Jul 5 12:23:15 UTC 2021 - lars@linux-schulserver.de - 1.8.14
- update to 1.8.14
Security fixes
+ Fixed a persistent XSS vulnerability in the Chat component.
Compatibility changes
+ Node.js v12.13.0 or later is now required.
+ The favicon setting is now interpreted as a pathname to a favicon
file, not a URL.
Please see the documentation comment in settings.json.template.
+ The undocumented faviconPad and faviconTimeslider settings
have been removed.
+ MySQL/MariaDB now uses connection pooling, which means you will
see up to 10 connections to the MySQL/MariaDB server (by default)
instead of 1.
This might cause Etherpad to crash with a
"ER_CON_COUNT_ERROR: Too many connections"
error if your server is configured with a low connection limit.
+ Changes to environment variable substitution in settings.json
(see the documentation comments in settings.json.template for details)
+ An environment variable set to the string "null" now becomes null
instead of the string "null". Similarly, if the environment variable
is unset and the default value is "null" (e.g., "${UNSET_VAR:null}"),
the value now becomes null instead of the string "null".
It is no longer possible to produce the string "null" via
environment variable substitution.
+ An environment variable set to the string "undefined" now causes
the setting to be removed instead of set to the string "undefined".
Similarly, if the environment variable is unset and the default
value is "undefined" (e.g., "${UNSET_VAR:undefined}"), the setting
is now removed instead of set to the string "undefined".
It is no longer possible to produce the string "undefined" via
environment variable substitution.
+ Support for unset variables without a default value is now
deprecated. Please change all instances of "${FOO}" in your
settings.json to ${FOO:null} to keep the current behavior.
+ The DB_* variable substitutions in settings.json.docker that
previously defaulted to null now default to "undefined".
+ Calling next without argument when using Changeset.opIterator
does always return a new Op. See b9753dc for details.
Notable enhancements and fixes
+ MySQL/MariaDB now uses connection pooling, which should improve
stability and reduce latency.
+ Bulk database writes are now retried individually on write failure.
+ Minify: Avoid crash due to unhandled Promise rejection if stat fails.
+ padIds are now included in /socket.io query string, e.g.
https://video.etherpad.com/socket.io/?padId=AWESOME&EIO=3&transport=websocket&t=...&sid=....
This is useful for directing pads to separate socket.io nodes.
+ <script> elements added via aceInitInnerdocbodyHead hook are now executed.
+ Fix read only pad access with authentication.
+ Await more db writes.
+ Disabled wtfnode dump by default.
+ Send USER_NEWINFO messages on reconnect.
+ Fixed loading in a hidden iframe.
+ Fixed a race condition with composition. (Thanks @ingoncalves for
an exceptionally detailed analysis and @rhansen for the fix.)
- refreshed vendor.tar.xz
- refreshed patches:
+ etherpad-lite_avoid_getGitCommit_call.patch
+ etherpad-lite_default_config.patch
+ etherpad-lite_move_autogenerated_key_files_to_var.patch
- require nodejs and npm >= 12.13.0
-------------------------------------------------------------------
Thu Apr 15 15:35:48 UTC 2021 - lars@linux-schulserver.de - 1.8.13
- update to 1.8.13
Notable fixes
* Fixed a bug in the safeRun.sh script (#4935)
* Add more endpoints that do not need authentication/authorization (#4921)
* Fixed issue with non-opening device keyboard on smartphones (#4929)
* Add version string to iframe_editor.css to prevent stale cache entry (#4964)
Notable enhancements
* Refactor pad loading (no document.write anymore) (#4960)
* Improve import/export functionality, logging and tests (#4957)
* Refactor CSS manager creation (#4963)
* Better metrics
* Add test for client height (#4965)
Dependencies
* ueberDB2 1.3.2 -> 1.4.4
* express-rate-limit 5.2.5 -> 5.2.6
* etherpad-require-kernel 1.0.9 -> 1.0.11
- updated vendor file
- ignore etherpad-lite_abiword_missing_AbiCommand.patch for now
- refreshed patches:
+ etherpad-lite_avoid_getGitCommit_call.patch
+ etherpad-lite_default_config.patch
+ etherpad-lite_move_autogenerated_key_files_to_var.patch
- package documentation without executable bit
-------------------------------------------------------------------
Thu Mar 11 08:33:18 UTC 2021 - lars@linux-schulserver.de - 1.8.12
- update to 1.8.12
Security patches
* Fixed a regression in v1.8.11 which caused some pad names to cause
Etherpad to restart.
