chore(release-notes): Forgejo v14.0.5 [skip ci] (#12313)

https://codeberg.org/forgejo/forgejo/milestone/75498
Co-authored-by: viceice <michael.kriese@gmx.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12313
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
forgejo-release-manager 2026-04-29 14:37:20 +02:00 committed by Michael Kriese
parent 7d2a9bb0fc
commit cc5f118af8


@ -0,0 +1,17 @@
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12294): <!--number 12294 --><!--line 0 --><!--description V2hlbiBhIHB1bGwgcmVxdWVzdCBpcyBvcGVuZWQsIHRoZSBhdXRob3IgaXMgYWJsZSB0byBtYXJrIHRoYXQgcHVsbCByZXF1ZXN0IHRvICJBbGxvdyBlZGl0cyBmcm9tIG1haW50YWluZXJzIiwgd2hpY2ggZ3JhbnRzIHRoZSBtYWludGFpbmVycyBvZiB0aGUgcHVsbCByZXF1ZXN0J3MgcmVwbyBhY2Nlc3MgdG8gZWRpdCB0aGUgcHVsbCByZXF1ZXN0IGJyYW5jaCBjb250ZW50cy4gIEl0IGlzIHBvc3NpYmxlIHRvIGNyZWF0ZSBhIHB1bGwgcmVxdWVzdCB3aGVyZSB0aGUgcHVsbCByZXF1ZXN0IGF1dGhvciBkb2VzIG5vdCBoYXZlIHRoZSBhYmlsaXR5IHRvIGVkaXQgdGhlIHB1bGwgcmVxdWVzdCBicmFuY2guICBEdWUgdG8gYSBtaXNzaW5nIHNlY3VyaXR5IGNoZWNrIGZvciB0aGlzIGNhc2UsIG1haW50YWluZXJzIG9mIHRoZSBwdWxsIHJlcXVlc3QgcmVwbyB3b3VsZCBiZSBncmFudGVkIHRoZSBhYmlsaXR5IHRvIGVkaXQgdGhlIHB1bGwgcmVxdWVzdCBicmFuY2gsIGV2ZW4gaWYgdGhlIGF1dGhvciBvZiB0aGUgcHVsbCByZXF1ZXN0IGRpZCBub3QgaGF2ZSB0aGF0IGFiaWxpdHkuICBCeSBleHBsb2l0aW5nIHRoaXMgbWlzc2luZyBzZWN1cml0eSBjaGVjaywgYSB1c2VyIGNhbiBlZGl0IGFueSBicmFuY2ggaW4gYSByZXBvc2l0b3J5IGlmIHRoZXkncmUgYWJsZSB0byBmb3JrIHRoYXQgcmVwb3NpdG9yeS4gIFRoZSBpc3N1ZSBpcyBiZWluZyBmaXhlZCBieSByZXN0cmljdGluZyB0aGUgc2NvcGUgb2YgIkFsbG93IGVkaXRzIGZyb20gbWFpbnRhaW5lcnMiIHRvIG9ubHkgZ3JhbnQgdGhhdCBhY2Nlc3MgaWYgdGhlIHB1bGwgcmVxdWVzdCBhdXRob3IgYWxzbyBoYWQgYWNjZXNzIHRvIGVkaXQgdGhlIGJyYW5jaC4=-->When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. 
The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.<!--description-->
- Localization
- Backport of translations from Codeberg Translate: [#12305](https://codeberg.org/forgejo/forgejo/pulls/12305) (backport of [#12128](https://codeberg.org/forgejo/forgejo/pulls/12128))
- Included for completeness but not user-facing (chores, etc.)
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12156) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12316)): <!--number 12316 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNi4wIChmb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.6.0 (forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12254): <!--number 12254 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgcG9zdGNzcyB0byB2OC41LjEwIFtTRUNVUklUWV0gKHYxNC4wL2Zvcmdlam8p-->Update dependency postcss to v8.5.10 [SECURITY] (v14.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12223): <!--number 12223 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzkuMCBbU0VDVVJJVFldICh2MTQuMC9mb3JnZWpvKQ==-->Update module golang.org/x/image to v0.39.0 [SECURITY] (v14.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12176): <!--number 12176 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tZ2l0L2dvLWdpdC92NSAoaW5kaXJlY3QpIHRvIHY1LjE4LjAgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2VqbykgLSBhdXRvY2xvc2Vk-->Update github.com/go-git/go-git/v5 (indirect) to v5.18.0 [SECURITY] (v14.0/forgejo) - autoclosed<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12133): <!--number 12133 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2phY2tjL3BneC92NSB0byB2NS45LjAgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2Vqbyk=-->Update module github.com/jackc/pgx/v5 to v5.9.0 [SECURITY] (v14.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/12144) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12149)): <!--number 12149 --><!--line 0 --><!--description Zml4OiBtYWtlIC9yZXBvcy9zZWFyY2g/dWlkPS0yIHJldHVybiB6ZXJvIHJlc3VsdHMsIG5vIHJlcG9zIHdpdGggdGhhdCBvd25lcg==-->fix: make /repos/search?uid=-2 return zero results, no repos with that owner<!--description-->
<!--end release-notes-assistant-->
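Review bot: The four dependency updates tagged [SECURITY] (postcss v8.5.10, golang.org/x/image v0.39.0, go-git v5.18.0, pgx v5.9.0) are filed under "Included for completeness but not user-facing (chores, etc.)", so an administrator who reads only "Security bug fixes" sees a single entry, PR 12294. Consider listing them, or adding a one-line pointer to them, under the security heading. The go-git entry also still carries the "- autoclosed" suffix from its PR title, which leaves it unclear whether v5.18.0 is actually part of this release; drop the suffix or state the outcome. In the PR 12294 entry, "The issue is being fixed" would read better as "is fixed" for a shipped release, and the line break before that sentence splits the description across two lines.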