Release Notes (v1.3.1)

DSF-Team6/20/25About 2 min

Release Notes for v1.3.1

Release Notes

You can access all release notes on our GitHub.

General remarks:

This is an update for the new 1.x DSF and not compatible with 0.9.x and older version developed at highmed/highmed-dsf.
DSF v1.3.1 is not compatible with DSF Ping Pong v1.0.0.0, upgrade/use the Ping Pong plugin v1.0.1.0 if your are upgrading/using this version.
To Update an existing 1.x installation, please see the 1.x -> 1.3.1 Upgrade Guide.
For a fresh deployment, follow the installation instructions.

Features:

Removes insecure TLS cipher suites from the apache httpd reverse proxy Docker image.
Adds browser security policy headers for text/html requests and requests for /static/... resources.
Removes in-line css style and javascript event-handler definitions.
Reorganized commons-logging excludes, added Dependency ban rule.
Only sends the X-ClientCert header if the variable SSL_CLIENT_CERT is not empty. The value is empty if a users is not authenticated with a client certificate and client certificate authentication is optional.
Adds generated mail address based on the iss (issuer) and sub (subject) values from the access token to the currently logged in Practitioner object if the token does not contain an email claim.

Bug Fixes:

The OrganizationAffiliation page showed the Participation Organization identifier in the column Parent Organization. The expected Parent Organization identifier is now shown.
The apache httpd reverse proxy did not set the required X-Forwarded-Proto header, leading to "faulty" redirect URLs when using OIDC logins. The X-Forwarded-Proto header for proxy request to the FHIR App server is now set.

Known Compatible Process Plugins:

Docker containers for this release can be access via the GitHub Docker registry - ghcr.io:

Issues closed:

This release contains contributions from @wetret, @schwzr and @hhund.