* Resolve potential ReDoS vulnerability in your project - GHSL-2020-359
Compatibility changes
* JSONP API has been removed in favor of using the mature
OpenAPI implementation.
* Node 14 is now required for Docker Deployments
Notable fixes
* Fixed a bug in the dirty database driver that sometimes caused
Node.js to crash during shutdown and lose buffered database writes.
* Fixed a regression in v1.8.8 that caused "Uncaught TypeError:
Cannot read property '0' of undefined" with some plugins (#4885)
* Less warnings in server console for supported element types on import.
* Support Azure and other network share installations by using a more
truthful relative path.
* Fix server crash issue within PadMessageHandler due to SocketIO handling
* Fix editor issue with drop downs not being visible
* Ensure correct version is passed when loading front end resources
* Ensure underscore and jquery are available in original location
for plugin comptability
* Various performance and stability fixes
Notable enhancements
* Dependency updates
* Various Docker deployment improvements
* Various new translations
* Improvement of rendering of plugin hook list and error message handling
* Improved page load speeds
* Improved line number alignment and user experience around line anchors
* Notification to admin console if a plugin is missing during user file import
* Beautiful loading and reconnecting animation
* Additional code quality improvements
* Dependency updates
- refreshed the following patches:
+ etherpad-lite_avoid_getGitCommit_call.patch
+ etherpad-lite_default_config.patch
+ etherpad-lite_move_autogenerated_key_files_to_var.patch
+ etherpad-lite_abiword_missing_AbiCommand.patch
-------------------------------------------------------------------
Thu Feb 11 15:10:47 UTC 2021 - mrueckert@suse.de - 1.8.7
- switch node_modules tarball to vendor.tar.xz
- minor cleanup of the spec file
-------------------------------------------------------------------
Mon Dec 28 19:06:05 UTC 2020 - lars@linux-schulserver.de - 1.8.7
- update to 1.8.7
Compatibility-breaking changes
* IMPORTANT: It is no longer possible to protect a group pad with a
password. All API calls to setPassword or isPasswordProtected will fail.
Existing group pads that were previously password protected will no longer be
password protected. If you need fine-grained access control, you can restrict
API session creation in your frontend service, or you can use plugins.
* All workarounds for Microsoft Internet Explorer have been removed. IE might
still work, but it is untested.
* Plugin hook functions are now subject to new sanity checks. Buggy hook
functions will cause an error message to be logged
* Authorization failures now return 403 by default instead of 401
* The authorize hook is now only called after successful authentication. Use
the new preAuthorize hook if you need to bypass authentication
* The authFailure hook is deprecated; use the new authnFailure and
authzFailure hooks instead
* The indexCustomInlineScripts hook was removed
* The client context property for the handleMessage and
handleMessageSecurity hooks has been renamed to socket (the old name is
still usable but deprecated)
* The aceAttribClasses hook functions are now called synchronously
* The format of ENTER, CREATE, and LEAVE log messages has changed
* Strings passed to $.gritter.add() are now expected to be plain text, not
HTML. Use jQuery or DOM objects if you need formatting
Notable new features
* Users can now import without creating and editing the pad first
* Added a new readOnly user setting that makes it possible to create users in
settings.json that can read pads but not create or modify them
* Added a new canCreate user setting that makes it possible to create users in
settings.json that can modify pads but not create them
* The authorize hook now accepts readOnly to grant read-only access to a pad
* The authorize hook now accepts modify to grant modify-only (creation
prohibited) access to a pad
* All authentication successes and failures are now logged
