mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-21 23:03:04 -05:00

[DOCS] RELEASE-NOTES.md (squash) v1.21.3-0

Reword the security fix description.
Earl Warren 2023-12-22 18:42:09 +01:00
parent 5b3d2ad25c
commit 142bed073d
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00


@ -13,7 +13,7 @@ $ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.2-1..v1.21.3-0
```
This stable release includes bug fixes. It was built with an updated version of the [Go Cryptography](https://pkg.go.dev/golang.org/x/crypto) package that fixes [CVE-2023-48795](https://go.dev/issue/64784). The Forgejo security team analyzed the vulnerability and concluded it cannot be exploited when using an independent SSH server, which is the default in Forgejo. It could theoretically be exploited if Forgejo is configured to use the Go implementation with the `START_SSH_SERVER=true` setting.
This stable release includes bug fixes. It was built with an updated version of the [Go Cryptography](https://pkg.go.dev/golang.org/x/crypto) package that fixes [CVE-2023-48795](https://go.dev/issue/64784). As explained in the [corresponding Go issue](https://github.com/golang/vulndb/issues/2402): "The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel."
* Recommended Action
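Review bot: The replacement release-note sentence (the second of the two "This stable release includes bug fixes." lines) no longer says which deployments are affected. The earlier wording told operators that an independent SSH server, the default, cannot be exploited and that only the Go implementation enabled with `START_SSH_SERVER=true` is theoretically exposed. The new wording keeps only the quoted impact statement, so an administrator reading the notes cannot tell whether their configuration is the one that matters. Consider keeping a clause that names the `START_SSH_SERVER=true` case alongside the quote. Separately, the link labelled "corresponding Go issue" points to github.com/golang/vulndb/issues/2402 while the CVE link in the same sentence points to go.dev/issue/64784; make the label match its target, or link the quote to the page where it actually appears.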