forgejo/release-notes-published/9.0.2.md

<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5975)): [commit](https://codeberg.org/forgejo/forgejo/commit/1ce33aa38d1d258d14523ff2c7c2dbf339f22b74) it was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer possible to use a token for an action that is different from its original purpose.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5975)): [commit](https://codeberg.org/forgejo/forgejo/commit/061abe60045212acf8c3f5c49b5cc758b4cbcde9) a fork of a public repository would show in the list of forks, even if its owner was not a public user or organization. Such a fork is now hidden from the list of forks of the public repository.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5975)): [commit](https://codeberg.org/forgejo/forgejo/commit/3e3ef76808100cb1c853378733d0f6a910324ac6) the members of an organization team with read access to a repository (e.g. to read issues) but no read access to the code could read the RSS or Atom feeds, which include the commit activity. Reading the RSS or Atom feeds is now denied unless the team has read permissions on the code.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5975)): [commit](https://codeberg.org/forgejo/forgejo/commit/9508aa7713632ed40124a933d91d5766cf2369c2) the tokens used when [replying by email to issues or pull requests](https://forgejo.org/docs/v9.0/user/incoming/) were weaker than the [RFC 2104 recommendations](https://datatracker.ietf.org/doc/html/rfc2104#section-5). The tokens are now truncated to 128 bits instead of 80 bits. It is no longer possible to reply to emails sent before the upgrade because the weaker tokens are invalid.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5975)): [commit](https://codeberg.org/forgejo/forgejo/commit/786dfc7fb81ee76d4292ca5fcb33e6ea7bdccc29) a registered user could modify the update frequency of any push mirror (e.g. every 4h instead of every 8h). They are now only able to do that if they have administrative permissions on the repository.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5975)): [commit](https://codeberg.org/forgejo/forgejo/commit/e6bbecb02d47730d3cc630d419fe27ef2fb5cb39) it was possible to use basic authorization (i.e. user:password) for requests to the API even when security keys were enrolled for a user. It is no longer possible; an application token must be used instead.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5975)): [commit](https://codeberg.org/forgejo/forgejo/commit/7067cc7da4f144cc8a2fd2ae6e5307e0465ace7f) some markup sanitization rules were not as strict as they could be (e.g. allowing `emoji somethingelse` as well as `emoji`). The rules are now stricter and do not allow such cases.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5975)): [commit](https://codeberg.org/forgejo/forgejo/commit/b70196653f9d7d3b9d4e72d114e5cc6f472988c4) when Forgejo is configured to enable instance-wide search (e.g. with [bleve](https://blevesearch.com/)), results found in the repositories of private or limited users were displayed to anonymous visitors. The results found in private or limited organizations were not displayed. The search results found in the repositories of private or limited users are no longer displayed to anonymous visitors.
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5941) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5945)): fix: handle a renamed dependency for the cargo registry.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5795) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5800)): support `www.github.com` for migrations.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5887): move the forgot_password link to fix the login tab order.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5850) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5879)): code owners were not mentioned when a pull request came from a forked repository.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5831) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5834)): labels were missing from the pull request payload when a label was removed.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5778) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5810)): in a Forgejo Actions workflow, the `unlabeled` event type for pull requests was incorrectly mapped to the `labeled` event type.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5778) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5810)): when a Forgejo Actions issue or pull request workflow was triggered by a `labeled` or `unlabeled` event type, it lacked information about the label added or removed. It is now available in the `label` data member of the event payload.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5778) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5810)): the pull request workflow must always update the head SHA commit status, not just when the PR is synchronized, opened or closed. Otherwise, a job that runs more often than on commits (e.g. checking for specific labels or approvals) cannot be defined as a required check.
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5746) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5759)): fix git-grep for code search when the git version is below 2.38.
- Localization
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5681) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5748)): i18n: update of translations from Codeberg Translate.
<!--end release-notes-assistant-->
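The first and fourth security fixes above describe two properties of an emailed token: it must be bound to the action it was minted for, and its truncated HMAC must not be shorter than RFC 2104 section 5 allows (at least half the hash output and at least 80 bits, so 128 bits for SHA-256). The Go example below is added here to show both together and is not Forgejo's own code; the purpose names, key, and NUL-joined field layout are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strconv"
	"strings"
)

// Purposes an emailed token can be minted for. The purpose is part of the
// MAC input, so a token minted for one purpose never verifies for another.
const (
	PurposeRegister      = "register"
	PurposeResetPassword = "reset-password"
	PurposeVerifyEmail   = "verify-email"
)

// MinTagBytes is the RFC 2104 section 5 floor for a truncated HMAC tag: at
// least half the hash output and at least 80 bits. For SHA-256 that is 16
// bytes (128 bits), so an 80-bit tag falls below the recommendation.
func MinTagBytes(hashLen int) int {
	if hashLen/2 > 10 {
		return hashLen / 2
	}
	return 10
}

// mac binds purpose, email and user id into one truncated tag. The NUL-joined
// field layout is constructed for this example and is not Forgejo's own; a
// production token would also carry an issue time for freshness checks.
func mac(key []byte, purpose, email string, uid int64) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(strings.Join([]string{purpose, email, strconv.FormatInt(uid, 10)}, "\x00")))
	return h.Sum(nil)[:MinTagBytes(sha256.Size)]
}

// MintToken returns the hex tag for one purpose; the email carries only this.
func MintToken(key []byte, purpose, email string, uid int64) string {
	return hex.EncodeToString(mac(key, purpose, email, uid))
}

// VerifyToken recomputes the tag with the purpose the calling endpoint expects
// (never one read from the request) and compares in constant time.
func VerifyToken(key []byte, token, purpose, email string, uid int64) bool {
	got, err := hex.DecodeString(token)
	return err == nil && hmac.Equal(got, mac(key, purpose, email, uid))
}
```

A password-reset endpoint calls `VerifyToken` with `PurposeResetPassword`, so a token minted with `PurposeVerifyEmail` for the same user fails there even though it is a valid tag.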