This first bugfix & security release for 1.10.x fixes one security vulnerability, several bugs and also adds the one or other improvement:

🔒 Security fixes

  • Severity High (7.1): It was possible for an unauthenticated attacker to completely bypass the authentication if the autologinLocal option was enabled within the Access Control configuration, even if they came from networks that were not configured as localNetworks, by spoofing their IP via the X-Forwarded-For header.

    Please note that this does not affect you unless you’ve enabled the autologinLocal feature (it ships as disabled by default and requires adjusting the config.yaml file to enable, or the installation of a third party plugin that does this for you). It likely also doesn’t affect you if you have enabled said feature but have OctoPrint only accessible on a trusted network.

    If you have autologinLocal enabled and your OctoPrint instance is reachable from a hostile network like the internet, e.g. through a port forward, this does affect you and you need to update ASAP. Until you are able to update, it is strongly recommended to disable the autologin feature and/or make your instance inaccessible from potentially hostile networks.

    See also the GitHub Security Advisory and CVE-2024-32977.

✨ Improvements

Core

  • #4975: Reserved temperature identifiers not confirmed as supported but still sent by the printer’s firmware will now only cause a warning log entry in octoprint.log on their first occurrence during a connection, not every time a temperature report is received. This is to combat log spam in case of firmware bugs and misconfiguration.
  • #5003: Make the ticks on the temperature graph’s timeline automatically scale with the cutoff to keep the graph readable even with several hours of history.
  • Revert back to the netifaces dependency. While netifaces2 as used in 1.10.0 works well, it is sadly causing some build issues in the field. In the interest of giving as many people as possible access to any bug and especially security fixes, we are thus reverting to the (unmaintained) netifaces for now and keeping an eye on the wheel availability and compatibility of netifaces2 for a future rollout.

Achievements Plugin

  • #5007: Clarify the requirement to properly configure the timezone and allow to reset all or only the time based achievements.
  • Clarify that the Achievements Plugin is a plugin that can be disabled, if one doesn’t want to have achievements.

🐛 Bug fixes

Core

  • #4952: Uploading multiple files through the web interface will now also work if printer side SD support has been disabled (see also PR#4953).
  • #4993: Fix resource consumption and server performance issues caused by a busy loop in the GCODE analysis.
  • PR#4996: Fix screenreader role on tabs to enable keyboard navigation
  • #5004: Fix drag’n’drop file uploading in Safari.
  • #5005: Fix netmask & external address detection.

Achievements Plugin

  • Fix the quote of the “One small step for (a) man” achievement to match NASA’s official transcript.
  • Use configured timezone for internal stats as well.

Application Keys Plugin

  • #5001: Fix regular user’s (non-admins) not being able to revoke application keys.

You can also take a look at the changelog on GitHub.

Like every single release (and release candidate) of OctoPrint ever since early 2016 this release was made possible only through continued financial support by people like you! 💕

Click here if you enjoy OctoPrint and want to help with its funding!

Issues while updating?

On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check this collection of the most common issues encountered over the past couple of release cycles first, and test if the included fixes solve your problem.

Also make sure to check any of the heads-ups or plugin incompatibilities listed below.

Heads-ups

The heads-ups from 1.10.0 still apply, please read them carefully, they might impact you and how you use OctoPrint! Also see the Further Information and Links below for more information, where to find help and how to roll back.

For this bugfix release there are additional heads-ups:

🔒 If you use autologin and have additional reverse proxies in front of OctoPrint, make sure they are configured correctly

If you have autologin enabled (which means OctoPrint will log you in automatically if you are accessing it from a local address), it is of utmost importance to properly configure any reverse proxies in front of OctoPrint so that the client IP can be determined correctly.

If you are accessing OctoPrint through haproxy as shipped on OctoPi, or behind a reverse proxy configured following one of the reverse proxy example configurations, there should be no issue. However, if you yourself have added any additional reverse proxies in front of OctoPrint, make sure those are configured correctly.

Please read more about this in the FAQ.

Thanks

Thanks to everyone who contributed to this bugfix release and provided full, analyzable bug reports, suggestions, feedback and - of course - funding!

A special Thank You! to these 2 fine people for their PRs!

Also another Thank you! to Jacopo Tediosi for the responsible disclosure of vulnerabilities fixed in this release.

Further Information

If connected to the internet, OctoPrint will allow you to apply this update automatically via an update notification. It may take up to 24h for this notification to pop up, so don't be alarmed if it doesn't show up immediately after reading this. You can force the update however via Settings > Software Update > Advanced options > Force check for update.

If your update fails chances are high you are running into one of the common update issues listed with fixes here, so please go through that FAQ entry first.

If you have any problems with your OctoPrint installation, please seek support on the community forum.

Discuss!