Franck Nijhof 2023-12-14 23:04:11 +01:00 committed by GitHub
parent ffc1164c8e
commit 0ebdd9a3fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 103 additions and 2 deletions

@ -110,8 +110,8 @@ social:
# Home Assistant release details
current_major_version: 2023
current_minor_version: 12
current_patch_version: 2
date_released: 2023-12-13
current_patch_version: 3
date_released: 2023-12-14
# Either # or the anchor link to latest release notes in the blog post.
# Must be prefixed with a # and have double quotes around it.

@ -68,6 +68,14 @@ Don't forget to [join our release party live stream on YouTube](https://www.yout
## A beautiful new login page
<div class='note'>
This feature has been disabled in Home Assistant 2023.12.3.
[Read more about it here](/blog/2023/12/14/disabling-new-login-page-functionality/).
</div>
The login page of Home Assistant has been redesigned to be more modern and
match the [recent redesign of the Home Assistant onboarding](/blog/2023/09/06/release-20239/#onboarding).
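Review bot: the callout says the feature is disabled but not why, and this same commit adds an advisory entry with an assigned CVE, so one clause here would save readers a click: `This feature has been disabled in Home Assistant 2023.12.3 following a security advisory (CVE-2023-50715).` Keep the link to the PSA post as the "read more".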
@ -492,6 +500,37 @@ The following integrations are now available via the Home Assistant UI:
[@puddly]: https://github.com/puddly
[@synesthesiam]: https://github.com/synesthesiam
## Release 2023.12.3 - December 14
- Ensure platform setup for all AVM FRITZ!SmartHome devices ([@mib1185] - [#105515])
- Update AEMET-OpenData to v0.4.7 ([@Noltari] - [#105676])
- Fix restoring UniFi clients with old unique id ([@Kane610] - [#105691])
- Bump zeroconf to 0.128.5 ([@bdraco] - [#105694])
- Add missing rest_command reload service to services.yaml ([@jpbede] - [#105714])
- Fix issue clearing renault schedules ([@epenet] - [#105719])
- Fix Fully Kiosk Browser MQTT event callbacks with non-standard event topics ([@cgarwood] - [#105735])
- Disable user profiles on login screen ([@frenck] - [#105749])
[#105135]: https://github.com/home-assistant/core/pull/105135
[#105324]: https://github.com/home-assistant/core/pull/105324
[#105515]: https://github.com/home-assistant/core/pull/105515
[#105655]: https://github.com/home-assistant/core/pull/105655
[#105676]: https://github.com/home-assistant/core/pull/105676
[#105691]: https://github.com/home-assistant/core/pull/105691
[#105694]: https://github.com/home-assistant/core/pull/105694
[#105714]: https://github.com/home-assistant/core/pull/105714
[#105719]: https://github.com/home-assistant/core/pull/105719
[#105735]: https://github.com/home-assistant/core/pull/105735
[#105749]: https://github.com/home-assistant/core/pull/105749
[@Kane610]: https://github.com/Kane610
[@Noltari]: https://github.com/Noltari
[@bdraco]: https://github.com/bdraco
[@cgarwood]: https://github.com/cgarwood
[@epenet]: https://github.com/epenet
[@frenck]: https://github.com/frenck
[@jpbede]: https://github.com/jpbede
[@mib1185]: https://github.com/mib1185
## Need help? Join the community!
Home Assistant has a great community of users who are all more than willing
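Review bot: three of the added link definitions, `[#105135]`, `[#105324]` and `[#105655]`, are not referenced by any entry of the 2023.12.3 list in this hunk; if they belong to entries of an earlier patch release outside the shown context that is fine, otherwise they are dead definitions and should be dropped. Separately, nothing in the list marks `Disable user profiles on login screen ([@frenck] - [#105749])` as the fix for the published advisory; appending `(security fix)` or a link to the advisory would let users scanning the patch notes for the CVE fix find it.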

@ -0,0 +1,25 @@
---
layout: post
title: "Disabling new login page functionality"
description: "Why we are removing the redesigned login page introduced in release 2023.12 in patch 2023.12.3."
date: 2023-12-14 00:00:00
date_formatted: "December 14, 2023"
author: Paulus Schoutsen
author_twitter: balloob
comments: true
categories: Public-Service-Announcement
---
In [release 2023.12](https://www.home-assistant.io/blog/2023/12/06/release-202312/) we added a redesigned login page to Home Assistant. It detects when you are accessing Home Assistant via your local home network, and if so, presents a redesigned login experience that shows your user profiles. If you access Home Assistant from outside your home network, the login page still asks for your username and password, like before.
We have heard the concerns from the community that this functionality can open up your Home Assistant instance to a user enumeration attack from within the local network. A malicious actor with access to your local network could get the names and pictures of all Home Assistant users. They could use this information to make attacking your Home Assistant instance easier.
A security issue was filed for this on December 10, we have accepted and published the corresponding [GitHub Security Advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83), and have disabled the redesigned login page functionality in patch 2023.12.3 released on December 14.
While researching the feedback we received, we were troubled to discover that the users who experienced problems with the new login page often used misconfigured reverse proxies. When the reverse proxy is not configured correctly, Home Assistant is no longer able to discern between traffic from your local home network or a public network. These users would see the redesigned login page when accessing Home Assistant from outside their home network.
To improve the network security of these users, we are researching how we can use Home Assistant to detect more variations of misconfigured proxies and inform them about it.
We redesigned the login page because we believed the local home network is within the privacy of your own home and a trusted environment for showing the people in it. We assumed that users attempting to log in on the local network are also trusted and allowed to see other user profiles, similar to what Microsoft, Apple, Netflix, and other companies assume in their products.
That said, we do hear you and take your feedback, and the potential security risk to users with misconfigured reverse proxies, seriously. Thank you for bringing this to our attention and being open about your concerns.
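Review bot: the reverse-proxy paragraph tells affected users their setup is misconfigured without pointing at what to fix; a link to the http integration's reverse-proxy documentation (the `use_x_forwarded_for` / `trusted_proxies` settings) would make the warning actionable. The post also names the advisory but not the CVE that the security page in this same commit assigns to it (CVE-2023-50715); adding it lets readers searching by CVE land here. Minor: "December 10" lacks a year, and "discern between traffic from your local home network or a public network" should read "and".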

@ -853,6 +853,17 @@ For a summary in a more readable format:
- Reload ZHA integration on any error, not just recoverable ones ([@puddly] - [#105659])
- Bump ZHA dependencies ([@puddly] - [#105661])
## Release 2023.12.3 - December 14
- Ensure platform setup for all AVM FRITZ!SmartHome devices ([@mib1185] - [#105515])
- Update AEMET-OpenData to v0.4.7 ([@Noltari] - [#105676])
- Fix restoring UniFi clients with old unique id ([@Kane610] - [#105691])
- Bump zeroconf to 0.128.5 ([@bdraco] - [#105694])
- Add missing rest_command reload service to services.yaml ([@jpbede] - [#105714])
- Fix issue clearing renault schedules ([@epenet] - [#105719])
- Fix Fully Kiosk Browser MQTT event callbacks with non-standard event topics ([@cgarwood] - [#105735])
- Disable user profiles on login screen ([@frenck] - [#105749])
[#101186]: https://github.com/home-assistant/core/pull/101186
[#101196]: https://github.com/home-assistant/core/pull/101196
[#101349]: https://github.com/home-assistant/core/pull/101349
@ -1893,3 +1904,22 @@ For a summary in a more readable format:
[@mkmer]: https://github.com/mkmer
[@puddly]: https://github.com/puddly
[@synesthesiam]: https://github.com/synesthesiam
[#105135]: https://github.com/home-assistant/core/pull/105135
[#105324]: https://github.com/home-assistant/core/pull/105324
[#105515]: https://github.com/home-assistant/core/pull/105515
[#105655]: https://github.com/home-assistant/core/pull/105655
[#105676]: https://github.com/home-assistant/core/pull/105676
[#105691]: https://github.com/home-assistant/core/pull/105691
[#105694]: https://github.com/home-assistant/core/pull/105694
[#105714]: https://github.com/home-assistant/core/pull/105714
[#105719]: https://github.com/home-assistant/core/pull/105719
[#105735]: https://github.com/home-assistant/core/pull/105735
[#105749]: https://github.com/home-assistant/core/pull/105749
[@Kane610]: https://github.com/Kane610
[@Noltari]: https://github.com/Noltari
[@bdraco]: https://github.com/bdraco
[@cgarwood]: https://github.com/cgarwood
[@epenet]: https://github.com/epenet
[@frenck]: https://github.com/frenck
[@jpbede]: https://github.com/jpbede
[@mib1185]: https://github.com/mib1185
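Review bot: the new definitions are appended after `[@synesthesiam]`, the last of the existing `[@user]` entries, while the earlier hunk shows the file keeping `[#pr]` definitions in numeric order (`[#101186]`, `[#101196]`, `[#101349]`, ...) ahead of the alphabetically ordered `[@user]` block. Insert the eleven `[#1051xx]` lines into the PR block and the eight `[@...]` lines into the contributor block at their sorted positions instead of appending them; markdown resolves them either way, but the next release's generator will otherwise keep stacking unsorted tails.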

@ -62,6 +62,13 @@ As an open source project, Home Assistant cannot offer bounties for security vul
The following is a list of past security advisories that have been published by the Home Assistant project.
**2023-12-14: User accounts disclosed to unauthenticated actors on the LAN**
Severity: _Moderate (CVSS: 4.2)_
Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jqpc-rc7g-vf83)_
Assigned CVE: _[CVE-2023-50715](https://nvd.nist.gov/vuln/detail/CVE-2023-50715)_
Discovered by: _[r01k](https://github.com/r01k)_
Fixed in: _Home Assistant Core 2023.12.3_
**2023-10-19: Actions expression injection in `helpers/version/action.yml`**
Severity: _Low (This is an internal project)_
Detailed information: _[Security advisory](https://github.com/home-assistant/core/security/advisories/GHSA-jff5-5j3g-vhqc)_
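Review bot: the new entry's title limits the disclosure to "the LAN", but the PSA added in this same commit explains that with a misconfigured reverse proxy the same user names and pictures are reachable from the public network; either widen the title or add a sentence noting that condition. Also, `Fixed in: _Home Assistant Core 2023.12.3_` describes a disablement of the feature rather than a code fix; "Feature disabled in" states the remediation precisely and matches the wording of the linked blog post.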