mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-26 13:29:12 -05:00
forgejo/release-notes-published/9.0.3.md
forgejo-release-manager 835e72b247 chore(release-notes): Forgejo v9.0.3 (#6256)
https://codeberg.org/forgejo/forgejo/milestone/8833
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6256
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
2024-12-12 18:13:29 +00:00

Release notes

  • Security bug fixes
    • PR (backported): When Forgejo is configured to run the internal SSH server with [server].START_SSH_SERVER=true, a registered user could impersonate another user. The rootless container image uses the internal SSH server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal SSH server by default and was not vulnerable. The root cause of the vulnerability is an incorrect use of the crypto package, which was fixed for the internal SSH server.
    • PR (backported): Revert "allow synchronizing user status from OAuth2 login providers"
  • User Interface bug fixes
    • PR: Fix wiki search overflowing on wide screens (#6047)
  • Bug fixes
    • PR (backported): Do not rewrite ssh keys files when deleting a user without one
    • PR (backported): fix: doctor fails with pq: syntax error at or near "." whilst counting Authorization token without existing User
    • PR (backported): fix: Do not delete global Oauth2 applications
  • Other changes without a feature or bug label
    • PR: [gitea] week 2024-48-v9.0 cherry pick (gitea/main -> v9.0/forgejo)
    • PR: commit Strict matching of allowed content for sanitizer for asciicast and csv rendering
  • Included for completeness but not worth a release note
    • PR: Update module golang.org/x/crypto to v0.31.0 (v9.0/forgejo)
    • PR (backported): chore(ci): set the milestone when a pull request is closed (take 4)
    • PR (backported): chore(ci): set the milestone when a pull request is open (take 3)
    • PR (backported): chore(ci): set the milestone when a pull request is open
    • PR: Update dependency @github/relative-time-element to v4.4.4 (v9.0/forgejo)
    • PR (backported): fix: remove softbreak from github legacy callout
    • PR (backported): fix: correct permission loading for limited organisation
    • PR (backported): fix: clean up log files that no longer exist
    • PR (backported): fix: return correct type in GetSubModule
    • PR (backported): Improve Swagger documentation for user endpoints
    • PR (backported): fix: normalize guessed languages from enry
    • PR (backported): Show page titles in wiki search results (#6048)
    • PR: i18n: backport of translation updates 5754, 5845, 5960
    • PR (backported): chore(ci): remove unused experimental DNS updates
    • PR (backported): fix(test): TestGitAttributeCheckerError must allow broken pipe
    • PR (backported): fix: check read permissions for code owner review requests
    • PR (backported): fix: use better code to group UID and stopwatches
    • PR (backported): fix: api repo compare with commit hashes
    • PR (backported): bug: correctly generate oauth2 jwt signing key