0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-22 23:33:15 -05:00
forgejo/release-notes-published/9.0.1.md
Earl Warren 8dbd2da593
chore(release-notes): keep release notes in release-notes-published
As of Forgejo 8.0.1 the release notes were only available in the
description of the corresponding milestone which is problematic for:

- searching
- safekeeping

The release-notes-published directory is created to remedy those problems:

- a copy of all those release notes from the milestones descriptions
  is added.
- a reference is added to the RELEASE-NOTES.md file which will no
  longer be used.
- a symbolic link to the RELEASE-NOTES.md is added for completeness.
- the release process will be updated to populate release-notes-published.

The RELEASE-NOTES.md file is kept where it is because it is referenced
by a number of URLs.

The release-notes directory would have been a better name but it is
already used for in flight release notes waiting for the next
release. Renaming this directory or changing it is rather involved.
2024-12-05 17:46:14 +01:00

9.9 KiB

Release notes

  • Security bug fixes
    • PR (backported): Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
    • PR (backported): Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.
  • Bug fixes
    • PR (backported): Fix boolean inputs in workflow_dispatch
    • PR (backported): package arch database not updating when uploading "any" architecture
    • PR (backported): correct SQL query for active issues
    • PR (backported): specify default value for EXPLORE_DEFAULT_SORT.
    • PR (backported): fix: Add recentupdated as recognized sort option
    • PR: Update dependency mermaid to v11.3.0 (v9.0/forgejo)
    • PR (backported): Dockerfile: use alpine:3.20 instead of golang:1.23-alpine3.20
    • PR (backported): Dockerfile: unnecessary container image layer duplication
    • PR: commit Always update expiration time when creating an artifact
    • PR: commit Update scheduled tasks even if changes are pushed by "ActionsUser"
    • PR: commit Fix disable 2fa bug
  • Localization
    • PR (backported): i18n: update of translations from Codeberg Translate
  • Included for completeness but not worth a release note
    • PR (backported): fix: use buffered iterate for debian searchpackages
    • PR (backported): fix: make branch protection work for new branches
    • PR (backported): link to security policy in security.txt
    • PR (backported): fix: don't show truncated comments in RSS/Atom feeds
    • PR (backported): fix: typo on releases for source code downloads
    • PR (backported): Revert "add gap between branch dropdown and PR button"
    • PR (backported): fix: Don't double escape delete branch text
    • PR (backported): fix: Add server logging for OAuth server errors
    • PR (backported): forgejo-cli is now a symlink and cannot be used for sanity checks
    • PR (backported): fix: correct documentation for non 200 responses in swagger