## Release notes - Security bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/5719) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5724)): Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays. - [PR](https://codeberg.org/forgejo/forgejo/pulls/5718) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5721)): Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made. - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/5439) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5708)): Fix boolean inputs in workflow_dispatch - [PR](https://codeberg.org/forgejo/forgejo/pulls/5634) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5636)): package arch database not updating when uploading "any" architecture - [PR](https://codeberg.org/forgejo/forgejo/pulls/5627) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5631)): correct SQL query for active issues - [PR](https://codeberg.org/forgejo/forgejo/pulls/5626) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5629)): specify default value for `EXPLORE_DEFAULT_SORT`. - [PR](https://codeberg.org/forgejo/forgejo/pulls/5613) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5624)): fix: Add `recentupdated` as recognized sort option - [PR](https://codeberg.org/forgejo/forgejo/pulls/5616): Update dependency mermaid to v11.3.0 (v9.0/forgejo) - [PR](https://codeberg.org/forgejo/forgejo/pulls/5587) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5588)): Dockerfile: use alpine:3.20 instead of golang:1.23-alpine3.20 - [PR](https://codeberg.org/forgejo/forgejo/pulls/5585) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5586)): Dockerfile: unnecessary container image layer duplication - [PR](https://codeberg.org/forgejo/forgejo/pulls/5647): [commit](https://codeberg.org/forgejo/forgejo/commit/1913399d8176944f170d4f1c032dc37003aaafc0) Always update expiration time when creating an artifact - [PR](https://codeberg.org/forgejo/forgejo/pulls/5647): [commit](https://codeberg.org/forgejo/forgejo/commit/4fe311e7c0292e3ac79f8bc063f1bcacef4494f0) Update scheduled tasks even if changes are pushed by "ActionsUser" - [PR](https://codeberg.org/forgejo/forgejo/pulls/5715): [commit](https://codeberg.org/forgejo/forgejo/commit/768402c8841db5e8acc97919149ba329d5124e17) Fix disable 2fa bug - Localization - [PR](https://codeberg.org/forgejo/forgejo/pulls/5583) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5680)): i18n: update of translations from Codeberg Translate - Included for completeness but not worth a release note - [PR](https://codeberg.org/forgejo/forgejo/pulls/5702) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5710)): fix: use buffered iterate for debian searchpackages - [PR](https://codeberg.org/forgejo/forgejo/pulls/5688) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5691)): fix: make branch protection work for new branches - [PR](https://codeberg.org/forgejo/forgejo/pulls/5651) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5656)): link to security policy in security.txt - [PR](https://codeberg.org/forgejo/forgejo/pulls/5653) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5655)): fix: don't show truncated comments in RSS/Atom feeds - [PR](https://codeberg.org/forgejo/forgejo/pulls/5652) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5654)): fix: typo on releases for source code downloads - [PR](https://codeberg.org/forgejo/forgejo/pulls/5640) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5645)): Revert "add gap between branch dropdown and PR button" - [PR](https://codeberg.org/forgejo/forgejo/pulls/5615) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5618)): fix: Don't double escape delete branch text - [PR](https://codeberg.org/forgejo/forgejo/pulls/5595) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5596)): fix: Add server logging for OAuth server errors - [PR](https://codeberg.org/forgejo/forgejo/pulls/5592) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5594)): forgejo-cli is now a symlink and cannot be used for sanity checks - [PR](https://codeberg.org/forgejo/forgejo/pulls/5491) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5575)): fix: correct documentation for non 200 responses in swagger