mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-01-10 15:42:16 +01:00
403a81bdb5
https://codeberg.org/forgejo/forgejo/milestone/8832

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6255
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
3.3 KiB
Release notes
- Security bug fixes
  - PR (backported): When Forgejo is configured to run the internal ssh server with `[server].START_SSH_SERVER=true`, it was possible for a registered user to impersonate another user. The rootless container image uses the internal ssh server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal ssh server by default and was not vulnerable. The root cause was an incorrect use of the crypto package, which has been fixed in the internal ssh server.
  - PR (backported): When Forgejo is configured to run the internal ssh server with
- Bug fixes
  - PR (backported): fix: doctor fails with pq: syntax error at or near "." whilst counting Authorization token without existing User
  - PR (backported): fix: Do not delete global Oauth2 applications
- Included for completeness but not worth a release note
  - PR: Update module golang.org/x/crypto to v0.31.0 (v7.0/forgejo)
  - PR (backported): chore(ci): set the milestone when a pull request is closed (take 4)
  - PR (backported): chore(ci): set the milestone when a pull request is open (take 3)
  - PR (backported): chore(ci): set the milestone when a pull request is open
  - PR (backported): chore(ci): remove unused experimental DNS updates
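The impersonation entry above names the root cause only as an incorrect use of the crypto package. The pattern behind that class of bug, stated here as background and not as text from the release notes, is the one addressed in golang.org/x/crypto v0.31.0 (the module bump listed under "Included for completeness"): `ssh.ServerConfig.PublicKeyCallback` is invoked for every key a client merely offers, its result is cached, and a call does not mean that key ended up authenticating the connection, so a server that records identity from inside the callback can be steered to the wrong account. The Go program below is an added example of mine, not Forgejo's code and not the library's: it is a constructed simulation of the server's publickey loop with stubbed keys, signatures and a toy key registry (no real SSH or x/crypto involved, and the `authenticate` model is a simplification), and it contrasts a handler that keeps connection-scoped state from the callback with one that takes identity only from the permissions attached to the key that actually signed.

```go
package main

import (
	"errors"
	"fmt"
)

// pubKey stands in for an ssh.PublicKey; the string is its fingerprint.
type pubKey string

// keyOwner is a constructed key registry (think of a public_key table).
var keyOwner = map[pubKey]string{
	"SHA256:attacker-key": "attacker",
	"SHA256:victim-key":   "victim",
}

// authRequest is one "publickey" SSH_MSG_USERAUTH_REQUEST: either a query
// ("would this key be acceptable?", no signature) or a signed attempt.
type authRequest struct {
	key    pubKey
	signed bool
}

// permissions plays the role of ssh.Permissions: whatever the callback returns
// for a key, which the server attaches to the connection only for the key that
// finally authenticates.
type permissions struct{ user string }

// publicKeyCallback has the shape of ssh.ServerConfig.PublicKeyCallback.
type publicKeyCallback func(k pubKey) (*permissions, error)

// authenticate is a constructed model (assumption, not library code) of the
// server side of the publickey method as golang.org/x/crypto/ssh behaved
// before v0.31.0: the callback runs once per distinct offered key, its result
// is cached, and a signed request for a key with a cached OK result completes
// authentication. canSign lists the keys the client really holds.
func authenticate(cb publicKeyCallback, reqs []authRequest, canSign map[pubKey]bool) (*permissions, error) {
	cache := map[pubKey]*permissions{}
	for _, r := range reqs {
		perms, seen := cache[r.key]
		if !seen {
			p, err := cb(r.key)
			if err != nil {
				p = nil
			}
			cache[r.key] = p
			perms = p
		}
		if perms == nil || !r.signed {
			continue // rejected key, or a query the server answers with PK_OK
		}
		if !canSign[r.key] {
			return nil, errors.New("signature verification failed")
		}
		return perms, nil
	}
	return nil, errors.New("no successful authentication")
}

// vulnerableLogin records, from inside the callback, the owner of the last key
// the server asked about and trusts that after the handshake.
func vulnerableLogin(reqs []authRequest, canSign map[pubKey]bool) (string, error) {
	var connUser string // connection-scoped state mutated by the callback
	cb := func(k pubKey) (*permissions, error) {
		owner, ok := keyOwner[k]
		if !ok {
			return nil, errors.New("unknown key")
		}
		connUser = owner // BUG: the callback is not told whether this key will be used
		return &permissions{user: owner}, nil
	}
	if _, err := authenticate(cb, reqs, canSign); err != nil {
		return "", err
	}
	return connUser, nil
}

// hardenedLogin derives identity only from the permissions the server attached
// for the key that produced a valid signature.
func hardenedLogin(reqs []authRequest, canSign map[pubKey]bool) (string, error) {
	cb := func(k pubKey) (*permissions, error) {
		owner, ok := keyOwner[k]
		if !ok {
			return nil, errors.New("unknown key")
		}
		return &permissions{user: owner}, nil
	}
	perms, err := authenticate(cb, reqs, canSign)
	if err != nil {
		return "", err
	}
	return perms.user, nil
}

// impersonationAttempt is the constructed exchange: query the attacker's own
// key, then query the victim's public key (public keys are easy to obtain),
// then sign with the attacker's key. The victim key's cached OK is never
// backed by a signature.
var impersonationAttempt = []authRequest{
	{key: "SHA256:attacker-key", signed: false},
	{key: "SHA256:victim-key", signed: false},
	{key: "SHA256:attacker-key", signed: true},
}

// attackerSigns: the attacker only holds the private half of their own key.
var attackerSigns = map[pubKey]bool{"SHA256:attacker-key": true}

func main() {
	u, err := vulnerableLogin(impersonationAttempt, attackerSigns)
	fmt.Println("callback-state identity:", u, err) // victim <nil>
	u, err = hardenedLogin(impersonationAttempt, attackerSigns)
	fmt.Println("permissions identity:   ", u, err) // attacker <nil>
}
```

Both handlers reject a signed request for a key the client cannot sign with; the difference is only where identity is read from. Reading it from the permissions of the authenticated key is the pattern the x/crypto documentation asks for, and it is the one that survives the query-then-sign sequence above.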