* Added a new cookie.sameSite setting that makes it possible to enable
authentication when Etherpad is embedded in an iframe from another site
* New exportHTMLAdditionalContent hook to include additional HTML content
* New exportEtherpadAdditionalContent hook to include additional database
content in .etherpad exports
* New expressCloseServer hook to close Express when required
* The padUpdate hook context now includes revs and changeset
checkPlugins.js has various improvements to help plugin developers
* The HTTP request object (and therefore the express-session state) is now
accessible from within most eejsBlock_* hooks
* Users without a password or hash property in settings.json are no longer
ignored, so they can now be used by authentication plugins
* New permission denied modal and block permissionDenied
Plugins are now updated to the latest version instead of minor or patches
Notable fixes
* Fixed rate limit accounting when Etherpad is behind a reverse proxy
* Fixed typos that prevented access to pads via an HTTP API session
* Fixed authorization failures for pad URLs containing a percent-encoded
character
* Fixed exporting of read-only pads
* Passwords are no longer written to connection state database entries or logged
in debug logs
* When using the keyboard to navigate through the toolbar buttons the button
with the focus is now highlighted
* Fixed support for Node.js 10 by passing the --experimental-worker flag
* Fixed export of HTML attributes within a line
* Fixed occasional "Cannot read property 'offsetTop' of undefined" error in
timeslider when "follow pad contents" is checked
socket.io errors are now displayed instead of silently ignored
* Pasting while the caret is in a link now works (except for middle-click paste
on X11 systems)
* Removal of Microsoft Internet Explorer specific code
* Import better handles line breaks and white space
* Fix issue with createDiffHTML incorrect call of getInternalRevisionAText
* Allow additional characters in URLs
* MySQL engine fix and various other UeberDB updates (See UeberDB changelog).
* Admin UI improvements on search results (to remove duplicate items)
* Removal of unused cruft from clientVars (ip and userAgent)
Minor changes
* Temporary disconnections no longer force a full page refresh
* Toolbar layout for narrow screens is improved
* Fixed SameSite cookie attribute for the language, token, and pref
cookies
* Fixed superfluous database accesses when deleting a pad
* Expanded test coverage.
* package-lock.json is now lint checked on commit
* Various lint fixes/modernization of code
- refreshed node_modules tarball
- refreshed patches:
+ etherpad-lite_abiword_missing_AbiCommand.patch
+ etherpad-lite_avoid_getGitCommit_call.patch
+ etherpad-lite_default_config.patch
+ etherpad-lite_move_autogenerated_key_files_to_var.patch
-------------------------------------------------------------------
Thu Oct 15 15:26:20 UTC 2020 - lars@linux-schulserver.de - 1.8.6
- update to 1.8.6
IMPORTANT: This fixes a severe problem with postgresql in 1.8.5
SECURITY: Fix authentication bypass vulnerability
API: Update version to 1.2.15
FEATURE: Add copyPadWithoutHistory API (#4295)
FEATURE: Package more asset files to save http requests (#4286)
MINOR: Improve UI when reconnecting
TESTS: Improve tests
- refreshed/renamed all patches
- refreshed node_modules tarball
-------------------------------------------------------------------
Wed Sep 16 18:35:28 UTC 2020 - lars@linux-schulserver.de - 1.8.5
- update to 1.8.5
IMPORTANT DROP OF SUPPORT: Drop support for IE. Browsers now need async/await.
IMPORTANT SECURITY: Rate limit Commits when env=production
SECURITY: Non completed uploads no longer crash Etherpad
SECURITY: Log authentication requests
FEATURE: Support ES6 (migrate from Uglify-JS to Terser)
FEATURE: Improve support for non-cookie enabled browsers
FEATURE: New hooks for index.html
FEATURE: New script to delete sessions.
FEATURE: New setting to allow import withing an author session on a pad
FEATURE: Checks Etherpad version on startup and notifies if update
is available. Also available in /admin interface.
