Software-update: openHAB 4.2.1

OpenHAB is domoticasoftware waarmee componenten uitgelezen en aangestuurd kunnen worden. Daarbij kun je denken aan lichtschakelaars, diverse sensors, ledlampen, beveiligingsapparatuur en tal van andere domoticahardware. Het kan door middel van zogenaamde bindings onder andere praten via Z-Wave, Nest en Zigbee, of producten van IKEA Trådfri, Xiaomi Smart Home en Philips Hue aansturen. Voor meer informatie verwijzen we naar deze pagina en voor gebruikerservaringen kun je ook op ons Forum terecht, in Het Grote openHAB-topic. De ontwikkelaars hebben openHAB 4.2.1 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

Release Notes

This patch release addresses the following security advisories:

• SSRF/XSS (CometVisu) GHSA-v7gr-mqpj-wwb
• Sensitive information disclosure (CometVisu) GHSA-3g4c-hjhr-73rj
• RCE through path traversal (CometVisu) GHSA-f729-58x4-gqgf
• Path traversal (CometVisu) GHSA-pcwp-26pw-j98w

All of these are related to the CometVisu add-on for openHAB - if you are a user of CometVisu, we strongly recommend to upgrade your system to openHAB 4.2.1 in order to fix those vulnerabilities. For all other users, the upgrade is optional - please check the detailed release notes below on whether the included fixes are relevant for you:

Runtime

• 4314: Add default scope to profile when loading items file
• 4303: PersistenceExtensions: fix DateTimeException when persisting an empty TimeSeries
• 4305: Config parameter: Change inferred i18n key for add-ons + alternative key
• 4309: Fix merge of AddonInfo (masterAddonInfo field)
• 4312: Fix dynamic binding of AddonService to ConsoleCommandExtension service
• 4313: Fix Timer.isRunning() returning true immediately after rescheduling
• 4320: Add missing system profile types and UIDs
• 4323: Fix startup of background discovery
• 4326: Clean up removed links in GenericItemChannelLinkProvider

Add-ons

• 17032: Fix price handler refresh
• 17159: Fix dependency issues and bump to newer version libs
• 17185: Fix clearing Now Playing channels
• 17081: Fix creation of properties and dynamic channels at init
• 17082: Fix macAddress property when discovering a server
• 17124: Fix websocket registration
• 17203: Fix enabling/disabling of Mac OS file sharing
• 17217: Fix IAE when sending a remote key to player
• 17048: Fix invalid status response handling
• 17042: Properly escape + character in query string
• 17204: Fix Pico buttons for non-LEAP bridges
• 17054: Fix unit retrieval for group items
• 17011: Revise fix for Gen1 initialization problem for manually created Things
• 17015: Fix thing type descriptions for Plus Mini series
• 17053: Fix initialization of BLU Motion device
• 17122: Fix BLU Gateway support, IllegalNumberFormatException when favorites are empty in cover mode
• 17163: Fix thing re-init after power cycle for firmware update
• 17167: Fix BLU Discovery when Shelly Cloud Bluetooth Gateway is enabled
• 17180: Fix NullPointerExceptions

User Interfaces

• 2660: Fix description for iconify parameter
• 2671: Security fixes & cleanup for cometvisu backend
• 2696: Add more path checks and secure against XXE attacks
• 2655: Fix code editor overflow in sitemap editor
• 2656: Page editors: Encapsulate CSS to avoid polluting global CSS
• 2662: oh-context: Fix rendering failure when not in edit mode
• 2673: Overview page: Fix defineVars is not working
• 2677: Charts: Fix issues with charts not displaying on iOS >= 17.4
• 2678: Fix 404s for overview page, semantic model tabs and add-on store
• 2689: Link add: Fix create item fails for trigger channels
• 2682: Fix bracketing in context block
• 2688: Fix code generation for Thing object on Thing status block