From 835e72b247935b9f40d7e6251a70b173918b7498 Mon Sep 17 00:00:00 2001 From: forgejo-release-manager Date: Thu, 12 Dec 2024 18:13:29 +0000 Subject: [PATCH] chore(release-notes): Forgejo v9.0.3 (#6256) https://codeberg.org/forgejo/forgejo/milestone/8833 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6256 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: forgejo-release-manager Co-committed-by: forgejo-release-manager --- release-notes-published/9.0.3.md | 39 ++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 release-notes-published/9.0.3.md diff --git a/release-notes-published/9.0.3.md b/release-notes-published/9.0.3.md new file mode 100644 index 0000000000..06ab9f152a --- /dev/null +++ b/release-notes-published/9.0.3.md 
@@ -0,0 +1,39 @@ + + + + +## Release notes + +- Security bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6248) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6253)): When Forgejo is configured to run the internal ssh server with `[server].START_SSH_SERVER=true`, it was possible for a registered user to impersonate another user. The rootless container image uses the internal ssh server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal ssh server by default and was not vulnerable. The incorrect use of the crypto package is the root cause of the vulnerability and was fixed for the internal ssh server. + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6249) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6251)): Revert "allow synchronizing user status from OAuth2 login providers" +- User Interface bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6104): Fix wiki search overflowing on wide screens (#6047) +- Bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6097) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6168)): Do not rewrite ssh keys files when deleting a user without one + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6124) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6129)): fix: doctor fails with pq: syntax error at or near "." 
whilst counting Authorization token without existing User + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6054) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6057)): fix: Do not delete global Oauth2 applications +- Other changes without a feature or bug label + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6064): [gitea] week 2024-48-v9.0 cherry pick (gitea/main -> v9.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5998): [commit](https://codeberg.org/forgejo/forgejo/commit/53c546951115d9e269a2778f90e43b0cb413eab6) Strict matching of allowed content for sanitizer for asciicast and csv rendering +- Included for completeness but not worth a release note + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6247): Update module golang.org/x/crypto to v0.31.0 (v9.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6223) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6231)): chore(ci): set the milestone when a pull request is closed (take 4) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6219) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6225)): chore(ci): set the milestone when a pull request is open (take 3) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6211) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6217)): chore(ci): set the milestone when a pull request is open + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6176): Update dependency @github/relative-time-element to v4.4.4 (v9.0/forgejo) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6152) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6155)): fix: remove softbreak from github legacy callout + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6144) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6149)): fix: correct permission loading for limited organisation + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6128) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6131)): fix: clean up log 
files that no longer exist + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6114) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6127)): fix: return correct type in `GetSubModule` + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6050) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6092)): Improve Swagger documentation for user endpoints + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6084) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6085)): fix: normalize guessed languages from enry + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6052) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6070)): Show page titles in wiki search results (#6048) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6060): i18n: backport of translation updates 5754, 5845, 5960 + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6034) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6035)): chore(ci): remove unused experimental DNS updates + - [PR](https://codeberg.org/forgejo/forgejo/pulls/6013) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6016)): fix(test): TestGitAttributeCheckerError must allow broken pipe + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5996) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6005)): fix: check read permissions for code owner review requests + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5989) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6004)): fix: use better code to group UID and stopwatches + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5991) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5993)): fix: api repo compare with commit hashes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/5986) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5992)): bug: correctly generate oauth2 jwt signing key +
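Review bot: In the "Security bug fixes" section, the second entry (pulls/6249) gives only the title `Revert "allow synchronizing user status from OAuth2 login providers"` and no statement of impact, so an administrator cannot tell which instances were affected or what the exposure was. Add a sentence describing the affected configuration and what the revert changes, as the first entry does for `[server].START_SSH_SERVER=true`. The first entry names "the incorrect use of the crypto package" as the root cause, while "Update module golang.org/x/crypto to v0.31.0" (pulls/6247) is filed under "Included for completeness but not worth a release note". State whether that dependency update is part of the fix or cross-reference the two entries, and say explicitly that instances using the internal ssh server should upgrade. The placement of "fix: check read permissions for code owner review requests" (pulls/5996) and "fix: correct permission loading for limited organisation" (pulls/6144) under "not worth a release note" also deserves a second look, since both titles describe permission checks that operators may want to know about.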