• Added plugin to talk to ChatGPT using bot commands.
• The bundled Eclipse Temurin was updated to version 17.0.6
• The services of RPM and DEB use the `SystemD` format instead of the outdated `init.d` format.
• The Docker Containers have been updated to run with a restricted user instead of the root users.

• Scheduler migration from version 16 and earlier: The automatic migration of Scheduler tasks from versions 16 and earlier is no longer supported. In order to keep all of your configured Scheduler tasks please install an intermediate version, such as v22.10, before updating to the desired version 23 or later.

• The Docker Containers have been updated to run with a restricted user instead of the `root` users.
  • The new restricted users id and group id are `1000`.
  • Host mounted volumes have to be updated to reflect the new user and group id manually.
  • Host mounted volumes mount points of the users home directory have to be updated from `/root` to `/home/<username>`. The `<username>` is determined using the `whois` command in the container
  • Additional information is available from our FAQ: https://faq.inetsoftware.de/t/upgrading-to-user-restricted-docker-container/277

• Added Markdown text interpretation in the CommonMark and i-net CoWork flavors.

• NULL values of the Show Value formula will be ignored now and not be rendered as 'NULL' string.
• Fixed various issues related to standard and custom number formatting in export format XLSX.
• Fixed `java.lang.IllegalArgumentException: Comparison method violates its general contract!` that occurred when searching in the viewer

• The query timeout set via the Designer user interface was ignored.

• The JNLP client could theoretically be sent another client's cookie at startup.

• Directly printing a report now requires the URL parameter `printNow=1`.
• Printer tray selection is supported. For Java 17, the command line parameter `–add-exports=java.desktop/sun.print=ALL-UNNAMED` is required. Command line parameter can be set in the configuration application in the advanced view.

• Triggers can be set to start after events as opposed to only before them.
• The calendar trigger automatically refreshes its events from the given calendar every 30 seconds.

• Next task execution times filter out past potential execution times.

• In the configuration you can set whether the audio and video connections are allowed to go through the public client connections or only through configured TURN servers.

• The CoWork Calls WebAPI ignored the preview mode option that prevents accidental execution of destructive operations.

- The details like name, description and icon of meeting rooms can be changed by authorized users. - Users with the “Create Meeting Rooms” permission can add additional members to a room via the member list.

• Added separate backup and restore option for Embedded Websites.

• Support for generating a Softwarae-Bill-of-Materials JSON file using the server's `./well-known/sbom` URL with an administrative user account.

• Added text area field for POST and PUT methods to allow directly sending JSON data with the request

• Scrolling of the messages improved
• The user's online status is displayed at the messages and at the suggestions for mentions. Displaying the status on the individual messages can be deactivated in the settings.
• In the menu of a message the user and the time of the message are shown.
• It is possible to reply to messages. The user of the quoted message is automatically mentioned and gets a notification about the reply.
• Messages, channels and users for direct messages can be found via the global search bar
• Management of members of teams and channels has been changed:
  • Formerly public channels (with no members specified) now have the “All Users” group as a member by default.
  • Teams and channels without members are no longer accessible to all users, now they can be accessed by no one
  • Channels can now be explicitly set to inherit members from the team. Alternatively, a custom selection can be made.
  • Groups no longer need to have CoWork permission explicitly set to be set for memberships. All groups are selectable.
• Channels support uploading of custom icons
• Videos will be played inline in the channel.
• The color markers used to highlight new messages in channels can be set as follows: mentions only, all messages or completely disabled.
• Using the “Copy Text” action in the context menu, the selected text or the entire text of a message can be copied.
• In the “Emoji” dialog of the configuration interface, custom emoji can be added via SVG.
• An extra page with details of logged-in users and created messages has been added for the diagnostic application. Other CoWork plugins can add additional information.
• Automatic playback of gif animations and videos can be customized in the settings.
• Links to web pages in messages additionally generate a preview with title, description and image if the web page contains appropriate Open Graph or Twitter metatags.

• Eventlog entries are also written in Recovery Manager.
• Configuration action in Login category added to reset authentication group members.

• *Security Update for CVE-2022-36033*
  • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https:*developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
• *Security Update for CVE-2020-13946*
  • In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
• *Security Update for CVE-2022-42003*
  • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
• *Security Update for CVE-2022-31684*
  • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
• *Security Update for CVE-2022-41946*
  • pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
• *Security Update for CVE-2021-37533*
  • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
• *Security Update for CVE-2022-23494*
  • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `image` plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the `images_upload_handler` returns a valid value as per the images_upload_handler documentation.
• *Security Update for CVE-2022-41915*
  • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.
• *Security Update for CVE-2023-22551*
  • The FTP (aka “Implementation of a simple FTP client and server”) project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.
• *Security Update for CVE-2023-24998*
  • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
• *Security Update for CVE-2022-45688*
  • A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
• *Security Update for CVE-2022-45688*
  • Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `“` (double quote), it will continue to read the cookie string until it sees a closing quote – even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=“b; JSESSIONID=1337; c=d”` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

• Support for S/MIME signature and encryption of email messages

• Simple line breaks were incorrectly displayed in the browser version of MS Teams.

• Added magnifying glass icon in the search bar to increase the visibility of the search function.
• In the company info dialog of the configuration, it is possible to set to whom the installation hint for the application as a PWA is displayed. Guests and other special user accounts never get the hint displayed.

• When installing on a drive other than C: (Windows) then the program data directory can be changed during the setup.

• The event log backup job can optionally include previously archived event entries when using a file persistence.

• Adds the {initiator} placeholder to the server stop trigger, which contains the display name of the user who restarted the server.
• Tasks executed using the `/api/taskplanner/execute` endpoint are temporarily stored for the user, allowing them to access them later. If the tasks are not accessed again via the WebAPI within 60 seconds, they will be automatically removed.

• In the task planner maintenance section, it was not possible to move tasks away from deactivated users.

• File results of a Task Planner task are optionally sent as an attachment with the CoWork message.

• Added a helpful link instead of an error message in the task planner dialog in case an external server hadn't been set yet.

• Fixed spelling mistake in “Dark Forest” theme

• Added Web API Extension for Users and Groups, that allows to search for either user or groups and display detail information about them.