FEATURE: Timeslider updates pad location to most recent edit
MINOR: Outdent UL/LI items on removal of list item
MINOR: Various UL/LI import/export bugs
MINOR: PDF export fix
MINOR: Front end tests no longer run (and subsequently error) on pull requests
MINOR: Fix issue with
closing a list before it opens
MINOR: Fix bug where large pads would fire a console error in timeslider
MINOR: Fix ?showChat URL param issue
MINOR: Issue where timeslider URI fails to be correct if padID is numeric
MINOR: Include prompt for clear authorship when entire document is selected
MINOR: Include full document aText every 100 revisions to make
pad restoration on database curruption achievable
MINOR: Several Colibris CSS fixes
MINOR: Use mime library for mime types instead of hard-coded.
MINOR: Don't show "new pad button" if instance is read only
MINOR: Use latest NodeJS when doing Windows build
MINOR: Change disconnect logic to reconnect instead of silently failing
MINOR: Update SocketIO, async, jQuery and Mocha which were stuck due to stale code.
MINOR: Rewrite the majority of the bin scripts to use more modern syntax
MINOR: Improved CSS anomation through prefers-reduced-motion
PERFORMANCE: Use workers (where possible) to minify CSS/JS on
first page request. This improves initial startup times.
PERFORMANCE: Cache EJS files improving page load speed when maxAge > 0.
PERFORMANCE: Fix performance for large pads
TESTS: Additional test coverage for OL/LI/Import/Export
TESTS: Include Simulated Load Testing in CI.
TESTS: Include content collector tests to test contentcollector.js
logic external to pad dependents.
TESTS: Include fuzzing import test.
TESTS: Ensure CI is no longer using any cache
TESTS: Fix various tests...
TESTS: Various additional Travis testing including libreoffice import/export
- refreshed all patches
-------------------------------------------------------------------
Fri May 29 09:45:51 UTC 2020 - lars@linux-schulserver.de - 1.8.4
- added etherpad-lite-1.8.4-abiword_missing_AbiCommand.patch:
+ looks like the latest abiword 3.0.2 on Leap 15.1 does not work
together with etherpad-lite: "Plugin AbiCommand not found or loaded"
=> this patch simply falls back to the '--to' commandline
option of abiword to get the export done
-------------------------------------------------------------------
Wed May 27 09:39:09 UTC 2020 - lars@linux-schulserver.de - 1.8.4
- update to 1.8.4
This is a maintenance release after 1.8.3.
Users relying on MySQL are particularly encouraged to upgrade.
FIX: fix a performance regression on MySQL introduced in 1.8.3
FIX: when running behind a reverse proxy and exposed in an inner directory,
fonts and toolbar icons should now be visible.
This is a regression introduced in 1.8.3
FIX: cleanups in the UI after the CSS rehaul of 1.8.3
MINOR: protect against bugged/stale UI elements after updates. An explicit
cache busting via random query string is performed at each start.
This needs to be replaced with hashed names in static assets.
MINOR: improved some tests
MINOR: fixed long-standing bugs in the maintenance tools in /bin
(migrateDirtyDBtoRealDB, rebuildPad, convert, importSqlFile)
from 1.8.3:
FEATURE: colibris is now the default skin for new installs
FEATURE: improved colibris visuals, and migrated to Flexbox layout
FEATURE: skin variants: colibris skin colors can be easily customized.
Visit http://127.0.0.1:9001/p/test#skinvariantsbuilder
REQUIREMENTS: minimum required Node version is 10.13.0 LTS.
