mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-27 06:03:51 +03:00
8dbd2da593
As of Forgejo 8.0.1 the release notes were only available in the description of the corresponding milestone which is problematic for: - searching - safekeeping The release-notes-published directory is created to remedy those problems: - a copy of all those release notes from the milestones descriptions is added. - a reference is added to the RELEASE-NOTES.md file which will no longer be used. - a symbolic link to the RELEASE-NOTES.md is added for completeness. - the release process will be updated to populate release-notes-published. The RELEASE-NOTES.md file is kept where it is because it is referenced by a number of URLs. The release-notes directory would have been a better name but it is already used for in flight release notes waiting for the next release. Renaming this directory or changing it is rather involved.
13 lines
3.5 KiB
Markdown
13 lines
3.5 KiB
Markdown
<!--start release-notes-assistant-->
|
|
|
|
## Release notes
|
|
<!--URL:https://codeberg.org/forgejo/forgejo-->
|
|
- Security bug fixes
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5719) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5723)): <!--number 5723 --><!--line 0 --><!--description Rm9yZ2VqbyBnZW5lcmF0ZXMgYSB0b2tlbiB3aGljaCBpcyB1c2VkIHRvIGF1dGhlbnRpY2F0ZSB3ZWIgZW5kcG9pbnRzIHRoYXQgYXJlIG9ubHkgbWVhbnQgdG8gYmUgdXNlZCBpbnRlcm5hbGx5LCBmb3IgaW5zdGFuY2Ugd2hlbiB0aGUgU1NIIGRhZW1vbiBpcyB1c2VkIHRvIHB1c2ggYSBjb21taXQgd2l0aCBHaXQuIFRoZSB2ZXJpZmljYXRpb24gb2YgdGhpcyB0b2tlbiB3YXMgbm90IGRvbmUgaW4gY29uc3RhbnQgdGltZSBhbmQgd2FzIHN1c2NlcHRpYmxlIHRvIFt0aW1pbmcgYXR0YWNrc10oaHR0cHM6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvVGltaW5nX2F0dGFjaykuIEEgcHJlLWNvbmRpdGlvbiBmb3Igc3VjaCBhbiBhdHRhY2sgaXMgdGhlIHByZWNpc2UgbWVhc3VyZW1lbnRzIG9mIHRoZSB0aW1lIGZvciBlYWNoIG9wZXJhdGlvbi4gU2luY2UgaXQgcmVxdWlyZXMgb2JzZXJ2aW5nIHRoZSB0aW1pbmcgb2YgbmV0d29yayBvcGVyYXRpb25zLCB0aGUgaXNzdWUgaXMgbWl0aWdhdGVkIHdoZW4gYSBGb3JnZWpvIGluc3RhbmNlIGlzIGFjY2Vzc2VkIG92ZXIgdGhlIGludGVybmV0IGJlY2F1c2UgdGhlIElTUCBpbnRyb2R1Y2UgdW5wcmVkaWN0YWJsZSByYW5kb20gZGVsYXlzLg==-->Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.<!--description-->
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5718) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5720)): <!--number 5720 --><!--line 0 --><!--description QmVjYXVzZSBvZiBhIG1pc3NpbmcgcGVybWlzc2lvbiBjaGVjaywgdGhlIGJyYW5jaCB1c2VkIHRvIHByb3Bvc2UgYSBwdWxsIHJlcXVlc3QgdG8gYSByZXBvc2l0b3J5IGNhbiBhbHdheXMgYmUgZGVsZXRlZCBieSB0aGUgdXNlciBwZXJmb3JtaW5nIHRoZSBtZXJnZS4gSXQgd2FzIGZpeGVkIHNvIHRoYXQgc3VjaCBhIGRlbGV0aW9uIGlzIG9ubHkgYWxsb3dlZCBpZiB0aGUgdXNlciBwZXJmb3JtaW5nIHRoZSBtZXJnZSBoYXMgd3JpdGUgcGVybWlzc2lvbiB0byB0aGUgcmVwb3NpdG9yeSBmcm9tIHdoaWNoIHRoZSBwdWxsIHJlcXVlc3Qgd2FzIG1hZGUu-->Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.<!--description-->
|
|
- Localization
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5182) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5401)): <!--number 5401 --><!--line 0 --><!--description VHJhbnNsYXRpb24gYmFja3BvcnRzIHRvIHY3-->Translation backports to v7<!--description-->
|
|
- Included for completeness but not worth a release note
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5725): <!--number 5725 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTAuOS4zIFtTRUNVUklUWV0gKHY3LjAvZm9yZ2Vqbyk=-->Update dependency mermaid to v10.9.3 [SECURITY] (v7.0/forgejo)<!--description-->
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5241): <!--number 5241 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjIuNyAodjcuMC9mb3JnZWpvKQ==-->Update dependency go to v1.22.7 (v7.0/forgejo)<!--description-->
|
|
<!--end release-notes-assistant-->
|