Headline
CVE-2022-41963: Release BigBlueButton 2.4.3 · bigbluebutton/bigbluebutton
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1
This 2.4 release contains multiple small improvements and some security/stability fixes.
Thanks to the community members who provided feedback to the earlier 2.4 releases!
Special mentions to community patch contributors @schrd , @hiroshisuga , @jgribonvald , @moonlies – thank you!
HTML5 client
- fix: change log level from ‘error’ to ‘warn’ #14104
- fix: append build string to font requests #14140
- fix(waiting users): text box outline #14144
- fix: Play Audio Alerts For Chats While Panel Is Open #14114
- fix: Keep the state of the presentation after sharing the screen #14097
- fix(webcam): initial webcam direction #14137
- fix: Add a different background color for contents that are being displayed under the side panel #14169
- fix(webcams): add extra error handling to pub/sub peer callbacks #14102
- fix(accessibility): Add Polite Presentation Slide Change Announcement (Screen Reader) #14184
- fix: Add check to avoid undefined previous slide #14189
- fix(userdata): consistent breakout room userdata #14143
- fix(button): add button margin #14238
- fix(virtualBG): snippet “blur” translation #14230 Thanks @hiroshisuga
- fix(virtualBG): recover shrunken thumbnails on the modal #14231 Thanks @hiroshisuga
- fix: remove extra parentheses from virtual background label #14244
- fix: remove audio/video first join info on meeting end #14251
- fix: race condition (window title in breakout rooms) #14214
- fix(presentations): Redis message queue concurrency #14201
- fix: “restoreOnUpdate=true” conflicts with “Focus on presentation” #14257
- fix: Disconnected users omitted from connection history #14219
- fix(storage): check for existing Tracker.Dependency() instance #14268
- fix: makes restoreOnUpdate work for moderators #14282
- fix: Talking indicator element not showing on mobile with content sidebar open #14292
- fix(screenshare): change toast notification text #14297
- fix: fullscreen presentation shortcut in presenter toolbar #14279
- fix: Smart layout under some circumstances not behaving as expected when sharing video or screen #14300
- refactor: Client authentication #14295 (backport of #13601) improves security
- refactor(presentation): extra hint upload limit #14158
- refactor: Switch user_action logs from debug to info #14187
- refactor(locale): adjust playback ids #14254
- test: Playwight: new chat tests, improved selectors, fixed stress test #14083
- test: Improves organization, fixes selectors and adds/improves tests #14159
- test: Adds lock viewers tests #14262
- test: Locale test improvements #14271
- chore: update npm dependencies #14192
- chore: update caniuse-lite #14193
- chore: Pulled the latest 2.4 HTML5 locales from Transifex #14276
Core
- fix: Remove grace period for whiteboard messages #13931 improved permissions
- fix(screenshare): add akka-apps|webrtc-sfu broadcast stop sys msg #14091
- feat(api): Add param to disable Virtual Backgrounds in API /create #14075
- feat(api): allowRequestsWithoutSession as a meeting create param #14112
- Fix: Removing phone users always bans them #14088
- fix: Phone users to abide by guest policy #14147
- fix(webcams): add stream ID to broadcast check, better lock setting enforcement #14269
Recording
- fix(recording): not processed screenshare fix issue #14133 (backport of #14019 ) Thanks @jgribonvald
- fix(recording): Generate thumbnails from uploaded file #9837 Thanks @hiroshisuga
- fix(recording): fix publish crash when poll has no options/answers #14170
bbb-conf
- refactor(bbb-conf): Bbb record more checks #14288
bbb-libreoffice
- chore(bbb-libreoffice): Update to Libreoffice 7.2 #14318
bbb-webrtc-sfu
- Updated to 2.6.9
Build / packaging
- Rebuilt bbb-freeswitch-core with @mariogasparoni 's patch signalwire/freeswitch#1531 Additional changes made to match e7562a3
- Applied to 2.4 packaging: fix: serve compressed Javascript and CSS #14239 Thanks @schrd
- Applied to 2.4 packaging: ensure services can’t modify their code #14110 Thanks @schrd
- Applied to 2.4 packaging: fix missing directory error for etherpad installation #14181 Thanks @moonlies
Open source packaging (used in BBB 2.5+)
- build: fix missing directory error for etherpad installation #14181 Thanks @moonlies
- fix: serve compressed Javascript and CSS #14239 Thanks @schrd
- build: bump bbb-webrtc-sfu to v2.6.9 #14283
Release name
In case an administrator does not want to update to the latest bionic-230 version. Use as substitute to the -v argument in bbb-install.sh command
bionic-240-2.4.3
We still recommend using -v bionic-240.
Client build: 2515