forgejo/release-notes-published/9.0.3.md
forgejo-release-manager 835e72b247 chore(release-notes): Forgejo v9.0.3 (#6256)
https://codeberg.org/forgejo/forgejo/milestone/8833
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6256
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
2024-12-12 18:13:29 +00:00

<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6248) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6253)): <!--number 6253 --><!--line 0 --><!--description Zml4OiBlbnN1cmUgY29ycmVjdCBzc2ggcHVibGljIGtleSBpcyB1c2VkIGZvciBhdXRoZW50aWNhdGlvbg==-->When Forgejo is configured to run the internal ssh server with `[server].START_SSH_SERVER=true`, it was possible for a registered user to impersonate another user. The rootless container image uses the internal ssh server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal ssh server by default and was not vulnerable. The incorrect use of the crypto package is the root cause of the vulnerability and was fixed for the internal ssh server.<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6249) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6251)): <!--number 6251 --><!--line 0 --><!--description Zml4OiBSZXZlcnQgImFsbG93IHN5bmNocm9uaXppbmcgdXNlciBzdGF0dXMgZnJvbSBPQXV0aDIgbG9naW4gcHJvdmlkZXJzICgjMzE1NzIpIg==-->Revert "allow synchronizing user status from OAuth2 login providers"<!--description-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6104): <!--number 6104 --><!--line 0 --><!--description Rml4IHdpa2kgc2VhcmNoIG92ZXJmbG93aW5nIG9uIHdpZGUgc2NyZWVucyAoIzYwNDcp-->Fix wiki search overflowing on wide screens (#6047)<!--description-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6097) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6168)): <!--number 6168 --><!--line 0 --><!--description RG8gbm90IHJld3JpdGUgc3NoIGtleXMgZmlsZXMgd2hlbiBkZWxldGluZyBhIHVzZXIgd2l0aG91dCBvbmU=-->Do not rewrite ssh keys files when deleting a user without one<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6124) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6129)): <!--number 6129 --><!--line 0 --><!--description Zml4OiBkb2N0b3IgZmFpbHMgd2l0aCBwcTogc3ludGF4IGVycm9yIGF0IG9yIG5lYXIgIi4iIHdoaWxzdCBjb3VudGluZyBBdXRob3JpemF0aW9uIHRva2VuIHdpdGhvdXQgZXhpc3RpbmcgVXNlcg==-->fix: doctor fails with pq: syntax error at or near "." whilst counting Authorization token without existing User<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6054) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6057)): <!--number 6057 --><!--line 0 --><!--description Zml4OiBEbyBub3QgZGVsZXRlIGdsb2JhbCBPYXV0aDIgYXBwbGljYXRpb25z-->fix: Do not delete global Oauth2 applications<!--description-->
- Other changes without a feature or bug label
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6064): <!--number 6064 --><!--line 0 --><!--description W2dpdGVhXSB3ZWVrIDIwMjQtNDgtdjkuMCBjaGVycnkgcGljayAoZ2l0ZWEvbWFpbiAtPiB2OS4wL2Zvcmdlam8p-->[gitea] week 2024-48-v9.0 cherry pick (gitea/main -> v9.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5998): <!--number 5998 --><!--line 0 --><!--description W2dpdGVhXSB3ZWVrIDIwMjQtNDctdjkuMCBjaGVycnkgcGljayAoZ2l0ZWEvbWFpbiAtPiB2OS4wL2Zvcmdlam8p-->[commit](https://codeberg.org/forgejo/forgejo/commit/53c546951115d9e269a2778f90e43b0cb413eab6) Strict matching of allowed content for sanitizer for asciicast and csv rendering<!--description-->
- Included for completeness but not worth a release note
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6247): <!--number 6247 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvY3J5cHRvIHRvIHYwLjMxLjAgKHY5LjAvZm9yZ2Vqbyk=-->Update module golang.org/x/crypto to v0.31.0 (v9.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6223) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6231)): <!--number 6231 --><!--line 0 --><!--description Y2hvcmUoY2kpOiBzZXQgdGhlIG1pbGVzdG9uZSB3aGVuIGEgcHVsbCByZXF1ZXN0IGlzIGNsb3NlZCAodGFrZSA0KQ==-->chore(ci): set the milestone when a pull request is closed (take 4)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6219) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6225)): <!--number 6225 --><!--line 0 --><!--description Y2hvcmUoY2kpOiBzZXQgdGhlIG1pbGVzdG9uZSB3aGVuIGEgcHVsbCByZXF1ZXN0IGlzIG9wZW4gKHRha2UgMyk=-->chore(ci): set the milestone when a pull request is open (take 3)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6211) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6217)): <!--number 6217 --><!