Picard 2.5.5 is a bugfix release addressing two issues found in Picard 2.5.4.
The latest release is available for download on the Picard download page.
We had many reports of Windows users not being able to launch the just released Picard 2.5.3. This is a hotfix release to address this issue. There are no changes for other platforms.
The updated version is available from the Picard download page.
Thanks a lot to everyone reporting on this issue and helping to get this resolved quickly and sorry for the trouble.
The Picard team is happy to announce the release of Picard 2.5.3. This release fixes a performance regression introduced in Picard 2.5.2 and brings many more bug fixes and improvements to existing functionality.
The latest release is available for download on the Picard download page.
The complete list of changes of this and previous releases is available in the changelog. You can also discuss new features or usage on our forums.
This release contains code contributions by Sophist, mineo, BSDKaffee, zas, and outsidecontext. Many thanks also to all translators and everybody who suggested features and reported bugs in our community forums or on the issue tracker.
We’re saddened to write that we’ve let some of our users down by accidentally leaking their email addresses and birth dates via a bug in the web pages of musicbrainz.org. This caused some users to receive unwanted spam emails.
However, we would like to emphasize that no passwords, passwords hashes or any other bits of private user information other than email addresses and birth dates were leaked.
If you have never added or edited an annotation on MusicBrainz, then your email address and birth date were never leaked and you can ignore this — your data has not leaked.
What happened
About two weeks ago a MusicBrainz editor contacted us to say that their email address that was in use only at MusicBrainz had received spam. The user changed the email address to a very distinct email address in order to rule out a spammer guessing the updated email address. But it happened again, and the user received email to the unguessable email address.
At this point we began an audit of the MusicBrainz server codebase in an attempt to find out where the leak was, patch it as soon as possible, and discover who was affected by it.
What we found
On 2019-04-26 we released a new version of the MusicBrainz server and in this version we added email addresses to the list of editor data we pass to our server to build MusicBrainz pages. The goal of this was to display them in admin-facing pages to, ironically, be able to fight spammers who were using MusicBrainz as a spamming tool. We also added the editor’s birth date, to be able to congratulate them on their birthday. Neither of these cases should have ever been a problem, since the private data should only be used on pages built and sent from our own server (where the data cannot be seen by anyone else), and any editor info sent to the users’ browser goes through a “sanitizing” process eliminating all this private information.
After some digging, we discovered that due to a bug we had overlooked in the code that stripped this data, the addresses and dates had started being sent to the browser whenever an entity page with an annotation was requested. The email address and birth date of the last person to have edited an annotation in MusicBrainz (any annotations, attached to any of our entities) was leaked on the page for the entities in question. This data was contained in a massive block of JSON data in the page source and was never shown on the web page for humans to see, which is why this issue went undetected for so long.
Who was affected
We looked at all editors who wrote any annotations that were displayed between the date the problematic code was released and the date the bug was fixed. This can mean either the annotation was written during this time period, or it was written before that but (being the latest version of the annotation for the entity) it was still displayed during this time period. This gave us a total of 17,644 editors whose data was at some point visible from the JSON block in at least one entity’s source code. We sadly do not have a way to know for sure how many of the affected were actually ever found and stored by spammers, since we attempt to block botnets as much as possible. As such, we simply have no way of knowing who was really affected by this leak — only who might have been.
What we’ve done
Once we detected the issue on November 22, we immediately put out a hotfix to all production (and beta) servers plugging the leak. The hotfix acted to sanitize the editor data by removing email addresses and birth dates from the JSON. We also deployed two additional changes that should help prevent similar issues from occurring, by avoiding sending sensitive editor data to our template renderer altogether. See all changes from the git tag v-2020-11-22-hotfix.
We are planning to improve our testing infrastructure to detect exposure of editor data — this will become a routine part of our continuous integration process. We are also going to ensure that any pull request dealing with editor data goes through a strict testing checklist.
How did spammers get these email addresses?
You might be wondering how such an obscure leak in a web page can end up in spammers finding and using your email — you’re not alone.
Our sites are under near constant traffic from seemingly random internet bots fetching thousands of our pages in a day, with no apparent goal. All of our metadata is available for download, so why would someone download pages from us at random?
Well, we now know — web pages can contain a whole host of random data that shouldn’t be there. Email addresses, birth dates and such are just the starting point — there have been websites that have leaked credit card numbers and even login passwords, possibly compromising the integrity of user accounts.
In this case it appears that a botnet kept downloading pages from musicbrainz.org and driving the load on our servers up. We’ve been trying to block botnets ever since they’ve come into existence, but this is a laborious task that is never complete.
