mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-23 14:53:34 +01:00
15 lines
8.5 KiB
Markdown
15 lines
8.5 KiB
Markdown
|
<!--start release-notes-assistant-->
|
||
|
|
||
|
## Release notes
|
||
|
<!--URL:https://codeberg.org/forgejo/forgejo-->
|
||
|
- Security bug fixes
|
||
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5976)): <!--number 5976 --><!--line 0 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC8xY2UzM2FhMzhkMWQyNThkMTQ1MjNmZjJjN2MyZGJmMzM5ZjIyYjc0KSBpdCB3YXMgcG9zc2libGUgdG8gdXNlIGEgdG9rZW4gc2VudCB2aWEgZW1haWwgZm9yIHNlY29uZGFyeSBlbWFpbCB2YWxpZGF0aW9uIHRvIHJlc2V0IHRoZSBwYXNzd29yZCBpbnN0ZWFkLiAgSW4gb3RoZXIgd29yZHMsIGEgdG9rZW4gc2VudCBmb3IgIGEgZ2l2ZW4gYWN0aW9uIChyZWdpc3RyYXRpb24sIHBhc3N3b3JkIHJlc2V0IG9yIHNlY29uZGFyeSBlbWFpbCB2YWxpZGF0aW9uKSBjb3VsZCBiZSB1c2VkIHRvIHBlcmZvcm0gYSBkaWZmZXJlbnQgYWN0aW9uLiBJdCBpcyBubyBsb25nZXIgcG9zc2libGUgdG8gdXNlIGEgdG9rZW4gZm9yIGFuIGFjdGlvbiB0aGF0IGlzIGRpZmZlcmVudCBmcm9tIGl0cyBvcmlnaW5hbCBwdXJwb3NlLg==-->[commit](https://codeberg.org/forgejo/forgejo/commit/1ce33aa38d1d258d14523ff2c7c2dbf339f22b74) it was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer possible to use a token for an action that is different from its original purpose.<!--description-->
|
||
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5976)): <!--number 5976 --><!--line 1 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC8wNjFhYmU2MDA0NTIxMmFjZjhjM2Y1YzQ5YjVjYzc1OGI0Y2JjZGU5KSBhIGZvcmsgb2YgYSBwdWJsaWMgcmVwb3NpdG9yeSB3b3VsZCBzaG93IGluIHRoZSBsaXN0IG9mIGZvcmtzLCBldmVuIGlmIGl0cyBvd25lciB3YXMgbm90IGEgcHVibGljIHVzZXIgb3Igb3JnYW5pemF0aW9uLiBTdWNoIGEgZm9yayBpcyBub3cgaGlkZGVuIGZyb20gdGhlIGxpc3Qgb2YgZm9ya3Mgb2YgdGhlIHB1YmxpYyByZXBvc2l0b3J5Lg==-->[commit](https://codeberg.org/forgejo/forgejo/commit/061abe60045212acf8c3f5c49b5cc758b4cbcde9) a fork of a public repository would show in the list of forks, even if its owner was not a public user or organization. Such a fork is now hidden from the list of forks of the public repository.<!--description-->
|
||
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5976)): <!--number 5976 --><!--line 2 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC8zZTNlZjc2ODA4MTAwY2IxYzg1MzM3ODczM2QwZjZhOTEwMzI0YWM2KSB0aGUgbWVtYmVycyBvZiBhbiBvcmdhbml6YXRpb24gdGVhbSB3aXRoIHJlYWQgYWNjZXNzIHRvIGEgcmVwb3NpdG9yeSAoZS5nLiB0byByZWFkIGlzc3VlcykgYnV0IG5vIHJlYWQgYWNjZXNzIHRvIHRoZSBjb2RlIGNvdWxkIHJlYWQgdGhlIFJTUyBvciBhdG9tIGZlZWRzIHdoaWNoIGluY2x1ZGUgdGhlIGNvbW1pdCBhY3Rpdml0eS4gUmVhZGluZyB0aGUgUlNTIG9yIGF0b20gZmVlZHMgaXMgbm93IGRlbmllZCB1bmxlc3MgdGhlIHRlYW0gaGFzIHJlYWQgcGVybWlzc2lvbnMgb24gdGhlIGNvZGUu-->[commit](https://codeberg.org/forgejo/forgejo/commit/3e3ef76808100cb1c853378733d0f6a910324ac6) the members of an organization team with read access to a repository (e.g. to read issues) but no read access to the code could read the RSS or atom feeds which include the commit activity. Reading the RSS or atom feeds is now denied unless the team has read permissions on the code.<!--description-->
