Alf.io 2.0-M4-2402-3 (2024-02-26)

This is a bugfix release for regressions/bugs introduced with 2.0-M4-2402

Bugs fixed

• #1337 cannot change name of view column "tai_additional_info" to "e_version" (thanks to @daedric7 for reporting it)

Full Changelog: https://github.com/alfio-event/alf.io/compare/2.0-M4-2402-1...2.0-M4-2402-2

Alf.io 2.0-M4-2402-1 (2024-02-24)

This is a bugfix release for regressions/bugs introduced with 2.0-M4-2402

Bugs fixed

• #1334 Can't create Organizations (thanks to @titi1125 for reporting it)
• #1335 Additional Items do not handle discount properly
• #1336 Cannot update additional item policy

Full Changelog: https://github.com/alfio-event/alf.io/compare/2.0-M4-2402...2.0-M4-2402-1

Security Fixes

• CVE-2024-25635: IDOR Vulnerability: Allowing Organization Owner to view the other Organizations API KEY and USERS - reported by @rac-fckscty
• CVE-2024-25634: IDOR make user can read e-mail log sent by other events - reported by @lujiefsi
• CVE-2024-25628: User sessions are not properly terminated - reported by @lujiefsi
• CVE-2024-25627: Cross-Site Scripting (XSS) via File Upload - reported by @PinkDraconian

What's Changed

• Build published on Docker for arm64
• Fix spring-session <-> spring security integration + session removal on user deletion/disable by @syjer in https://github.com/alfio-event/alf.io/pull/1214
• Google Wallet integration by @cbellone and @yanaga in https://github.com/alfio-event/alf.io/pull/1215
• case insensitive qr code by @cbellone in https://github.com/alfio-event/alf.io/pull/1218
• Payments list by @cbellone in https://github.com/alfio-event/alf.io/pull/1240
• Configuration API by @cbellone in https://github.com/alfio-event/alf.io/pull/1249
• Purchase context level config by @cbellone in https://github.com/alfio-event/alf.io/pull/1251
• #1269 Resolved the bug to show correct {{eventName}} on compose message page by @ved-asole in https://github.com/alfio-event/alf.io/pull/1275
• Manage additional service quantity by @cbellone in https://github.com/alfio-event/alf.io/pull/1308
• unify access resource check in a service by @syjer in https://github.com/alfio-event/alf.io/pull/1310
• Date of birth field + additional fields for subscriptions by @cbellone in https://github.com/alfio-event/alf.io/pull/1312

New Contributors

• @ved-asole made their first contribution in https://github.com/alfio-event/alf.io/pull/1275
• @yanaga made their first contribution in https://github.com/alfio-event/alf.io/pull/1215

Full Changelog: https://github.com/alfio-event/alf.io/compare/2.0-M4-2304...2.0-M4-2402

Alf.io 2.0-M4-2304 (2023-04-24)

Security fixes

• CVE-2023-2258 - CSV Injection (High Severity)
• CVE-2023-2259 - Admin Self-inflicted Server-side template injection (High Severity)
• CVE-2023-2260, reset password, disable users, update organization - Multiple IDOR vulnerabilities (High Severity)

please note that all security fixes are related to the Backoffice application. Some of them impact only multi-tenant deployments. The "public" application was not impacted.

thanks to @huntr-helper contributors: @lujiefsi and @yelprofessor !

Improvements

• create Subscription reservation via API #1183 (sponsored by Eventplane)
• API to retrieve check-in log #1188 (sponsored by Eventplane)
• Refactor payment confirmation #1202 (sponsored by Eventplane)
• Resize images #1209 (sponsored by Eventplane)
• Preload Language #1192
• Custom VAT Application #1193
• Implement Reservation Export #1194
• Manage multiple sponsors scan #1205

Bug fixed

• Fix user admin check #1206

Alf.io 2.0-M4-2301 (2023-01-14)

Security fixes

• CVE-2023-0300 (low severity) - Self-inflicted XSS
• CVE-2023-0301 (low severity) - Prevent organizers to insert dangerous link within their event description

please note that both security fixes are related to the Backoffice application. The "public" application was not impacted.

thanks to @huntr-helper contributors!

