CVE-2022-41960: Release BigBlueButton 2.5-alpha-1 · bigbluebutton/bigbluebutton

BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to validateAuthToken using a victim’s userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim’s client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.


This is the first release of BigBlueButton 2.5 and includes numerous new features and updates to existing ones.
Note that it runs on Ubuntu Bionic (18.04) and the HTML5 client runs on Node 16.

BigBlueButton 2.5-dev is under active development. While we don’t recommend setting it up in a production environment, we do encourage administrators to try out the build with others and give us feedback on our bigbluebutton-dev mailing list.

Link to installation command / instructions / schedule / planned features: https://docs.bigbluebutton.org/2.5/new.html

All fixes from BigBlueButton 2.4.x are here up to and including v2.4.4.

Big THANK YOU to all community members who helped with this release, both through sending pull requests and through reporting bugs or requesting enhancements! 🎊

HTML5 client

newly introduced

  • feat: Activate waiting room permanently #13156 Thanks @PhMemmel
  • feat(audio): add bridge configurable scheme #13266
  • feat: Allow non-mod presenters to see raised hands dialog and lower raised hands #13300 Thanks @PhMemmel
  • feat(wb): Fill shape in whiteboard #10737 Thanks @hiroshisuga
  • feat(accessibility): Add Promoted / Demoted Toast Notification #14050
  • feat(polling): multiple choice poll #13253 Thanks @simonhir @mzinsmeister and @ramonlsouza !
  • feat: (Optional) Showing BBB version in About modal #14281

fixes

  • fix: Fix typo: “Unset” -> “Unsent” #13684 Thanks @hiroshisuga
  • fix: typo in raise-hand button styles #13579
  • fix: Fix wrong annotation codes #13674 Thanks @hiroshisuga
  • fix: Client crashes when trying to remove a user #13735
  • fix: Polling panel to remember “Work In Progress” polls #13754
  • fix: typing indicator names position (2.5) #13859
  • fix: Improved HD stretch of virtual background #13855 Thanks @drlight17
  • fix: Fix typo in validate authtoken method #14044
  • fix(video preview): bad alignment #14043
  • fix: mute + listen only icons in userlist #14161
  • fix: restore missing variable #14174
  • fix: close sidebar panel for non-presenters #14175
  • fix: screenshare position regression #14212

refactor

  • !removal: Dropping support for iframe postMessage API #13778
  • refactor: styled-components conversion #13603 #13608 #13623 #13648 #13645 #13680 #13577 #13591 actions bar #13566 userlist #13544
  • refactor: Styled-components CSS variables #13701 #13713
  • refactor: Add use-context-selector to layoutContext #13186
  • refactor: Implements CollectionEventsBroker for chat context - develop #13261
  • refactor: Add server side reactivity to publications #13174
  • refactor: reduce complexity and remove duplicated code from layouts #13277
  • refactor: Improve message when hand has been lowered #13301
  • refactor: Client authentication #13601
  • refactor: isPresenter rework #13745
  • refactor: connection status UX #13518
  • update(audio): do not check for chrome in iOS devices in audio modal #13562
  • refactor: Create custom cursor for current poll and user #13404
  • update: allow users in iOS join from chrome mobile version 94+ #13635
  • refactor: Random user ordering #13630
  • refactor: remove unused imports/exports #13705
  • refactor: add flexbox to avoid HTML changes #13551
  • refactor: Improve data structure to not break on reconnections #13574
  • refactor: Remove unnecessary clippath from textarea annotation on Firefox #13728 Thanks @hiroshisuga
  • refactor: remove unused imports/variables #14186
  • refactor: create ‘common’ folder for all reusable components #14367

other

  • chore(webrtc): let the server generate subscriber offers by default #13254
  • chore(bbb-html5): enable camera pin/screenshare volume control by default #14093
  • style: Center modal title #13739 Thanks @Buda9 and @ramonlsouza
  • style: Increase create breakout room users list height #14343

build (packaging scripts)

BigBlueButton 2.5 is now packaged using the open source packaging scripts located in https://github.com/bigbluebutton/bigbluebutton/tree/v2.5.x-release/build. Big THANK YOU to the community members who contributed heavily to this change: @zfgrnzfsberire @schrd @danimo @BrentBaccala @basisbit, see #12993

Additional changes to build/packaging:

