increase to 13.0.3

Signed-off-by: Simon L. <szaimen@e.mail.de>
aio-interface: change session cookie SameSite from Strict to Lax to fix cross-site getlogin flow (#8064 )
2026-05-21 10:50:10 +00:00 · 2026-05-07 16:22:14 +02:00 · 2026-05-07 16:10:18 +02:00 · 2026-05-07 07:53:51 +00:00 · 2026-05-06 13:03:28 +02:00 · 2026-05-06 13:00:57 +02:00
10 changed files with 11 additions and 12 deletions
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@@ -2,7 +2,7 @@
 FROM caddy:2.11.2-alpine AS caddy

 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.66-alpine3.23
+FROM httpd:2.4.67-alpine3.23

 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy

--- a/Containers/docker-socket-proxy/Dockerfile
+++ b/Containers/docker-socket-proxy/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.7-alpine
+FROM haproxy:3.3.8-alpine

 # hadolint ignore=DL3002
 USER root
--- a/Containers/fulltextsearch/Dockerfile
+++ b/Containers/fulltextsearch/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.3.3
+FROM elasticsearch:9.4.0

 USER root

--- a/Containers/mastercontainer/headers.Caddyfile
+++ b/Containers/mastercontainer/headers.Caddyfile
@@ -18,9 +18,9 @@ header {
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy

    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -338,7 +338,7 @@ else
 fi

 # Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! grep -q "^debug$\|^info$\|^warn$\|^error$"; then
+if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
 It is set to '$AIO_LOG_LEVEL'".
    exit 1
--- a/Containers/redis/Dockerfile
+++ b/Containers/redis/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.2-alpine
+FROM redis:8.6.3-alpine

 COPY --chmod=775 start.sh /start.sh

--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.8-scratch AS nats
+FROM nats:2.14.0-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
--- a/php/containers.json
+++ b/php/containers.json
@@ -892,7 +892,6 @@
      "environment": [
        "HP_SHARED_KEY=%HP_SHARED_KEY%",
        "NC_INSTANCE_URL=https://%NC_DOMAIN%",
-        "HP_LOG_LEVEL=%COLLABORA_LOG_LEVEL%",
        "HP_FRP_DISABLE_TLS=true",
        "TZ=%TIMEZONE%"
      ],
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -68,7 +68,7 @@ session_start([
    "use_strict_mode" => true, // Only allow initialized session IDs. See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
    "cookie_secure" => true, // Only send cookies over https (not http). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure
    "cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
-    "cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
+    "cookie_samesite" => "Lax", // Send the cookie with same-site requests and top-level cross-site navigations (e.g. redirect after token-based getlogin). "Strict" would block the session cookie on the redirect that follows a cross-site navigation, breaking the getlogin flow from Nextcloud's admin panel. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
 ]);

 if ($wasAuthenticated) {
--- a/php/templates/includes/aio-version.twig
+++ b/php/templates/includes/aio-version.twig
@@ -1 +1 @@
-13.0.0
+13.0.3
Author	SHA1	Message	Date
Simon L.	15ae285d9f	increase to 13.0.3 Signed-off-by: Simon L. <szaimen@e.mail.de>	2026-05-07 16:22:14 +02:00
Simon L.	1fa4f3b6a3	aio-interface: change session cookie SameSite from Strict to Lax to fix cross-site getlogin flow (#8064 )	2026-05-07 16:10:18 +02:00
copilot-swe-agent[bot]	654c39ff1e	fix: change session cookie SameSite from Strict to Lax to fix cross-site getlogin flow Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/acf6148d-63c7-4ee2-a856-6de7de68118d Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-05-07 07:53:51 +00:00
Simon L.	91d59af4dc	increase to 13.0.2 Signed-off-by: Simon L. <szaimen@e.mail.de>	2026-05-06 13:03:28 +02:00
Simon L.	5091f27e87	build(deps): bump redis from 8.6.2-alpine to 8.6.3-alpine in /Containers/redis (#8061 )	2026-05-06 13:00:57 +02:00
Simon L.	c74d08902e	build(deps): bump elasticsearch from 9.3.3 to 9.4.0 in /Containers/fulltextsearch (#8060 )	2026-05-06 13:00:45 +02:00
Simon L.	216c73d3aa	build(deps): bump httpd from 2.4.66-alpine3.23 to 2.4.67-alpine3.23 in /Containers/apache (#8059 )	2026-05-06 13:00:34 +02:00
Simon L.	6c1c33e069	build(deps): bump haproxy from 3.3.7-alpine to 3.3.8-alpine in /Containers/docker-socket-proxy (#8047 )	2026-05-06 13:00:22 +02:00
Simon L.	f0949a8746	build(deps): bump nats from 2.12.8-scratch to 2.14.0-scratch in /Containers/talk (#8037 )	2026-05-06 13:00:08 +02:00
dependabot[bot]	79eccd576d	build(deps): bump redis in /Containers/redis Bumps redis from 8.6.2-alpine to 8.6.3-alpine. --- updated-dependencies: - dependency-name: redis dependency-version: 8.6.3-alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 04:20:08 +00:00
dependabot[bot]	323a34a437	build(deps): bump elasticsearch in /Containers/fulltextsearch Bumps elasticsearch from 9.3.3 to 9.4.0. --- updated-dependencies: - dependency-name: elasticsearch dependency-version: 9.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 04:19:29 +00:00
dependabot[bot]	f2076fa56b	build(deps): bump httpd in /Containers/apache Bumps httpd from 2.4.66-alpine3.23 to 2.4.67-alpine3.23. --- updated-dependencies: - dependency-name: httpd dependency-version: 2.4.67-alpine3.23 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 04:19:18 +00:00
Simon L.	99ea91c5ef	increase to v13.0.1 Signed-off-by: Simon L. <szaimen@e.mail.de>	2026-05-04 10:49:10 +02:00
Simon L.	7b2de0683e	fix harp container not starting anymore (#8048 )	2026-05-04 10:48:29 +02:00
Simon L.	f7b677fb51	fix harp container not starting anymore Signed-off-by: Simon L. <szaimen@e.mail.de>	2026-05-04 10:39:21 +02:00
Simon L.	ee8a5a185c	mastercontainer: fix checking for AIO_LOG_LEVEL (#8035 )	2026-05-04 10:36:45 +02:00
Simon L.	2b0cb13f35	aio-interface: fix Cross-Origin-* headers not being sent (#8046 )	2026-05-04 10:36:22 +02:00
dependabot[bot]	1e064fed8a	build(deps): bump haproxy in /Containers/docker-socket-proxy Bumps haproxy from 3.3.7-alpine to 3.3.8-alpine. --- updated-dependencies: - dependency-name: haproxy dependency-version: 3.3.8-alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-04 04:20:18 +00:00
Zoey	a1eaea85ed	fix Cross-Origin-* headers not being sent Signed-off-by: Zoey <zoey@z0ey.de>	2026-05-03 22:34:27 +02:00
dependabot[bot]	bc2105d668	build(deps): bump nats in /Containers/talk Bumps nats from 2.12.8-scratch to 2.14.0-scratch. --- updated-dependencies: - dependency-name: nats dependency-version: 2.14.0-scratch dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-01 04:27:45 +00:00
Simon L.	c545bffc53	mastercontainer: fix checking for AIO_LOG_LEVEL Signed-off-by: Simon L. <szaimen@e.mail.de>	2026-04-30 16:07:48 +02:00
@@ -1 +1 @@
 .0.0
 .0.3