Self-managed Server 4.1.3 Release Notes

Release 4.1.3 is a security update that includes fixes and improvements identified during a recent security analysis and penetration test.

The following are the improvements in the Self-Managed Server version 4.1.3 compared to 4.1.2:

Fixes

  • AI-3655 Fix failed password throttling in self-managed server
  • AI-3652 Fully enforce Content Security Policy (switch from the Content-Security-Policy-Report-Only header to the Content-Security-Policy header)
  • AI-3654 Limit the number of personal API tokens to 10 tokens per user

Additional configuration options

This release also includes additional, optional security measures that can be enabled through configuration:

  • AI-3653 Enable Strict Transport Security through configuration (recommended)
  • AI-3657 Allow disabling account disclosure through config.ini (not recommended)
  • AI-3658 Enable X-XSS-Protection header when enabled in config.ini (not recommended)

Upgrade notes

If you are upgrading from an earlier version of the standalone server and using HTTPS Proxy Mode, make sure your proxy server passes the X-Real-IP header so that the server can properly throttle failed login attempts by IP address.
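
Why the X-Real-IP header matters for throttling, as an added example that is not the server's own code: a minimal per-IP failed-login throttle, run once with the proxy forwarding the header and once without. The class, the threshold, the window and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5      # assumed threshold, not the product's value
WINDOW_SECONDS = 300  # assumed window, not the product's value


class LoginThrottle:
    """Hypothetical sliding-window failed-login counter keyed by client IP."""

    def __init__(self):
        self.failures = defaultdict(list)

    @staticmethod
    def client_ip(peer_addr, headers):
        # Behind a reverse proxy the TCP peer is always the proxy itself, so
        # the real client address has to come from X-Real-IP set by the proxy.
        names = {k.lower(): v for k, v in headers.items()}
        return names.get("x-real-ip", peer_addr).strip()

    def record_failure(self, ip, now):
        self.failures[ip].append(now)

    def is_blocked(self, ip, now):
        # Keep only failures inside the window, then compare to the limit.
        recent = [t for t in self.failures[ip] if now - t < WINDOW_SECONDS]
        self.failures[ip] = recent
        return len(recent) >= MAX_FAILURES


def simulate(proxy_sends_header):
    """Constructed scenario: one client fails repeatedly, another is idle."""
    throttle = LoginThrottle()
    proxy = "10.0.0.2"                               # constructed proxy address
    noisy, normal = "203.0.113.7", "198.51.100.23"   # documentation ranges

    def headers_for(ip):
        return {"X-Real-IP": ip} if proxy_sends_header else {}

    for second in range(MAX_FAILURES):
        key = throttle.client_ip(proxy, headers_for(noisy))
        throttle.record_failure(key, now=second)

    def blocked(ip):
        return throttle.is_blocked(throttle.client_ip(proxy, headers_for(ip)), now=10)

    return {"noisy_blocked": blocked(noisy), "normal_blocked": blocked(normal)}


if __name__ == "__main__":
    print("header forwarded:", simulate(True))
    print("header missing:  ", simulate(False))
```

Without the header every request is counted against the proxy's address, so failures from one client throttle every user behind the proxy. Because the key comes from a request header, the proxy should overwrite any client-supplied X-Real-IP and the server should accept connections only from the proxy.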