CVE-2022-41964: Release BigBlueButton 2.4.0 · bigbluebutton/bigbluebutton

BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in the anonymous poll. The attacker had to be a meeting presenter. This issue is patched in version 2.4.0. There are no workarounds.
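A simplified model of the flaw described above, added here as an illustration rather than BigBlueButton's own code; the class names, the one-poll-at-a-time publisher and the sample user ids are constructed. It contrasts an anonymity decision made once when the subscription opens with one re-evaluated for every published result, and shows why only a subscription opened before the anonymous poll leaked identities.

```python
from dataclasses import dataclass, field

@dataclass
class Poll:
    anonymous: bool

@dataclass
class Subscription:
    strip_user: bool = False            # anonymity decision frozen at subscribe time
    received: list = field(default_factory=list)

class PollPublisher:
    """check_at_publish=True is the fixed behaviour; False checks only at subscribe."""

    def __init__(self, check_at_publish: bool) -> None:
        self.check_at_publish = check_at_publish
        self.current_poll = None        # constructed model: one poll at a time
        self.subscriptions = []

    def subscribe(self) -> Subscription:
        sub = Subscription()
        # Vulnerable path: anonymity is decided once, from whatever poll is current.
        # With no poll yet that means "not anonymous", and it is never revisited.
        sub.strip_user = bool(self.current_poll and self.current_poll.anonymous)
        self.subscriptions.append(sub)
        return sub

    def start_poll(self, anonymous: bool) -> None:
        self.current_poll = Poll(anonymous)

    def respond(self, user_id: str, answer: str) -> None:
        poll = self.current_poll
        for sub in self.subscriptions:
            # Fixed path: consult the live poll flag for every published result.
            hide = poll.anonymous if self.check_at_publish else sub.strip_user
            sub.received.append({"answer": answer} if hide
                                else {"user": user_id, "answer": answer})

def presenter_sees_identities(check_at_publish: bool, subscribe_first: bool) -> bool:
    """Constructed scenario: does any delivered result for an anonymous poll
    still carry a user id? subscribe_first=True is the ordering in the advisory."""
    pub = PollPublisher(check_at_publish)
    if subscribe_first:
        sub = pub.subscribe()
    pub.start_poll(anonymous=True)
    if not subscribe_first:
        sub = pub.subscribe()
    pub.respond("user-1", "A")
    pub.respond("user-2", "B")
    return any("user" in ev for ev in sub.received)
```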


This is the official release of BigBlueButton 2.4, the culmination of ~8 months of development, 1700 commits, 2 alpha releases, 4 beta releases, and 7 release candidates.

This release contains webcam improvements (thanks to switching to mediasoup), anonymous polls, virtual backgrounds, and the Learning Dashboard, a dashboard view of attendance, participation, and learning (as measured by responses to polls) for the teacher. Link to installation command / instructions / full list of features.

We thank ZKI, the German association of Higher Education IT centers, for funding some of the development for this release, especially in the areas of scalability and usability!

We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University, who examined the BigBlueButton code base and responsibly disclosed a number of privacy and security issues that were fixed in this and previous releases.

We thank the many translators who helped ensure that BigBlueButton is localized into over 55 languages.

Thanks to the community members who provided feedback to the earlier 2.4 releases!

This release iteration includes multiple bug fixes and stability and security/privacy improvements.
We thank Luca Famà for responsibly reporting a security finding resolved in this iteration.

HTML5 client

newly introduced:

  • feat(screenshare): volume control #13688 (disabled by default)
  • feat(bbb-html5): add npm run script to lint a specific file/directory #13870
  • feat(bbb-html5): add a general forceRelay flag #13871 (disabled by default)
  • feat(webcams): add option to allow moderators to close another user’s webcams #13915 (disabled by default)
  • feat(webcams): exclude voice floor holder from camera quality limiter #13869

fixes:

  • fix: re-implement the server-side connection close when user is removed #13893 improved security
  • fix: increase current-poll security #13866 improved permissions
  • fix: camera background localization #13797
  • fix(webcams): keep base peer object in component, fix viewers randomly failing #13937
  • fix(accessibility): Fix Screen Reader Not Entering Actions Menu in FF (via Shortcut) #13905
  • fix(accessibility): Add Region Roles for Screen Reader Navigation #13906
  • fix: Joining breakout rooms creates popup windows #13913
  • fix(layout): mobile external-video refresh icon #13881
  • fix(whiteboard): cursor has to travel the last mile #13854 Thanks @hiroshisuga
  • fix(external-videos): use deviceInfo to detect mobile envs #13919
  • fix(fullaudio): remove cross wired configs #13876
  • revert: Revert auth token validation publisher changes #13927 improved stability

tests:

  • test: Adds User and customParameters test suite #13920

chores:

  • chore: Pulled the latest 2.4 HTML5 locales from Transifex #13956

bbb-etherpad (build for packages in BBB 2.5+)

  • build: Update etherpad-lite from 1.8.13 to 1.8.16 #13938 improved security (also applied in 2.4 packages)
  • build: use official ep_cursortrace #13950 improved security (also applied in 2.4 packages)

bbb-learning-dashboard

  • fix: Forces the Polls to be shown in the correct creation order in Dashboard #13907
  • refactor: Dashboard support for users grouped by extId #13852
  • fix: Reduces Dashboard cookie lifetime #13895
  • fix: Dashboard breaks with user using big name #13925

akka-apps / core

  • fix: Make create passwords optional #13928
  • fix: Improved WhiteboardModifyPermissionsCheck #13853 improved permissions
  • refactor: Added logging for passwords #13932
  • refactor: Dashboard grouped by extId #13826
  • fix: Reduces Dashboard cookie lifetime #13895
  • chore: add legacy checkAuthorization endpoint #13941

Release name

If an administrator does not want to update to the latest bionic-240 version, use bionic-240-2.4.0 as the value of the -v argument in the bbb-install.sh command.
We still recommend using -v bionic-240.

Client build: 2440
