0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-22 15:23:14 -05:00
forgejo/release-notes-published/7.0.11.md
Earl Warren 8dbd2da593
chore(release-notes): keep release notes in release-notes-published
As of Forgejo 8.0.1 the release notes were only available in the
description of the corresponding milestone which is problematic for:

- searching
- safekeeping

The release-notes-published directory is created to remedy those problems:

- a copy of all those release notes from the milestones descriptions
  is added.
- a reference is added to the RELEASE-NOTES.md file which will no
  longer be used.
- a symbolic link to the RELEASE-NOTES.md is added for completeness.
- the release process will be updated to populate release-notes-published.

The RELEASE-NOTES.md file is kept where it is because it is referenced
by a number of URLs.

The release-notes directory would have been a better name but it is
already used for in flight release notes waiting for the next
release. Renaming this directory or changing it is rather involved.
2024-12-05 17:46:14 +01:00

8.5 KiB

Release notes

  • Security bug fixes
    • PR (backported): commit it was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer possible to use a token for an action that is different from its original purpose.
    • PR (backported): commit a fork of a public repository would show in the list of forks, even if its owner was not a public user or organization. Such a fork is now hidden from the list of forks of the public repository.
    • PR (backported): commit the members of an organization team with read access to a repository (e.g. to read issues) but no read access to the code could read the RSS or atom feeds which include the commit activity. Reading the RSS or atom feeds is now denied unless the team has read permissions on the code.
    • PR (backported): commit the tokens used when replying by email to issues or pull requests were weaker than the rfc2104 recommendations. The tokens are now truncated to 128 bits instead of 80 bits. It is no longer possible to reply to emails sent before the upgrade because the weaker tokens are invalid.
    • PR (backported): commit a registered user could modify the update frequency of any push mirror (e.g. every 4h instead of every 8h). They are now only able to do that if they have administrative permissions on the repository.
    • PR (backported): commit it was possible to use basic authorization (i.e. user:password) for requests to the API even when security keys were enrolled for a user. It is no longer possible, an application token must be used instead.
    • PR (backported): commit some markup sanitation rules were not as strong as they could be (e.g. allowing emoji somethingelse as well as emoji). The rules are now stricter and do not allow for such cases.
    • PR (backported): commit when Forgejo is configured to enable instance wide search (e.g. with bleve), results found in the repositories of private or limited users were displayed to anonymous visitors. The results found in private or limited organizations were not displayed. The search results found in the repositories of private or limited user are no longer displayed to anonymous visitors.