Rocket.Chat 0.70 released


#1

Back with another exciting release!

This release brings a beta release of end-to-end encryption! This one is pretty exciting! More details about that here: https://rocket.chat/docs/user-guides/end-to-end-encryption/

It also brings Blockstack as a decentralized auth provider.

Ability to bring in files from WebDAV or save a file to your own WebDAV. Think Nextcloud :wink:

Apps are now on by default! With that comes support for apps to define their own API endpoints.

Enjoy!

Rocket.Chat 0.70.0

Engine versions

  • Node: 8.11.3
  • NPM: 5.6.0

:warning: BREAKING CHANGES

  • Update the default port of the Prometheus exporter (#11351 by @thaiphv)
  • [IMPROVE] New emails design (#12009)

:tada: New features

  • Allow multiple subcommands in MIGRATION_VERSION env variable (#11184 by @arch119)
  • Support for end to end encryption (#10094)
  • Livechat Analytics and Reports (#11238 by @pkgodara)
  • Apps: Add handlers for message updates (#11993)
  • Livechat notifications on new incoming inquiries for guest-pool (#10588)
  • Customizable default directory view (#11965 by @ohmonster)
  • Blockstack as decentralized auth provider (#12047)
  • Livechat REST endpoints (#11900)
  • REST endpoints to get moderators from groups and channels (#11909)
  • User preference for 24- or 12-hour clock (#11169 by @vynmera)
  • REST endpoint to set groups’ announcement (#11905)
  • Livechat trigger option to run only once (#12068 by @edzluhan)
  • REST endpoints to create roles and assign roles to users (#11855 by @aferreira44)
  • Informal German translations (#9984)
  • Apps: API provider (#11938)
  • Apps are enabled by default now (#12189)
  • Add Livechat Analytics permission (#12184)
  • WebDAV Integration (User file provider) (#11679 by @karakayasemi)

:rocket: Improvements

  • Cache livechat get agent trigger call (#12083)
  • BigBlueButton joinViaHtml5 and video icon on sidebar (#12107)
  • Use eslint-config package (#12044)

:bug: Bug fixes

  • Livechat agent joining on pick from guest pool (#12097)
  • Apps: Add missing reactions and actions properties to app message object (#11780)
  • Broken slack compatible webhook (#11742)
  • Changing Mentions.userMentionRegex pattern to include
    tag (#12043)
  • Double output of message actions (#11902)
  • Login error message not obvious if user not activated (#11785 by @crazy-max)
  • Adding scroll bar to read receipts modal (#11919)
  • Fixing translation on ‘yesterday’ word when calling timeAgo function (#11946)
  • Fixing spacement between tags and words on some labels (#12018)
  • video message recording, issue #11651 (#12031 by @flaviogrossi)
  • Prevent form submission in Files List search (#11999)
  • Re-add the eye-off icon (#12079 by @MIKI785)
  • Internal error when cross-origin with CORS is disabled (#11953)
  • Message reaction in GraphQL API (#11967)
  • Direct messages leaking into logs (#11863)
  • Wrong build path in install.sh (#11879)
  • Permission check on joinRoom for private room (#11857)
  • Close popover on shortcuts and writing (#11562)
  • Typo in a configuration key for SlackBridge excluded bot names (#11872 by @TobiasKappe)
  • Real Name on Direct Messages (#12154)
  • Position of popover component on mobile (#12038)
  • Duplicate email and auto-join on mentions (#12168)
  • Horizontal scroll on user info tab (#12102)
  • Markdown ampersand escape on links (#12140)
  • Saving user preferences (#12170)
  • Apps being able to see hidden settings (#12159)
  • Allow user with “bulk-register-user” permission to send invitations (#12112)
  • IRC Federation no longer working (#11906)
  • Files list missing from popover menu when owner of room (#11565)
  • Not able to set per-channel retention policies if no global policy is set for this channel type (#11927 by @vynmera)
  • app engine verbose log typo (#12126 by @williamriancho)

🔍 Minor changes

  • Release 0.69.2 (#12026 by @kaiiiiiiiii)
  • LingoHub based on develop (#11936)
  • Better organize package.json (#12115)
  • Fix using wrong variable (#12114)
  • Fix the style lint (#11991)
  • Merge master into develop & Set version to 0.70.0-develop (#11921 by @c0dzilla & @rndmh3ro & @ubarsaiyan & @vynmera)
  • Regression: fix message box autogrow (#12138)
  • Regression: Modal height (#12122)
  • Fix: Change wording on e2e to make a little more clear (#12124)
  • Improve: Moved the e2e password request to an alert instead of a popup (#12172)
  • New: Option to change E2E key (#12169)
  • Improve: Decrypt last message (#12173)
  • Fix: e2e password visible on always-on alert message. (#12139)
  • Improve: Expose apps enable setting at General > Apps (#12196)
  • Fix: Message changing order when been edited with apps enabled (#12188)
  • Improve: E2E setting description and alert (#12191)
  • Improve: Do not start E2E Encryption when accessing admin as embedded (#12192)
  • Fix: Add e2e doc to the alert (#12187)
  • Improve: Switch e2e doc to target _blank (#12195)
  • Improve: Rename E2E methods (#12175)

#2

I’ve come to see that you give an official node version as a reference version. While I find this to be good in general, currently 8.11.3 is not the latest version. If 8.11.4 had been a maintenance-only release, I’d see no problem, yet it is a security release. Quoting from the release notes:

This is a security release, fixing a number of vulnerabilities in OpenSSL and Node.js. Refer to the August 2018 Security Releases announcement for full details.

Notable Changes

  • buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  • deps: Upgrade to OpenSSL 1.0.2p, fixing:
    • Client DoS due to large DH parameter (CVE-2018-0732)
    • ECDSA key extraction via local side-channel (CVE not assigned)

So my suggestion would be to update :slight_smile: I know this causes testing efforts… but what can you do… it’s security.

EDIT: Ah! As I see just now, even 8.12.0 is out (though not listing security changes).

Cheers
Thomas


#3

So our official node version is actually based on the version the particular meteor version is tested against.

It might be possible for us to recommend 8.11.4 since it's just a security fix. In the past there have been issues (I think you encountered them actually) when using a slightly newer version of node.js.

Will take a look into it. :smile:


#4

Ah, I see. That makes sense…

Indeed I have, very much so :smiley: I myself will always default to using the latest version of node.js unless it’s explicitly known to cause issues.

So I guess adhering to Meteor suggestions is indeed the better choice for the general audience.

Cheers & thanks for getting back
Thomas