0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-21 23:03:04 -05:00

[DOCS] RELEASE-NOTES.md (squash) 1.20.5-0 is a security release

This commit is contained in:
Loïc Dachary 2023-10-05 09:53:42 +02:00
parent ce5541c78b
commit 5dd66c06e3
No known key found for this signature in database
GPG key ID: 992D23B392F9E4F2

View file

@ -36,16 +36,20 @@ $ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.4-1..v1.20.5-0
```
This stable release includes bug fixes.
This stable release contains **important security fixes**, as explained in the [v1.20.5-0 companion blog post](https://forgejo.org/2023-10-release-v1205-0/).
* Recommended Action
We recommend that all Forgejo installations are [upgraded](https://forgejo.org/docs/v1.20/admin/upgrade/) to the latest version.
We **strongly recommend** that all Forgejo installations are [upgraded](https://forgejo.org/docs/v1.20/admin/upgrade/) to the latest version as soon as possible.
* [Forgejo Semantic Version](https://forgejo.org/docs/v1.20/user/semver/)
The semantic version was updated to `5.0.5+0-gitea-1.20.5`
* Security fix
* When a user logs into Forgejo, they can click the **Remember This Device** checkbox and their browser will store a **Long-term authentication** token provided by the server, in a cookie that will allow them to stay logged in for an extended period of time. The implementation was inherently insecure and was [reworked](https://codeberg.org/forgejo/forgejo/commit/51988ef52bc93b63184d28395d10bf3b76914ad0). Read more about this issue in the [v1.20.5-0 blog post](https://forgejo.org/2023-10-release-v1205-0/).
* Bug fixes
The most prominent ones are described here, others can be found in the list of commits included in the release as described above.