mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
chore(release-notes): Forgejo v11.0.13 [skip ci] (#12312)
https://codeberg.org/forgejo/forgejo/milestone/75468
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12312
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
This commit is contained in:
parent
733a390ecd
commit
7d2a9bb0fc
1 changed files with 15 additions and 0 deletions
15
release-notes-published/11.0.13.md
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
|
||||
|
||||
<!--start release-notes-assistant-->
|
||||
|
||||
## Release notes
|
||||
<!--URL:https://codeberg.org/forgejo/forgejo-->
|
||||
- Security bug fixes
|
||||
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12295): <!--number 12295 --><!--line 0 --><!--description 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-->When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.<!--description-->
|
||||
- Included for completeness but not user-facing (chores, etc.)
|
||||
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12156) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12315)): <!--number 12315 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNi4wIChmb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.6.0 (forgejo)<!--description-->
|
||||
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12253): <!--number 12253 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgcG9zdGNzcyB0byB2OC41LjEwIFtTRUNVUklUWV0gKHYxMS4wL2Zvcmdlam8p-->Update dependency postcss to v8.5.10 [SECURITY] (v11.0/forgejo)<!--description-->
|
||||
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12222): <!--number 12222 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzkuMCBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update module golang.org/x/image to v0.39.0 [SECURITY] (v11.0/forgejo)<!--description-->
|
||||
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12175): <!--number 12175 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWdpdC9nby1naXQvdjUgdG8gdjUuMTguMCBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKSAtIGF1dG9jbG9zZWQ=-->Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (v11.0/forgejo) - autoclosed<!--description-->
|
||||
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12144) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12148)): <!--number 12148 --><!--line 0 --><!--description Zml4OiBtYWtlIC9yZXBvcy9zZWFyY2g/dWlkPS0yIHJldHVybiB6ZXJvIHJlc3VsdHMsIG5vIHJlcG9zIHdpdGggdGhhdCBvd25lcg==-->fix: make /repos/search?uid=-2 return zero results, no repos with that owner<!--description-->
|
||||
<!--end release-notes-assistant-->
|
||||
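Review bot: the three dependency bumps titled [SECURITY] (postcss to v8.5.10, golang.org/x/image to v0.39.0, go-git/v5 to v5.18.0) sit under "Included for completeness but not user-facing (chores, etc.)", so an operator who reads only "Security bug fixes" to decide how urgently to upgrade sees a single item. Consider listing them, or at least adding a one-line pointer to them, under the security heading. The go-git entry's title ends in "- autoclosed" and, unlike the 12156 and 12144 entries, it carries no backported link, so it is worth confirming that PR 12175 is the change that actually landed on v11.0 before publishing it as included. In the 12295 entry, "The issue is being fixed by restricting the scope" reads as work in progress; for a published release note "is fixed by" would be clearer, and the entry would help administrators more if it stated which versions are affected.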