1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-28 13:49:13 -05:00
forgejo/release-notes-published/7.0.10.md

14 lines
3.5 KiB
Markdown
Raw Normal View History

<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5719) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5723)): <!--number 5723 --><!--line 0 --><!--description Rm9yZ2VqbyBnZW5lcmF0ZXMgYSB0b2tlbiB3aGljaCBpcyB1c2VkIHRvIGF1dGhlbnRpY2F0ZSB3ZWIgZW5kcG9pbnRzIHRoYXQgYXJlIG9ubHkgbWVhbnQgdG8gYmUgdXNlZCBpbnRlcm5hbGx5LCBmb3IgaW5zdGFuY2Ugd2hlbiB0aGUgU1NIIGRhZW1vbiBpcyB1c2VkIHRvIHB1c2ggYSBjb21taXQgd2l0aCBHaXQuIFRoZSB2ZXJpZmljYXRpb24gb2YgdGhpcyB0b2tlbiB3YXMgbm90IGRvbmUgaW4gY29uc3RhbnQgdGltZSBhbmQgd2FzIHN1c2NlcHRpYmxlIHRvIFt0aW1pbmcgYXR0YWNrc10oaHR0cHM6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvVGltaW5nX2F0dGFjaykuIEEgcHJlLWNvbmRpdGlvbiBmb3Igc3VjaCBhbiBhdHRhY2sgaXMgdGhlIHByZWNpc2UgbWVhc3VyZW1lbnRzIG9mIHRoZSB0aW1lIGZvciBlYWNoIG9wZXJhdGlvbi4gU2luY2UgaXQgcmVxdWlyZXMgb2JzZXJ2aW5nIHRoZSB0aW1pbmcgb2YgbmV0d29yayBvcGVyYXRpb25zLCB0aGUgaXNzdWUgaXMgbWl0aWdhdGVkIHdoZW4gYSBGb3JnZWpvIGluc3RhbmNlIGlzIGFjY2Vzc2VkIG92ZXIgdGhlIGludGVybmV0IGJlY2F1c2UgdGhlIElTUCBpbnRyb2R1Y2UgdW5wcmVkaWN0YWJsZSByYW5kb20gZGVsYXlzLg==-->Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5718) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5720)): <!--number 5720 --><!--line 0 --><!--description QmVjYXVzZSBvZiBhIG1pc3NpbmcgcGVybWlzc2lvbiBjaGVjaywgdGhlIGJyYW5jaCB1c2VkIHRvIHByb3Bvc2UgYSBwdWxsIHJlcXVlc3QgdG8gYSByZXBvc2l0b3J5IGNhbiBhbHdheXMgYmUgZGVsZXRlZCBieSB0aGUgdXNlciBwZXJmb3JtaW5nIHRoZSBtZXJnZS4gSXQgd2FzIGZpeGVkIHNvIHRoYXQgc3VjaCBhIGRlbGV0aW9uIGlzIG9ubHkgYWxsb3dlZCBpZiB0aGUgdXNlciBwZXJmb3JtaW5nIHRoZSBtZXJnZSBoYXMgd3JpdGUgcGVybWlzc2lvbiB0byB0aGUgcmVwb3NpdG9yeSBmcm9tIHdoaWNoIHRoZSBwdWxsIHJlcXVlc3Qgd2FzIG1hZGUu-->Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.<!--description-->
- Localization
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5182) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5401)): <!--number 5401 --><!--line 0 --><!--description VHJhbnNsYXRpb24gYmFja3BvcnRzIHRvIHY3-->Translation backports to v7<!--description-->
- Included for completeness but not worth a release note
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5725): <!--number 5725 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTAuOS4zIFtTRUNVUklUWV0gKHY3LjAvZm9yZ2Vqbyk=-->Update dependency mermaid to v10.9.3 [SECURITY] (v7.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/5241): <!--number 5241 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjIuNyAodjcuMC9mb3JnZWpvKQ==-->Update dependency go to v1.22.7 (v7.0/forgejo)<!--description-->
<!--end release-notes-assistant-->