MINOR: stability fixes for the async migration in 1.8.0
(fixed many UnhandledPromiseRejectionWarning and the few remaining crashes)
MINOR: improved stability of import/export functionality
MINOR: fixed many small UI quirks (timeslider, import/export, chat)
MINOR: Docker images are now built & run in production mode by default
MINOR: reduced the size of the Docker images
MINOR: better documented cookies and configuration parameters of the Docker image
MINOR: better database support (especially MySQL)
MINOR: additional test coverage
MINOR: restored compatibility with ep_hash_auth
MINOR: migrate from swagger-node-express to openapi-backend
MINOR: honor the Accept-Language HTTP headers sent by browsers, eventually serving language variants
PERFORMANCE: correctly send HTTP/304 for minified files
SECURITY: bumped many dependencies. At the time of the release, this
version has 0 reported vulnerabilities by npm audit
SECURITY: never send referrer when opening a link
SECURITY: rate limit imports and exports
SECURITY: do not allow pad import if a user never contributed to that pad
SECURITY: expose configuration parameter for limiting max import size
BREAKING CHANGE: undoing the "clear authorship colors" command is no
longer supported (see #2802)
BREAKING CHANGE: the visuals and CSS structure of the page was updated.
Plugins may need a CSS rehaul
- refreshed modules tarball
- added etherpad-lite-1.8.4_avoid_getGitCommit_call.patch to avoid
"ENOENT: no such file or directory, lstat '/srv/www/etherpad-lite/.git'"
messages at server start
- rebased A etherpad-lite-*_default_config.patch and
etherpad-lite-*_move_autogenerated_key_files_to_var.patch
-------------------------------------------------------------------
Fri Jan 3 14:00:00 UTC 2020 - lars@linux-schulserver.de - 1.8.0
- update to 1.8.0
SECURITY: change referrer policy so that Etherpad addresses aren't
leaked when links are clicked (discussion: #3636)
SECURITY: set the "secure" flag for the session cookies when served
over SSL. From now on it will not be possible to serve the
same instance both in cleartext and over SSL
FEATURE: code was migrated to async/await, getting rid of a lot
of callbacks (see #3540)
FEATURE: support configuration via environment variables
FEATURE: include an official Dockerfile in the main repository
FEATURE: support including plugins in custom Docker builds
FEATURE: conditional creation of users: when its password is null,
a user is not created. This helps, for example, in advanced
configuration of Docker images.
REQUIREMENTS: minimum required Node version is 8.9.0 LTS. Release
1.8.3 will require at least Node 10.13.0 LTS
MINOR: in the HTTP API, allow URL parameters and POST bodies to co-exist
MINOR: fix Unicode bug in HTML export
MINOR: bugfixes to colibris chat window
MINOR: code simplification (avoided double negations, introduced
early exits, ...)
MINOR: reduced the size of the Windows package
MINOR: upgraded the nodejs runtime to 10.16.3 in the Windows package
SECURITY: avoided XSS in IE11
SECURITY: the version is exposed in http header only when configured
SECURITY: updated vendored jQuery version
SECURITY: bumped dependencies
- refreshed modules tarball
- added README.openSUSE
- rebased A etherpad-lite-*_default_config.patch and
etherpad-lite-*_move_autogenerated_key_files_to_var.patch
-------------------------------------------------------------------
Mon Dec 2 21:15:22 UTC 2019 - lars@linux-schulserver.de - 1.7.5
- update to 1.7.5
NEW: Catch SIGTERM for graceful shutdown
NEW: Show actual applied text formatting for caret position
NEW: Add settings to improve scrolling of viewport on line changes
NEW: Added pad shortcut disabling feature
NEW: Create option to automatically reconnect after a few seconds
FEATURE: introduced support for multiple skins.
See http://etherpad.org/doc/v1.7.5/#index_skins
FEATURE: added a new, optional skin. It can be activated choosing
skinName: "colibris" in settings.json
FEATURE: allow file import using LibreOffice
SECURITY: updated many dependencies. No known high or moderate
risk dependencies remain.
SECURITY: generate better random pad names
SECURITY: updated MySQL, Elasticsearch and PostgreSQL drivers
SECURITY: started updating deprecated code and packages
SECURITY: Escape data when listing available plugins
SECURITY: Update ejs
SECURITY: xss vulnerability when reading window.location.href
SECURITY: sanitize jsonp
FIX: don't nuke all installed plugins if npm install fails
FIX: improved LibreOffice export
FIX: allow debug mode on node versions >= 6.3
FIX: getLineHTMLForExport() no longer produces multiple copies of a line.