|
||
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5976)): <!--number 5976 --><!--line 3 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC85NTA4YWE3NzEzNjMyZWQ0MDEyNGE5MzNkOTFkNTc2NmNmMjM2OWMyKSB0aGUgdG9rZW5zIHVzZWQgd2hlbiBbcmVwbHlpbmcgYnkgZW1haWwgdG8gaXNzdWVzIG9yIHB1bGwgcmVxdWVzdHNdKGh0dHBzOi8vZm9yZ2Vqby5vcmcvZG9jcy92OS4wL3VzZXIvaW5jb21pbmcvKSB3ZXJlIHdlYWtlciB0aGFuIHRoZSBbcmZjMjEwNCByZWNvbW1lbmRhdGlvbnNdKGh0dHBzOi8vZGF0YXRyYWNrZXIuaWV0Zi5vcmcvZG9jL2h0bWwvcmZjMjEwNCNzZWN0aW9uLTUpLiBUaGUgdG9rZW5zIGFyZSBub3cgdHJ1bmNhdGVkIHRvIDEyOCBiaXRzIGluc3RlYWQgb2YgODAgYml0cy4gSXQgaXMgbm8gbG9uZ2VyIHBvc3NpYmxlIHRvIHJlcGx5IHRvIGVtYWlscyBzZW50IGJlZm9yZSB0aGUgdXBncmFkZSBiZWNhdXNlIHRoZSB3ZWFrZXIgdG9rZW5zIGFyZSBpbnZhbGlkLg==-->[commit](https://codeberg.org/forgejo/forgejo/commit/9508aa7713632ed40124a933d91d5766cf2369c2) the tokens used when [replying by email to issues or pull requests](https://forgejo.org/docs/v9.0/user/incoming/) were weaker than the [rfc2104 recommendations](https://datatracker.ietf.org/doc/html/rfc2104#section-5). The tokens are now truncated to 128 bits instead of 80 bits. It is no longer possible to reply to emails sent before the upgrade because the weaker tokens are invalid.<!--description-->
|
||
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5976)): <!--number 5976 --><!--line 4 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC83ODZkZmM3ZmI4MWVlNzZkNDI5MmNhNWZjYjMzZTZlYTdiZGNjYzI5KSBhIHJlZ2lzdGVyZWQgdXNlciBjb3VsZCBtb2RpZnkgdGhlIHVwZGF0ZSBmcmVxdWVuY3kgb2YgYW55IHB1c2ggbWlycm9yIChlLmcuIGV2ZXJ5IDRoIGluc3RlYWQgb2YgZXZlcnkgOGgpLiBUaGV5IGFyZSBub3cgb25seSBhYmxlIHRvIGRvIHRoYXQgaWYgdGhleSBoYXZlIGFkbWluaXN0cmF0aXZlIHBlcm1pc3Npb25zIG9uIHRoZSByZXBvc2l0b3J5Lg==-->[commit](https://codeberg.org/forgejo/forgejo/commit/786dfc7fb81ee76d4292ca5fcb33e6ea7bdccc29) a registered user could modify the update frequency of any push mirror (e.g. every 4h instead of every 8h). They are now only able to do that if they have administrative permissions on the repository.<!--description-->
|
||
