PaperCut NG 21.2 release history

Security:

• Various security fixes. See PaperCut NG/MF Security Bulletin (March 2024) for more information. [CDSS-3505], [CDSS-3325], [PO-2080], [PIE-708], [PO-2030]
• This release also includes several pre-emptive security improvements and additions to layers of defense. These improvements were made as a result of code audits, pen tests and security reviews. Changes were made in line with our security uplift initiative.

Fixes:

• Addressed file traversal issues. [CDSS-2495], [PO-1447]
• Hardened internal API Authentication. [PO-1474]
• Updated third party libraries to recommended patch levels. [PO-1441]

Fixes:

• Addressed a Path Traversal vulnerability in the Application Server and Site Server. Under specific conditions, this could potentially allow an attacker read-only access to the server’s file system.  CVE-2023-31046 . [PO-1277]
• Addressed a Cross-Site Request Forgery (CSRF) vulnerability in the Application Server, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.  CVE-2023-2533 . [PO-1366]

Fixes:

• Security improvements to address an issue identified as ZDI-CAN-18987 in the NG/MF Application Server and Site Server. [PO-1216]
• Security improvements to address an issue identified as ZDI-CAN-19226 in the NG/MF Application Server. [PO-1219]

Fixes:

• Fixed an issue that could cause an upgrade to fail when using version 21.2.9 with an MS SQL Server database. [PC-18810]

Other Notes:

• Note that this release includes the 3 security improvements listed in the previous release 21.2.9.

Fixes:

• Security improvements to address an issue in the Application Server. More information . [PC-18750]
• Security improvements to address potential Spring4Shell vulnerabilities in the Application Server. More information . [PC-18756]
• Security improvements to the Rhino.js scripting engine used with the Application Server. More information . [PO-816]

Other Notes:

• Note that this release has been removed from the website and from release archives, with a fix released in 21.2.10.

Fixes:

• Removed log4j 1.x dependencies from the PaperCut application install. Log4j 2.17.1 is now used exclusively. Note that customers upgrading from previous versions will also need to manually remove the /client/mac/legacy/PCClient.app application to avoid vulnerability scanners flagging this deprecated legacy client. [PO-725]

Fixes:

• Restored latest (2.17.1) versions of log4j2 libs accidentally reverted in previous release. [PO-785]
• Fixed an issue on Email To Print and Mobility Print where the printed page of the pdf file could be clipped. [PC-18698]

Enhancements:

• Added the tbl_printer_usage_log, table tbl_print_hardware_check, and tbl_refund_request tables to the list of tables that can be purged with db-tools. [PO-73]

Fixes:

• Fixed an issue that caused account balance adjustment to be off by a very small amount because of rounding issues. [PO-706]

• Fixed an issue that prevented device type filtering on the Devices page from working. [PO-655]

• Added a new config key (user.card.pin.hash-encode) to control whether user PINs will be hashed encoded and therefore unrecoverable. Default is ‘Y’. Set to ‘N’ if you are using the PaperCut Toshiba V2 and use PINs for login, to prevent user PINs from being hash encoded. [PO-540]

• Fixed an issue that could cause PDFs printed via Mobility print to fail to print “i” characters that were adjacent to “f” characters. [PO-236]

• Fixed an issue on macOS and Linux that could cause the number of copies made to be incorrect (number would be the square of the correct number). [PO-710]

• Fixed an issue with the Network Payment API that could cause top-up amounts to be calculated incorrectly in some edge cases. [PO-439]

• Fixed an issue that could cause print script pop up windows to be incorrectly sized in relation to the text. [PO-735]

• Fixes a bug that caused the User Client to present a Low Balance Notification on launch when Low Balance Notifications for the User Client were disabled. [PO-594]

• Fixed an issue that caused the user associated with anonymous/guest login with email to print to always be set to unrestricted when settings are saved. [PO-724]

• Fixed an issue that could cause long-run copy jobs that were interrupted (e.g. to refill paper tray) to be ended prematurely by the copier. [PO-731]

• Payment Gateway

  • Fixed an issue that caused PaperCut to incorrectly notify the user that the PayPal transaction was canceled, after returning to the PaperCut interface from the PayPal payment gateway. [PO-604]

• Release Station (Windows):

  • Fixed a configuration issue that prevented the release station from running on Windows network share paths (e.g. \\server\PCRelease). [PO-611]

• Print Provider:

  • Fixed an issue that could cause Canon UFR data to be interpreted incorrectly, leading to the number of pages to be calculated incorrectly. [PC-18465]
  • FX Versant 180 Press GX230 PostScript printer driver: Fixed an issue that caused grayscale output to be incorrectly detected as color. [PO-618]
  • Brother PCL5 printer driver: Fixed an issue that caused the page size to be treated as A4 when printing on some other paper sizes (e.g. A5). [PO-662]

Other Notes:

• Updated Handlebars.js library to version 4.7.7. [PO-603]
• Upgraded internal Jetty server to version 9.4.44. [PO-228]
• Updated licensing information summary to say “Licensed devices & connectors” [PO-621]

Fixes:

• Fixed an issue that caused the Web Cashier username search field dropdown to not function correctly. [PO-513]
• Upgraded all log4j2 libs to v2.17.1 to remove any possible vulnerability to CVE-2021-44832.

Fixes:

• Upgraded all log4j2 libs to v2.17 to remove vulnerability to CVE-2021-45105.

Fixes:

• Upgraded all log4j libs to v2.16 to remove vulnerability to CVE-2021-44228 (Log4Shell) and CVE-2021–45046.

Enhancements:

• Batch User Import:
  • Optimized to improve import times. [PO-573]
• Web Print:
  • Added the ability to detect password-protected Word documents and fail with a meaningful error message instead of waiting indefinitely. [PC-5325]
• Added password authentication support to the Standard Azure AD sync source. [PO-553]
• Improved Azure AD graph sync to now sync the users’ department. [PO-404]
• Changed the Health Check endpoint example to be a less expensive endpoint. [PO-276]
• Improved usability by removing the Azure ID configuration from the setup wizard to the Options > User Group Sync page. [PO-587]
• Added advanced config keys for the following, for which more information is available on request:
  • Hide the “Jobs” (Web Client) link in Mobile Print Release. [PC-18630]
  • Hide Mobile Print Release username and password authentication. [PC-18624]
  • Enable a custom program for resolving user card number lookups. [PC-17219]

Fixes:

• Batch User Import:
  • Fixed a bug that updated all database user records even when there was no data to update. [PO-567]
• Print Provider:
  • Fixed an issue that prevented PaperCut from detecting when Konica Minolta and Kyocera devices were out of paper. [PO-460]
  • Fixed an issue that caused the Print Provider to crash when certain PCL5 data was printed. [PO-561]
• Fixed an issue that prevented users from logging on if their Network Payment Gateway balance was a whole number (for example, $10) instead of a number that included a decimal point (for example, $10.00). [PO-377]
• Fixed an issue that caused SNI host checking to still be active if both SNI host checking and HSTS were disabled. [PO-511]