WARNING: this could potentially break some plugins
FIX: authorship of bullet points no longer changes when a second
author edits them
FIX: improved Firefox compatibility (non printable keys)
FIX: getPadPlainText() was not working
FIX: line numbers are aligned with text again (broken in 1.6.4)
FIX: text entered between connection loss and reconnection was not saved
FIX: diagnostic call failed when etherpad was exposed in a subdirectory
FIX: Fix typo in apicalls.js which prevented importing isValidJSONPName
FIX: fixed plugin dependency issue
FIX: Update iframe_editor.css
FIX: unbreak Safari iOS line wrapping
FIX: minification of code
Update: socket.io to 1.7.3
Update: l10n lib
Update: request to 2.83.0
Update: Node for windows to 8.9.0
- build as noarch
- fix some env calls
- adjusted patches:
+ etherpad-lite-1.7.5_default_config.patch
+ etherpad-lite-1.7.5_move_autogenerated_key_files_to_var.patch
-------------------------------------------------------------------
Thu Aug 3 09:37:58 UTC 2017 - mrueckert@suse.de
- update to 1.6.1
- install pg-native and force usage
-------------------------------------------------------------------
Fri Aug 5 10:16:31 UTC 2016 - mrueckert@suse.de
- update to 1.6.0:
- SECURITY: Fix a possible xss attack in iframe link
- NEW: Add a aceSelectionChanged hook to allow plugins to react
when the cursor location changes.
- NEW: Accepting Arrays on 'exportHtmlAdditionalTags' to handle
attributes stored as ['key', 'value']
- NEW: Allow admin to run on a sub-directory
- NEW: Support version 5 of node.js
- NEW: Update windows build to node version 4.4.3
- NEW: Create setting to control if a new line will be indented
or not
- NEW: Add an appendText API
- NEW: Allow LibreOffice to be used when exporting a pad
- NEW: Create hook exportHtmlAdditionalTagsWithData
- NEW: Improve DB migration performance
- NEW: allow settings to be applied from the filesystem
- NEW: remove applySettings hook and allow credentials.json to be
part of core
- NEW: Use exec to switch to node process
- NEW: Validate incoming color codes
- Fix: Avoid space removal when pasting text from word processor.
- Fix: Removing style that makes editor scroll to the top on iOS
without any action from the user
- Fix: Fix API call appendChatMessage to send new message to all
connected clients
- Fix: Timeslider "Return to pad" button
- Fix: Generating pad HTML with tags like instead of TAG:VALUE
- Fix: Get git commit hash even if the repo only points to a bare
repo.
- Fix: Fix decode error if pad name contains special characters
and is sanitized
- Fix: Fix handleClientMessage_USER_* payloads not containing
user info
- Fix: Set language cookie on initial load
- Fix: Timeslider Not Translated
- Other: set charset for mysql connection in settings.json
- Other: Dropped support for io.js
- Other: Add support to store credentials in credentials.json
- Other: Support node version 4 or higher
- Other: Update uberDB to version 0.3.0
- packaging changes:
- instead of calling run.sh just call node with the main file
(this is basically what run.sh does with a lot of extra noise
like calling installDeps.sh which always tries to update files)
- in the init script: use pgrep to write the pidfile
- set umask so we dont get world readable key and DB files
- service file:
- make etherpad restart in case of crashes
- schedule it after postgresql
- added etherpad-lite-1.6.0_default_config.patch
- move the DB in the default config to /var/lib/etherpad-lite
- etherpad-lite-1.6.0_move_autogenerated_key_files_to_var.patch
both key files are generated into and read from
/var/lib/etherpad-lite
- run the parts from installDeps.sh which we need in %build
- generate src/.ep_initialized in %build otherwise it wont start
as non root
- no longer symlink the config into /srv/www/etherpad-lite
we pass --settings to etherpad instead.
- merge with the spec file in the OBS
- no longer build as noarch as there are actually some binary
files in it. but it seems our check doesnt find *.node files.
- drop unzip BR
- dont fdupes. we might symlink unrelated files.
