Panel Versions Save

Fixed

• [security] Fixes a CSRF vulnerability for both the administrative test email endpoint and node auto-deployment token generation endpoint. GHSA-wwgq-9jhf-qgw6

Changed

• Updates Minecraft eggs to include latest Java 17 yolk by default.

SHA256 Checksum

232a131448872837f29f285fa0f7be19b39062abf3a9ef617f4b985b03cc27a6  panel.tar.gz

Fixed

• Fixes broken application API endpoints due to changes introduced with session management in 1.6.4.
• (in 1.6.4) Fixes a session management bug that would cause a user who signs out of one browser to be unintentionally logged out of other browser sessions when using the client API.

SHA256 Checksum

18556850a8081e72e6b3daf8332483063ac8007922df52cefa35ce00b0095432  panel.tar.gz

Fixed

• [Security] Changes logout endpoint to be a POST request with CSRF-token validation to prevent a malicious actor from triggering a user logout.
• Fixes Wings receiving the wrong server suspension state when syncing servers.

Added

• Adds additional throttling to login and password reset endpoints.
• Adds server uptime display when viewing a server console.

SHA256 Checksum

b5026df64c100fca6e2845fc01f70f3b2767ac9965163df1efa3c10ef6c11266  panel.tar.gz

Fixed

• [Security] Fixes an authentication bypass vulerability that could allow a malicious actor to login as another user in the Panel without knowing that user's email or password.

Security Vulnerability Disclosure

Due to the severity of the vulnerability fixed in this release the technical details of the underlying bug have been embargoed until October 6th, 2021 @ 12:00 PST. At that time the following security release will become public detailing the underlying details of the vulnerability.

GHSA-5vfx-8w6m-h3v4 (High Severity) (CVSS 3.1: 8.1)

SHA256 Checksum

d6a5e0297fc8f62b2983fd90f0e2865594a3145ee8b1aef5de8c05a3e4df7a56  panel.tar.gz

Fixed

• Fixes server build modifications not being properly persisted to the database when edited.
• Correctly exposes the oom_disabled field in the build limits block for a server build so that Wings can pick it up.

SHA256 Checksum

51f9d82b216ab860955cd6e24596c2f016d9811449f92c00a32bc08dd27e96b1  panel.tar.gz

Fixed

• Fixes array merging logic for server transfers that would cause a 500 error to occur in some scenarios.
• Fixes user password updates not correctly logging the user out and returning a failure message even upon successful update.
• Fixes the count of used backups when browsing a paginated backup list for a server.
• Fixes an error being triggered when API endpoints are called with no User-Agent header and an audit log is generated for the action.
• Fixes state management on the frontend not properly resetting the loading indicator when adding subusers to a server.
• Fixes extraneous API calls being made to Wings for the server file listing when not on a file manager screen.

Added

• Adds foreign key relationship on the mount_node, mount_server and egg_mount tables.
• Adds environment variable PER_SCHEDULE_TASK_LIMIT to allow manual overrides for the number of tasks that can exist on a single schedule. This is currently defaulted to 10.
• OOM killer can now be configured at the time of server creation.

Changed

• Server updates are not dependent on a successful call to Wings occurring — if the API call fails internally the error will be logged but the server update will still be persisted.

Removed

• Removed WingsServerRepository::update() function — if you were previously using this to modify server elements on Wings please replace calls to it with ::sync() after updating Wings.

SHA256 Checksum

a077f11e86fdf94db0b78c6b4a7e1984078d2d9e437458b1aeee3f2316660180  panel.tar.gz

Fixed

• Fixes Docker image 404ing instead of being able to access the Panel.
• Fixes Java version feature being only loaded when the eula feature is specified.
• Fixes php artisan p:upgrade not forcing and seeding while running migrations.
• Fixes spinner overlays overlapping on the server console page.
• Fixes Wings being unable to update backup statuses.

SHA256 Checksum

4a32b6a08f67064bd7c49aa266144ca8baab8ee661442ba9b8030d35c992cbfb  panel.tar.gz

Fixed

• Fixes deleting a locked backup that has also been marked as failed to allow deletion rather than returning an error about being locked.
• Fixes server creation process not correctly sending start_on_completion to Wings instance.
• Fixes z-index on file mass delete modal so it is displayed on top of all elements, rather than hidden under some.
• Supports re-sending requests to the Panel API for backups that are currently marked as failed, allowing a previously failed backup to be marked as successful.
• Minor updates to multiple default eggs for improved error handling and more accurate field-level validation.

Updated

• Updates help text for CPU limiting when creating a new server to properly indicate virtual threads are included, rather than only physical threads.
• Updates all of the default eggs shipped with the Panel to reference new ghcr.io yolks repository.
• When adding 2FA to an account the key used to generate the token is now displayed to the user allowing them to manually input into their app if necessary.

Added

• Adds SSL/TLS options for MySQL and Redis in line with most recent Laravel updates.
• New users created for server MySQL instances will now have the correct permissions for creating foreign keys on tables.
• Adds new automatic popup feature to allow users to quickly update their Minecraft servers to the latest Java® eggs as necessary if unsupported versions are detected.

Removed

• Removes legacy userInteraction key from eggs which was unused.

SHA256 Checksum

f0a39543e21664c0354ee04c46ace8993e0c0cfba966d3825c29700a148ad65b  panel.tar.gz

Fixed

• Fixes logic to disallow creating a backup schedule if the server's backup limit is set to 0.
• Fixes bug preventing a database host from being updated if the linked node is set to "none".
• Fixes files and menus under the "Mass Actions Bar" being unclickable when it is visible.
• Fixes issues with the Teamspeak and Mumble eggs causing installs to fail.
• Fixes automated query to avoid pruning backups that are still running unintentionally.
• Fixes "Delete Server" confirmation modal on the admin screen to actually show up when deleting rather than immediately deleting the server.

Added

• Adds support for locking individual server backups to prevent deletion by users or automated backup processes.
• List of files to be deleted is now shown on the delete file confirmation modal.
• Adds support for using IF statements in database queries when a database user is created through the Panel.
• Adds support for using a custom mailgun API endpoint rather than only the US based endpoint.
• Adds CPU limit display next to the current CPU usage to match disk and memory usage reporting.
• Adds a "Scroll to Bottom" helper element to the server console when not scrolled to the bottom currently.
• Adds support for querying the API for servers by using the uuidShort field rather than only the uuid field.

Changed

• Updates codebase to use TypeScript 4.
• [security]: removes the external dependency for loading QRCode images. They're now generated directly on the frontend using JavaScript.

SHA256 Checksum

b13ac4ad0a01628d0dba8369b12eeeaa38d59b3abdc09daa900d3beb02e92b19  panel.tar.gz

Added

• Adds support for only running a schedule if the server is currently in an online state.
• Adds support for ignoring errors during task execution and continuing on to the next item in the sequence. For example, continuing to a server restart even if sending a command beforehand failed.
• Adds the ability to specify the group to use for file permissions when using the p:upgrade command.
• Adds the ability to manually run a schedule even if it is currently disabled.

SHA256 Checksum

1a8fb006fdfe04f06f5acdb13aafcde03b885613ce9aed9f14b62c103647bce2  panel.tar.gz