Improvements

• Organization APIs at system level #1083 (sponsored by Eventplane)
• API for linking Subscriptions to an Event #1087 (sponsored by Eventplane)

Bug fixed

• Cannot search reservation by invoice number #1090
• Remove button should not be displayed for checked-in tickets #1093
• Various errors when selecting / deselecting the payment method #1100
• Error on "Confirmed" items on the Additional services page #1108
• Stripe API not working as expected #1159 (thanks to @icougil for reporting it and for helping us debugging it)

Alf.io 2.0-M4-2204 (2022-04-05)

Security fixes

This release contains a fix for CVE-2022-22965 a.k.a. "Spring Shell". Although we should not be impacted directly (we use jetty instead of tomcat as web server), we advise you to update your instance.

Improvements

• Accessibility improvements on the public reservation process

Bug fixed

• #1054 Error after trying to login to the demo instance (thanks to @PaulGoldschmidt for reporting it)

Alf.io 2.0-M4 (2022-01-31)

This is the fourth milestone on our way to Alf.io v2. See Roadmap and full Changelog

New Features

• Support Hybrid Events #949 (@cbellone)
• Introduce Subscriptions #987 - Sponsored by Eventplane (@syjer)
• Introduce Extension Capabilities #993 - Sponsored by Eventplane
• Custom Join Links for Online tickets #1017
• OpenID support for end customers #1006
• Enable reverse charge for a specific ticket type #1026
• Define a new API for creating reservations #1035 - sponsored by Eventplane
• Generate tickets automatically for subscriptions owners #1036 - sponsored by Eventplane
• Add additional info to check-in extension #1038

BREAKING CHANGES

this release includes some breaking changes in the database schema, making it incompatible with older versions of alf.io. It is strongly recommended to perform a full backup of your database before installing it, so that if anything goes wrong you can rollback to the latest 2.0-M3

Fixed Bugs

• Entering organisation or event stripe "Payment Webhook signing secret" may not override system value. #1019
• No way to view "additional options" or "donations" purchased so far. #1012
• Import existing attendees #998
• Transferring events between organisations breaks things #1046
• Cannot edit categories after changing event format #1024

Tech-related changes

• JavaScript Extension engine: Replace Nashorn with Rhino #956 - thanks to @mejrima

Alf.io 2.0-M4.RC4 (2021-12-18)

This release contains a security fix for the following CVEs:

• CVE-2021-45105
• CVE-2021-45046 (already fixed in 2.0-M4.RC3)
• CVE-2021-44228 (already fixed in 2.0-M4.RC2)

update is strongly recommended

BREAKING CHANGES

2.0-M4.RC1 introduced some breaking changes in the database schema. If you're updating from 2.0-M3, it is strongly suggested to perform a full backup of your database before installing it, so that if anything goes wrong you can rollback to the latest 2.0-M3

Alf.io 2.0-M3-2112-2 (2021-12-18)

This release contains a security fix for the following CVEs:

• CVE-2021-45105
• CVE-2021-45046 (already fixed in 2.0-M3-2112-1)
• CVE-2021-44228 (already fixed in 2.0-M3-2112)

update is strongly recommended

Alf.io 2.0-M4.RC3 (2021-12-15)

This release contains a security fix for the following CVEs:

• CVE-2021-45046
• CVE-2021-44228 (already fixed in 2.0-M4.RC2)

update is strongly recommended

This release fixes also some errors in the migration files.

BREAKING CHANGES

2.0-M4.RC1 introduced some breaking changes in the database schema. If you're updating from 2.0-M3, it is strongly suggested to perform a full backup of your database before installing it, so that if anything goes wrong you can rollback to the latest 2.0-M3