-------------------------------------------------------------------
Wed Feb 3 19:05:38 UTC 2016 - Lars.Vogdt@suse.com
- update to 1.5.7:
+ NEW: Add support for intermediate CA certificates for ssl
+ NEW: Provide a script to clean up before running etherpad
+ NEW: Use ctrl+shift+1 to do a ordered list
+ NEW: Show versions of plugins on startup
+ NEW: Add author on padCreate and padUpdate hook
+ Fix: switchToPad method
+ Fix: Dead keys
+ Fix: Preserve new lines in copy-pasted text
+ Fix: Compatibility mode on IE
+ Fix: Content Collector to get the class of the DOM-node
+ Fix: Timeslider export links
+ Fix: Double prompt on file upload
+ Fix: setText() replaces the entire pad text
+ Fix: Accessibility features on embedded pads
+ Fix: Tidy HTML before abiword conversion
+ Fix: Remove edit buttons in read-only view
+ Fix: Disable user input in read-only view
+ Fix: Pads end with a single newline, rather than two newlines
+ Fix: Toolbar and chat for mobile devices
- Give up the idea to have the needed modules as separate packages
for now. Include them in the tarball directly instead.
- provide service and init file for different distributions
-------------------------------------------------------------------
Tue Apr 21 12:40:34 UTC 2015 - lrupp@suse.com
- update to 1.5.6:
+ SECURITY: Also don't allow read files on directory traversal on minify paths
+ SECURITY: Also don't allow read files on directory traversal on frontend tests path
+ SECURITY: Don't allow read files on directory traversal
+ SECURITY Fix: Information leak for etherpad exports (CVE-2015-2298)
+ Fix: Add check for special characters in createPad API function
+ Fix: Middle click on a link in firefox don't paste text anymore
+ Fix: Made setPadRaw async to import larger etherpad files
+ Fix: rtl
+ Fix: Problem in older IEs
+ FIX: Firefox keeps attributes (bold etc) on cut/copy -> paste
+ Fix: showControls=false now works
+ Fix: Cut and Paste works...
+ Fix: Rare scroll issue
+ Fix: Handling of custom pad path
+ Fix: Better error handling of imports and exports of type "etherpad"
+ Fix: Walking caret in chrome
+ Fix: Better handling for changeset problems
+ NEW: Accessibility support for Screen readers, includes new fonts and keyboard shortcuts
+ NEW: API endpoint for Append Chat Message and Chat Backend Tests
+ NEW: Error messages displayed on load are included in Default Pad Text (can be supressed)
+ NEW: Content Collector can handle key values
+ NEW: getAttributesOnPosition Method
+ NEW: padOptions can be set in settings.json now
+ NEW: Support for node version 0.12.x
+ NEW: API endpoint saveRevision, getSavedRevisionCount and listSavedRevisions
+ NEW: setting to allow load testing
+ Other: Update to express 4.x
+ Other: Dropped support for node 0.8
+ Other: Update ejs to version 2.x
+ Other: Moved sessionKey from settings.json to a new auto-generated SESSIONKEY.txt file
-------------------------------------------------------------------
Sun Feb 8 12:59:30 UTC 2015 - lrupp@suse.de
- update to 1.5.1:
+ various bugfixes and enhancements, please refer to
/usr/share/doc/packages/etherpad-lite/CHANGELOG.md for details
- home directory for etherpad user switched to %{_var}/lib/%{name}
- do not create symlink: breaks %config(noreplace)
- added etherpad-lite-rpmlintrc to get rid of thousands of warnings
- add documentation
- move logfile to it's own subdirectory
- add logrotate snipplet
- removed etherpad-remove-installDeps.patch : fixed upstream
-------------------------------------------------------------------
Thu Nov 13 09:32:57 UTC 2014 - lrupp@suse.com
- define settings.json as config file for now (should be move to
/etc/etherpad-lite later on
-------------------------------------------------------------------
Thu Jan 9 13:38:15 UTC 2014 - nrochard@gmail.com
- Initial release 1.3.0