  • build: switch bbb-freeswitch-core to build from master; cleanup #13509
  • build: Recovering bbb-freeswitch-core build on 2.5+ #13508
  • use placeholder files during change detection #13500 Thanks @zfgrnzfsberire
  • Instruct FreeSWITCH to announce external IP in SDP #11846 Thanks @znerol
  • build: Improve freeswitch build #13594 Thanks @BrentBaccala
  • build: Specify meteor version before building #13343
  • build: Rely on meteor version from docker image #13352
  • build: Remove node-sass rebuild (not needed for node 14) #13332
  • build: Added auto restart of bbb-html5-backend and frontend on failure #13527
  • build: Set worker_rlimit_nofile only once in nginx.conf #13248 Thanks @Nudin
  • build: html5 nodejs version + cleanup #13632
  • build (typo): occurs here and front install page #13303 Thanks @carehart
  • build: Update the Maintainer field for bigblutbutton #13742
  • build(etherpad): bump v1.8.16 #13939
  • fix(build): missing bbb-pads #14216
  • chore: [email protected] (full audio + mediasoup) #14218
  • build(bbb-pads): bump v1.0.2 #14345
  • fix(FS): Allow patch with different whitespace #14370
  • build: bump bbb-webrtc-sfu to 2.7.0-alpha.8 #14371
  • build: Node 16 for SFU, NPM 8.4.1, image tag update for BBB 2.5 #14307
  • build: Disable login for freeswitch and meteor users #14387
  • build: Set bbb-html5 client built in settings.yml #14391
  • build: Automatically set bbbServerVersion in settings.yml #14393
  • build: change StartLimitAction to none in bbb-html5 services #14392
  • fix: Force update of common-message and common-web libs #14389

General

  • docs: Replace dead links #13727 Thanks @daholzfeind
  • docs: Update SECURITY.md for 2.4 #13951

Learning Analytics Dashboard

  • feat: Added Timeline and improved UX of Dashboard #13626
  • feat: Provide Presentation info to Learning Dashboard #13708
  • feat: Dashboard support for multiple choices polls #13861
  • refactor: Merge Dashboard improvements from 2.4 to Develop #13926
  • refactor(Dashboard): add support for users grouped by extdId #13930
  • feature (Dashboard): add the UI for presentation slides #13862
  • style(dashboard): Several small visual fixes needed after conflicts #14117
  • fix(Dashboard): average activity score #14128

Core

  • feat: multiple choice poll #13253 Thanks @simonhir @mzinsmeister and @ramonlsouza !
  • feat(guest lobby): Add private guest lobby messages #14067 Thanks @SashoVihVas
  • feat(guest lobby): Add position in waiting queue for guest users #14063 Thanks @SashoVihVas
  • feat: Auto assign Breakouts (names and users) using previous rooms info or groups info #13678
  • feat(api): Created endpoint to insert file into presentation. #14264
  • feat(api): new api Create param: disabledFeatures #14293
  • refactor: Remove unused properties from chat message event #13564
  • fix: Breakouts assignments are ignored when freeJoin is true #13816
  • fix: Fix annotation order for pen drawings #12249 Thanks @hiroshisuga
  • fix(bbb-web) broken Asian filename for pre-uploaded presentation (fix on bbb-web) #14134 Thanks @hiroshisuga
  • fix: Clear cache before publish common-message and common-web #14346 #14377 #14389
  • fix: Change format of number values in getMeetingInfo #14348

bigbluebutton-config

  • refactor: Obsolete file check-localization-keys.txt #14048

recording

  • fix(recording): support recordings with no fill attribute #13918
  • fix(recording): Updated usage section of analytics script to match actual syntax #11805 Thanks @sebastianberm
  • fix(recording): not processed screenshare #14019 Thanks @jgribonvald
  • refactor(recording): Prevent unnecessary file copying in presentation recording processing #13697 Thanks @danielpetri1
  • bbb-record: refactoring, more config checks, list-workflows option #14022

bbb-libreoffice

  • fix(bbb-libreoffice): Improve permissions for etc sudoers for bbb-libreoffice #13183 Thanks @test-erik
  • fix: Use the config officeToPdfConversionTimeout in the Office conversion Docker #14368

bbb-etherpad and bbb-pads

A major refactor was done by @pedrobmarin to extract access control and related logic out of bbb-html5 into a new NodeJS application, bbb-pads: https://github.com/bigbluebutton/bbb-pads

  • refactor(etherpad): access control et al. #13916
  • feat(pads): add pads to bbb-conf #14196
  • fix(pads): add double quotes to APIKEY #14197
  • fix(config): correct path for bbb-pads.service #14200

bbb-webhooks

bbb-webhooks was extracted out of BigBlueButton’s main repository into a separate one, still under the same organization https://github.com/bigbluebutton/bbb-webhooks

  • refactor!(webhooks): remove from main repository #12535 bbb-webhooks is now located at https://github.com/bigbluebutton/bbb-webhooks

Release name

If an administrator does not want to update to the latest bionic-250 version, the following can be used in place of the -v argument to the bbb-install.sh command:
bionic-250-2.5-alpha-1
We still recommend using -v bionic-250.

Client build: 40