It appears that spammers used the botnet to scour the internet for private data such as emails to then send out lovely spam emails to all compromised users.
Summary
We would like to wholeheartedly apologize for this data leak. We take data privacy seriously and we aim to have high standards about privacy and data security. We find ourselves frustrated by the endless data leaks that happen on the Internet on a seemingly continuous basis and work hard to avoid committing these mistakes in our domain. However, we’re also human and we do make mistakes periodically. As explained above, we’re working to improve our systems and processes in order to prevent this from happening again.
We hope that you accept our most sincere apologies for this leak.
Robert Kaye, Michael Wiencek, Nicolás Tamargo and Yvan Rivierre
Picard 2.5.2 is a maintenance release, fixing some bugs and providing minor improvements to the recent 2.5.1 release. Thanks a lot to everyone who gave feedback and reported issues.
The latest release is available for download on the Picard download page.
The complete list of changes of this and previous releases is available in the changelog. You can also discuss new features or usage on our forums.
Right after Halloween, this new release of MusicBrainz Server tricks some bugs and treats some improvements, plus some work on the usually terrifying React conversion and updates to handle external links.
A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.
Thanks to chaban, darwinx0r, kellnerd, hibiscuskazaneko, jesus2099, lotheric, snartal, and tularion for having reported bugs and suggested improvements. Thanks to grafi_tt, mfmeulenbelt, salorock, and shepard for updating the translations. And thanks to all others who tested the beta version!
The git tag is v-2020-11-02.
Picard 2.5.1 is a maintenance release, fixing some bugs and providing minor improvements to the recent 2.5 release. Thanks a lot to everyone who gave feedback and reported issues.
The latest release is available for download on the Picard download page.
The complete list of changes of this and previous releases is available in the changelog. You can also discuss new features or usage on our forums.
Picard 2.5 is now available.
Thanks a lot to everybody who contributed to this release with code, translations, bug reports and general feedback.
This release contains few fixes and improvements over previous beta version. A complete list of changes since the beta release is available below.
New packages can be downloaded from Picard website Downloads section.
As usual, please report any issue through our bug tracker.
The whole Picard team would like to thank everyone involved in this project, whether they are developpers, users, translators, documentation contributors.
Since some time the whole Picard documentation is better than ever, thanks, mainly, to the fantastic job rdswift did. With the help of the community we should be able to provide translations for this documentation in upcoming future (tests were done recently). If you want to help, read Contributing page.
You can also discuss new features or usage on our forums.
Today’s MusicBrainz Server brings a new data report, a continued conversion to React, some bugfixes and small improvements, but also tests refactoring.
Meanwhile, the search server has been updated twice in a row to fix bugs in JSON output mostly with MB Solr 3.2 (release notes) and MB Solr 3.3 (release notes), including the MusicBrainz API breaking change announced last month.
A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.
Thanks to amCap1712 for fixing bugs in MB Solr, and to loujine for contributing code with yet a new data report. Thanks to Avamander, bonchiver_, chaban, draconx, eloise_freya, GTF1982, hawke, hibiscuskazeneko, jesus2099, jrv, kellnerd, Kid Devine, Psychoadept, selflessself, and wcw1966 for having reported bugs and suggested improvements. Thanks to kellnerd, mfmeulenbelt, and salorock for updating the translations. And thanks to all others who tested the beta version!
The git tag is v-2020-10-19.
Picard 2.5 Beta 1 is now available. This is a pre-release to gather final feedback on the changes before the final 2.5 release.
Thanks a lot to everybody who contributed to this release with code, translations, bug reports and general feedback.
This release fixes some possible crashes, makes Picard able to run on the new macOS 11, provides several small UI improvements, allows using file tags and variables in tagger script, and more. See below for a full list of changes.
Picard 2.5 beta 1 is available for download from the download page.
The easiest way to help us getting a great Picard 2.5 release is using and testing this release candidate. Please report bugs on the Picard issue tracker and provide feedback in the community forums.
Please also help translate Picard. There have been many changes to the user interface and existing translations need to be updated for the final 2.4 release. Translating is easy and can be done online: Head over to MusicBrainz’s translation page on Transifex and click on “Help Translate MusicBrainz”.
Once you have registered an account on Transifex you can start translating. For Picard the primary resource to translate is “picard“, but there is also the “picard_appstream” resource which is used for providing descriptions for various Linux software-center applications.
If you are a software developer you are very welcomed to provide fixes and features. Picard is free software and the source code is available on GitHub. See Developing on the Picard website to get started.