From 403a81bdb50db190fb1374396d4768d753e0f3cd Mon Sep 17 00:00:00 2001 From: forgejo-release-manager Date: Thu, 12 Dec 2024 18:13:38 +0000 Subject: [PATCH] chore(release-notes): Forgejo v7.0.12 (#6255) https://codeberg.org/forgejo/forgejo/milestone/8832 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6255 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: forgejo-release-manager Co-committed-by: forgejo-release-manager --- release-notes-published/7.0.12.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 release-notes-published/7.0.12.md diff --git a/release-notes-published/7.0.12.md b/release-notes-published/7.0.12.md new file mode 100644 index 0000000000..b382d82bbe --- /dev/null +++ b/release-notes-published/7.0.12.md 
@@ -0,0 +1,18 @@ + + + + +## Release notes + +- Security bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6248) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6252)): When Forgejo is configured to run the internal ssh server with `[server].START_SSH_SERVER=true`, it was possible for a registered user to impersonate another user. The rootless container image uses the internal ssh server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal ssh server by default and was not vulnerable. The incorrect use of the crypto package is the root cause of the vulnerability and was fixed for the internal ssh server. +- Bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6124) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6132)): fix: doctor fails with pq: syntax error at or near "." whilst counting Authorization token without existing User + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6054) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6056)): fix: Do not delete global Oauth2 applications +- Included for completeness but not worth a release note + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6246): Update module golang.org/x/crypto to v0.31.0 (v7.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6223) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6230)): chore(ci): set the milestone when a pull request is closed (take 4) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6219) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6224)): chore(ci): set the milestone when a pull request is open (take 3) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6211) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6216)): chore(ci): set the milestone when a pull request is open + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6034) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6036)): chore(ci): 
remove unused experimental DNS updates +
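Review bot: In the security entry of the new `release-notes-published/7.0.12.md`, the closing sentence ("The incorrect use of the crypto package is the root cause of the vulnerability ...") does not name the package, while the `golang.org/x/crypto` update to v0.31.0 (pulls/6246) is listed under "Included for completeness but not worth a release note". A reader cannot tell from these lines whether that update is part of the fix or unrelated. Suggest naming the package in the security entry and, if the update is related, cross-referencing it there instead of leaving it only in the last section. The entry also says which deployments were vulnerable but gives no operator action and no affected version range: consider adding one sentence saying that instances with `[server].START_SSH_SERVER=true`, which includes the rootless container image by default, need this upgrade, and stating from which release the issue applies. Minor style point: "Oauth2" in the second bug fix entry would read better as "OAuth2".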