--line 0 --><!--description Y2hvcmUoY2kpOiBzZXQgdGhlIG1pbGVzdG9uZSB3aGVuIGEgcHVsbCByZXF1ZXN0IGlzIG9wZW4=-->chore(ci): set the milestone when a pull request is open<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6176): <!--number 6176 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGdpdGh1Yi9yZWxhdGl2ZS10aW1lLWVsZW1lbnQgdG8gdjQuNC40ICh2OS4wL2Zvcmdlam8p-->Update dependency @github/relative-time-element to v4.4.4 (v9.0/forgejo)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6152) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6155)): <!--number 6155 --><!--line 0 --><!--description Zml4OiByZW1vdmUgc29mdGJyZWFrIGZyb20gZ2l0aHViIGxlZ2FjeSBjYWxsb3V0-->fix: remove softbreak from github legacy callout<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6144) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6149)): <!--number 6149 --><!--line 0 --><!--description Zml4OiBjb3JyZWN0IHBlcm1pc3Npb24gbG9hZGluZyBmb3IgbGltaXRlZCBvcmdhbmlzYXRpb24=-->fix: correct permission loading for limited organisation<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6128) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6131)): <!--number 6131 --><!--line 0 --><!--description Zml4OiBjbGVhbiB1cCBsb2cgZmlsZXMgdGhhdCBubyBsb25nZXIgZXhpc3Q=-->fix: clean up log files that no longer exist<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6114) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6127)): <!--number 6127 --><!--line 0 --><!--description Zml4OiByZXR1cm4gY29ycmVjdCB0eXBlIGluIGBHZXRTdWJNb2R1bGVg-->fix: return correct type in `GetSubModule`<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6050) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6092)): <!--number 6092 --><!--line 0 --><!--description SW1wcm92ZSBTd2FnZ2VyIGRvY3VtZW50YXRpb24gZm9yIHVzZXIgZW5kcG9pbnRz-->Improve Swagger documentation for user endpoints<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6084) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6085)): <!--number 6085 --><!--line 0 --><!--description Zml4OiBub3JtYWxpemUgZ3Vlc3NlZCBsYW5ndWFnZXMgZnJvbSBlbnJ5-->fix: normalize guessed languages from enry<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6052) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6070)): <!--number 6070 --><!--line 0 --><!--description U2hvdyBwYWdlIHRpdGxlcyBpbiB3aWtpIHNlYXJjaCByZXN1bHRzICgjNjA0OCk=-->Show page titles in wiki search results (#6048)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6060): <!--number 6060 --><!--line 0 --><!--description aTE4bjogYmFja3BvcnQgb2YgdHJhbnNsYXRpb24gdXBkYXRlcyA1NzU0LCA1ODQ1LCA1OTYw-->i18n: backport of translation updates 5754, 5845, 5960<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6034) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6035)): <!--number 6035 --><!--line 0 --><!--description Y2hvcmUoY2kpOiByZW1vdmUgdW51c2VkIGV4cGVyaW1lbnRhbCBETlMgdXBkYXRlcw==-->chore(ci): remove unused experimental DNS updates<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/6013) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6016)): <!--number 6016 --><!--line 0 --><!--description Zml4KHRlc3QpOiBUZXN0R2l0QXR0cmlidXRlQ2hlY2tlckVycm9yIG11c3QgYWxsb3cgYnJva2VuIHBpcGU=-->fix(test): TestGitAttributeCheckerError must allow broken pipe<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5996) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6005)): <!--number 6005 --><!--line 0 --><!--description Zml4OiBjaGVjayByZWFkIHBlcm1pc3Npb25zIGZvciBjb2RlIG93bmVyIHJldmlldyByZXF1ZXN0cw==-->fix: check read permissions for code owner review requests<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5989) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6004)): <!--number 6004 --><!--line 0 --><!--description Zml4OiB1c2UgYmV0dGVyIGNvZGUgdG8gZ3JvdXAgVUlEIGFuZCBzdG9wd2F0Y2hlcw==-->fix: use better code to group UID and stopwatches<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5991) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5993)): <!--number 5993 --><!--line 0 --><!--description Zml4OiBhcGkgcmVwbyBjb21wYXJlIHdpdGggY29tbWl0IGhhc2hlcw==-->fix: api repo compare with commit hashes<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5986) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5992)): <!--number 5992 --><!--line 0 --><!--description YnVnOiBjb3JyZWN0bHkgZ2VuZXJhdGUgb2F1dGgyIGp3dCBzaWduaW5nIGtleQ==-->bug: correctly generate oauth2 jwt signing key<!--description-->
<!--end release-notes-assistant-->