mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-22 23:33:15 -05:00
403a81bdb5
https://codeberg.org/forgejo/forgejo/milestone/8832 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6255 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org> Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
18 lines
3.3 KiB
Markdown
18 lines
3.3 KiB
Markdown
|
|
|
|
<!--start release-notes-assistant-->
|
|
|
|
## Release notes
|
|
<!--URL:https://codeberg.org/forgejo/forgejo-->
|
|
- Security bug fixes
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6248) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6252)): <!--number 6252 --><!--line 0 --><!--description Zml4OiBlbnN1cmUgY29ycmVjdCBzc2ggcHVibGljIGtleSBpcyB1c2VkIGZvciBhdXRoZW50aWNhdGlvbg==-->When Forgejo is configured to run the internal ssh server with `[server].START_SSH_SERVER=true`, it was possible for a registered user to impersonate another user. The rootless container image uses the internal ssh server by default and was vulnerable. A Forgejo instance running from a binary or from a root container image does not use the internal ssh server by default and was not vulnerable. The incorrect use of the crypto package is the root cause of the vulnerability and was fixed for the internal ssh server.<!--description-->
|
|
- Bug fixes
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6124) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6132)): <!--number 6132 --><!--line 0 --><!--description Zml4OiBkb2N0b3IgZmFpbHMgd2l0aCBwcTogc3ludGF4IGVycm9yIGF0IG9yIG5lYXIgIi4iIHdoaWxzdCBjb3VudGluZyBBdXRob3JpemF0aW9uIHRva2VuIHdpdGhvdXQgZXhpc3RpbmcgVXNlcg==-->fix: doctor fails with pq: syntax error at or near "." whilst counting Authorization token without existing User<!--description-->
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6054) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6056)): <!--number 6056 --><!--line 0 --><!--description Zml4OiBEbyBub3QgZGVsZXRlIGdsb2JhbCBPYXV0aDIgYXBwbGljYXRpb25z-->fix: Do not delete global Oauth2 applications<!--description-->
|
|
- Included for completeness but not worth a release note
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6246): <!--number 6246 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvY3J5cHRvIHRvIHYwLjMxLjAgKHY3LjAvZm9yZ2Vqbyk=-->Update module golang.org/x/crypto to v0.31.0 (v7.0/forgejo)<!--description-->
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6223) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6230)): <!--number 6230 --><!--line 0 --><!--description Y2hvcmUoY2kpOiBzZXQgdGhlIG1pbGVzdG9uZSB3aGVuIGEgcHVsbCByZXF1ZXN0IGlzIGNsb3NlZCAodGFrZSA0KQ==-->chore(ci): set the milestone when a pull request is closed (take 4)<!--description-->
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6219) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6224)): <!--number 6224 --><!--line 0 --><!--description Y2hvcmUoY2kpOiBzZXQgdGhlIG1pbGVzdG9uZSB3aGVuIGEgcHVsbCByZXF1ZXN0IGlzIG9wZW4gKHRha2UgMyk=-->chore(ci): set the milestone when a pull request is open (take 3)<!--description-->
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6211) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6216)): <!--number 6216 --><!--line 0 --><!--description Y2hvcmUoY2kpOiBzZXQgdGhlIG1pbGVzdG9uZSB3aGVuIGEgcHVsbCByZXF1ZXN0IGlzIG9wZW4=-->chore(ci): set the milestone when a pull request is open<!--description-->
|
|
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6034) ([backported](https://codeberg.org/forgejo/forgejo/pulls/6036)): <!--number 6036 --><!--line 0 --><!--description Y2hvcmUoY2kpOiByZW1vdmUgdW51c2VkIGV4cGVyaW1lbnRhbCBETlMgdXBkYXRlcw==-->chore(ci): remove unused experimental DNS updates<!--description-->
|
|
<!--end release-notes-assistant-->
|