Headline
CVE-2022-29235: Release BigBlueButton 2.4-rc-6 · bigbluebutton/bigbluebutton
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.
This is likely the last release candidate for BigBlueButton 2.4. It includes several functional fixes and a few privacy/security improvements (see below). If only minor items are reported in the coming days we plan on releasing 2.4.0 next. We’d like to encourage community memebers to try out this release and provide their feedback on BigBlueButton-dev forum both positive or negative.
Link to installation command / instructions/ schedule / planned features : https://docs.bigbluebutton.org/2.4/new.html
Thanks to the community members who provided feedback to the earlier 2.4 releases!
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed a number of privacy and security issues that were fixed in this release.
HTML5 client:
newly introduced:
- feat(webcam): add a way to re-open video preview without multiple cameras #13818
- feat: Allow BBB to run behind a proxy the avoid gUM permission queries per node #13731
- feat: add forceRelayOnFirefox option (false by default) #13789
fixes:
- fix: 2.4 RC3 - bug - presentation causes the client to crash #13781
- fix: waiting room ui regression #13776
- fix: Space bar does not switch to move tool #13798
- fix: Banner in meeting conflicts with layout calculation #13808
- fix: random-user modal blocks other modals #13800
- fix: unexpected blurred effect #13822
- fix: Safari fullscreen issues (2.4) #13834
- fix: Cannot interrupt audio Connecting process #13821
- fix: typing indicator names position (2.4) #13858
- fix: Users disappearing from the polling results when they vote #13864
- fix: Fix presentation download url #13868 Thanks @schrd
- fix: Keep original order of poll answers in whiteboard annotation (2.4) #13874
- fix: prevent poll response leak #13763 improved security
- fix: external video info leak #13788 improved security
- fix: prevent users from being able to send more than one typed poll answer #13757 improved permissions
- refactor: Remove unused user data on leave #13773 improved privacy
- refactor: Removes parameters usage in the group-chat-messages and authtoken-validation publishers #13802 improved security
- refactor: Update Guest Lobby Title String #13777
- refactor: Increase sidebar-content max width value #13785
- refactor: reduce sidebar min-width - 2.4 #13787
- refactor(random user picker): minimise sequential user pick #13831 Thanks @hiroshisuga
test:
- test: Updates playwright tests #13806
- fix (test): non-iterating loop in Playwright #13860 Thanks @hiroshisuga
bbb-web
- fix(core): look for session/jsession cookie in checkAuthorization endpoint #13814 improved security
- feat: Add new /join param excludeFromDashboard #13764
- chore: add user infos in custom HTTP headers to checkAuthorization’s OK, forward them to SFU #13827 improved security
akka-apps
- fix: Fixes the validation of banned users #13766 improved permissions
- fix: Fix Emoji Permissions in akka-apps #13817 improved permissions
- fix(webcams): viewer accounting, improved perm. checks in akka-apps, […] #13790 improved permissions
- feat: Add new /join param excludeFromDashboard #13764
- refactor: New Constraint Added to Join Requests #13837
- refactor: Remove a duplicated MeteorActor condition #13829 thanks @hiroshisuga
- refactor: Improved annotation permissions #13803 improved permissions
- refactor(random user picker): minimise sequential user pick #13831 Thanks @hiroshisuga
- refactor: Decrease time allowed for reconnection #13878
build / configuration
- disable JS execution in mongodb #13810 #13819 improved security
- chore: add user infos in custom HTTP headers to checkAuthorization’s OK, forward them to SFU #13827 improved security
- feat: Allow BBB to run behind a proxy the avoid gUM permission queries per node #13731 Thanks @schrd
- build: bump bbb-webrtc-sfu to v2.6.4 #13877
bbb-webrtc-sfu
- updated to v2.6.4
bbb-learning-dashboard
- refactor: Remove button to Copy Dashboard Link #13765
- refactor(learning dashboard): Hides anonymous poll row #13804
- feat: Add new /join param excludeFromDashboard #13764
- chore: update Dashboard’s package-lock.json #13848
bbb-libreoffice
- refactor: Libreoffice - Force correct permissions for sudoers file #13825 Thanks @test-erik
Recording
- chore(recording): Update Nokogiri + Optimist #13762
Release name
In case an administrator does not want to update to the latest bionic-240 version, use as substitute to the -v argument in bbb-install.sh command
----- <-- this release candidate shipped with an issue causing client crashes after user eject. Please use 2.4-rc-7 (the next release) where this was patched
We still recommend using -v bionic-240.
Client build: 2421