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5976)): <!--number 5976 --><!--line 5 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC9lNmJiZWNiMDJkNDc3MzBkM2NjNjMwZDQxOWZlMjdlZjJmYjVjYjM5KSBpdCB3YXMgcG9zc2libGUgdG8gdXNlIGJhc2ljIGF1dGhvcml6YXRpb24gKGkuZS4gdXNlcjpwYXNzd29yZCkgZm9yIHJlcXVlc3RzIHRvIHRoZSBBUEkgZXZlbiB3aGVuIHNlY3VyaXR5IGtleXMgd2VyZSBlbnJvbGxlZCBmb3IgYSB1c2VyLiBJdCBpcyBubyBsb25nZXIgcG9zc2libGUsIGFuIGFwcGxpY2F0aW9uIHRva2VuIG11c3QgYmUgdXNlZCBpbnN0ZWFkLg==-->[commit](https://codeberg.org/forgejo/forgejo/commit/e6bbecb02d47730d3cc630d419fe27ef2fb5cb39) it was possible to use basic authorization (i.e. user:password) for requests to the API even when security keys were enrolled for a user. It is no longer possible, an application token must be used instead.<!--description-->
|
||
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5976)): <!--number 5976 --><!--line 6 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC83MDY3Y2M3ZGE0ZjE0NGNjOGEyZmQyYWU2ZTUzMDdlMDQ2NWFjZTdmKSBzb21lIG1hcmt1cCBzYW5pdGF0aW9uIHJ1bGVzIHdlcmUgbm90IGFzIHN0cm9uZyBhcyB0aGV5IGNvdWxkIGJlIChlLmcuIGFsbG93aW5nIGBlbW9qaSBzb21ldGhpbmdlbHNlYCBhcyB3ZWxsIGFzIGBlbW9qaWApLiBUaGUgcnVsZXMgYXJlIG5vdyBzdHJpY3RlciBhbmQgZG8gbm90IGFsbG93IGZvciBzdWNoIGNhc2VzLg==-->[commit](https://codeberg.org/forgejo/forgejo/commit/7067cc7da4f144cc8a2fd2ae6e5307e0465ace7f) some markup sanitation rules were not as strong as they could be (e.g. allowing `emoji somethingelse` as well as `emoji`). The rules are now stricter and do not allow for such cases.<!--description-->
|
||
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5974) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5976)): <!--number 5976 --><!--line 7 --><!--description W2NvbW1pdF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2NvbW1pdC9iNzAxOTY2NTNmOWQ3ZDNiOWQ0ZTcyZDExNGU1Y2M2ZjQ3Mjk4OGM0KSB3aGVuIEZvcmdlam8gaXMgY29uZmlndXJlZCB0byBlbmFibGUgaW5zdGFuY2Ugd2lkZSBzZWFyY2ggKGUuZy4gd2l0aCBbYmxldmVdKGh0dHBzOi8vYmxldmVzZWFyY2guY29tLykpLCByZXN1bHRzIGZvdW5kIGluIHRoZSByZXBvc2l0b3JpZXMgb2YgcHJpdmF0ZSBvciBsaW1pdGVkIHVzZXJzIHdlcmUgZGlzcGxheWVkIHRvIGFub255bW91cyB2aXNpdG9ycy4gVGhlIHJlc3VsdHMgZm91bmQgaW4gcHJpdmF0ZSBvciBsaW1pdGVkIG9yZ2FuaXphdGlvbnMgd2VyZSBub3QgZGlzcGxheWVkLiBUaGUgc2VhcmNoIHJlc3VsdHMgZm91bmQgaW4gdGhlIHJlcG9zaXRvcmllcyBvZiBwcml2YXRlIG9yIGxpbWl0ZWQgdXNlciBhcmUgbm8gbG9uZ2VyIGRpc3BsYXllZCB0byBhbm9ueW1vdXMgdmlzaXRvcnMu-->[commit](https://codeberg.org/forgejo/forgejo/commit/b70196653f9d7d3b9d4e72d114e5cc6f472988c4) when Forgejo is configured to enable instance wide search (e.g. with [bleve](https://blevesearch.com/)), results found in the repositories of private or limited users were displayed to anonymous visitors. The results found in private or limited organizations were not displayed. The search results found in the repositories of private or limited user are no longer displayed to anonymous visitors.<!--description-->
|
||
|
<!--end release-notes-assistant-->
|