mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-21 12:44:49 -05:00
8dbd2da593
As of Forgejo 8.0.1 the release notes were only available in the description of the corresponding milestone which is problematic for: - searching - safekeeping The release-notes-published directory is created to remedy those problems: - a copy of all those release notes from the milestones descriptions is added. - a reference is added to the RELEASE-NOTES.md file which will no longer be used. - a symbolic link to the RELEASE-NOTES.md is added for completeness. - the release process will be updated to populate release-notes-published. The RELEASE-NOTES.md file is kept where it is because it is referenced by a number of URLs. The release-notes directory would have been a better name but it is already used for in flight release notes waiting for the next release. Renaming this directory or changing it is rather involved.
9.9 KiB
9.9 KiB
Release notes
- Security bug fixes
- PR (backported): Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
- PR (backported): Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.
- Bug fixes
- PR (backported): Fix boolean inputs in workflow_dispatch
- PR (backported): package arch database not updating when uploading "any" architecture
- PR (backported): correct SQL query for active issues
- PR (backported): specify default value for
EXPLORE_DEFAULT_SORT. - PR (backported): fix: Add
recentupdatedas recognized sort option - PR: Update dependency mermaid to v11.3.0 (v9.0/forgejo)
- PR (backported): Dockerfile: use alpine:3.20 instead of golang:1.23-alpine3.20
- PR (backported): Dockerfile: unnecessary container image layer duplication
- PR: commit Always update expiration time when creating an artifact
- PR: commit Update scheduled tasks even if changes are pushed by "ActionsUser"
- PR: commit Fix disable 2fa bug
- Localization
- PR (backported): i18n: update of translations from Codeberg Translate
- Included for completeness but not worth a release note
- PR (backported): fix: use buffered iterate for debian searchpackages
- PR (backported): fix: make branch protection work for new branches
- PR (backported): link to security policy in security.txt
- PR (backported): fix: don't show truncated comments in RSS/Atom feeds
- PR (backported): fix: typo on releases for source code downloads
- PR (backported): Revert "add gap between branch dropdown and PR button"
- PR (backported): fix: Don't double escape delete branch text
- PR (backported): fix: Add server logging for OAuth server errors
- PR (backported): forgejo-cli is now a symlink and cannot be used for sanity checks
- PR (backported): fix: correct documentation for non 200 responses in swagger