diff options
| author | Earl Warren <contact@earl-warren.org> | 2024-12-05 17:33:52 +0100 |
|---|---|---|
| committer | Earl Warren <contact@earl-warren.org> | 2024-12-05 17:46:14 +0100 |
| commit | 8dbd2da593a18a8c2109c9712d20e2fd2e0053d0 (patch) | |
| tree | bfdfa3bd8c98f23efdc9a748807679a023eef11c /release-notes-published/7.0.10.md | |
| parent | Merge pull request 'Update module golang.org/x/image to v0.23.0 (forgejo)' (#... (diff) | |
| download | forgejo-8dbd2da593a18a8c2109c9712d20e2fd2e0053d0.tar.xz forgejo-8dbd2da593a18a8c2109c9712d20e2fd2e0053d0.zip | |
chore(release-notes): keep release notes in release-notes-published
As of Forgejo 8.0.1 the release notes were only available in the
description of the corresponding milestone which is problematic for:
- searching
- safekeeping
The release-notes-published directory is created to remedy those problems:
- a copy of all those release notes from the milestones descriptions
is added.
- a reference is added to the RELEASE-NOTES.md file which will no
longer be used.
- a symbolic link to the RELEASE-NOTES.md is added for completeness.
- the release process will be updated to populate release-notes-published.
The RELEASE-NOTES.md file is kept where it is because it is referenced
by a number of URLs.
The release-notes directory would have been a better name but it is
already used for in flight release notes waiting for the next
release. Renaming this directory or changing it is rather involved.
Diffstat (limited to 'release-notes-published/7.0.10.md')
| -rw-r--r-- | release-notes-published/7.0.10.md | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/release-notes-published/7.0.10.md b/release-notes-published/7.0.10.md new file mode 100644 index 0000000000..bbdc413a44 --- /dev/null +++ b/release-notes-published/7.0.10.md @@ -0,0 +1,13 @@ +<!--start release-notes-assistant--> + +## Release notes +<!--URL:https://codeberg.org/forgejo/forgejo--> +- Security bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5719) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5723)): <!--number 5723 --><!--line 0 --><!--description Rm9yZ2VqbyBnZW5lcmF0ZXMgYSB0b2tlbiB3aGljaCBpcyB1c2VkIHRvIGF1dGhlbnRpY2F0ZSB3ZWIgZW5kcG9pbnRzIHRoYXQgYXJlIG9ubHkgbWVhbnQgdG8gYmUgdXNlZCBpbnRlcm5hbGx5LCBmb3IgaW5zdGFuY2Ugd2hlbiB0aGUgU1NIIGRhZW1vbiBpcyB1c2VkIHRvIHB1c2ggYSBjb21taXQgd2l0aCBHaXQuIFRoZSB2ZXJpZmljYXRpb24gb2YgdGhpcyB0b2tlbiB3YXMgbm90IGRvbmUgaW4gY29uc3RhbnQgdGltZSBhbmQgd2FzIHN1c2NlcHRpYmxlIHRvIFt0aW1pbmcgYXR0YWNrc10oaHR0cHM6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvVGltaW5nX2F0dGFjaykuIEEgcHJlLWNvbmRpdGlvbiBmb3Igc3VjaCBhbiBhdHRhY2sgaXMgdGhlIHByZWNpc2UgbWVhc3VyZW1lbnRzIG9mIHRoZSB0aW1lIGZvciBlYWNoIG9wZXJhdGlvbi4gU2luY2UgaXQgcmVxdWlyZXMgb2JzZXJ2aW5nIHRoZSB0aW1pbmcgb2YgbmV0d29yayBvcGVyYXRpb25zLCB0aGUgaXNzdWUgaXMgbWl0aWdhdGVkIHdoZW4gYSBGb3JnZWpvIGluc3RhbmNlIGlzIGFjY2Vzc2VkIG92ZXIgdGhlIGludGVybmV0IGJlY2F1c2UgdGhlIElTUCBpbnRyb2R1Y2UgdW5wcmVkaWN0YWJsZSByYW5kb20gZGVsYXlzLg==-->Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.<!--description--> + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5718) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5720)): <!--number 5720 --><!--line 0 --><!--description QmVjYXVzZSBvZiBhIG1pc3NpbmcgcGVybWlzc2lvbiBjaGVjaywgdGhlIGJyYW5jaCB1c2VkIHRvIHByb3Bvc2UgYSBwdWxsIHJlcXVlc3QgdG8gYSByZXBvc2l0b3J5IGNhbiBhbHdheXMgYmUgZGVsZXRlZCBieSB0aGUgdXNlciBwZXJmb3JtaW5nIHRoZSBtZXJnZS4gSXQgd2FzIGZpeGVkIHNvIHRoYXQgc3VjaCBhIGRlbGV0aW9uIGlzIG9ubHkgYWxsb3dlZCBpZiB0aGUgdXNlciBwZXJmb3JtaW5nIHRoZSBtZXJnZSBoYXMgd3JpdGUgcGVybWlzc2lvbiB0byB0aGUgcmVwb3NpdG9yeSBmcm9tIHdoaWNoIHRoZSBwdWxsIHJlcXVlc3Qgd2FzIG1hZGUu-->Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.<!--description--> +- Localization + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5182) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5401)): <!--number 5401 --><!--line 0 --><!--description VHJhbnNsYXRpb24gYmFja3BvcnRzIHRvIHY3-->Translation backports to v7<!--description--> +- Included for completeness but not worth a release note + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5725): <!--number 5725 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTAuOS4zIFtTRUNVUklUWV0gKHY3LjAvZm9yZ2Vqbyk=-->Update dependency mermaid to v10.9.3 [SECURITY] (v7.0/forgejo)<!--description--> + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5241): <!--number 5241 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjIuNyAodjcuMC9mb3JnZWpvKQ==-->Update dependency go to v1.22.7 (v7.0/forgejo)<!--description--> +<!--end release-notes-assistant--> |