peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jojo/release-notes-published/15.0.1.md
forgejo-release-manager 993b419fe3 chore(release-notes): Forgejo v15.0.1 (#12314) 
https://codeberg.org/forgejo/forgejo/milestone/76566
Co-authored-by: viceice <michael.kriese@gmx.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12314
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2026-04-29 14:37:45 +02:00

7.9 KiB
Raw Permalink Blame History

Release notes

  • Security bug fixes
    • PR: When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.
  • Localization
    • Backport of translations from Codeberg Translate: #12306 (backport of #12128)
  • Bug fixes
    • PR (backported): fix: always include files set to be detectable for language stats
    • PR (backported): Exclude SSH certificate principals from output when viewing user's SSH keys
  • Included for completeness but not user-facing (chores, etc.)
    • PR (backported): Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.6.0 (forgejo)
    • PR (backported): fix: allow viewing Actions run triggered by deleted user
    • PR: Update dependency postcss to v8.5.10 [SECURITY] (v15.0/forgejo)
    • PR: Update module github.com/jackc/pgx/v5 to v5.9.2 [SECURITY] (v15.0/forgejo)
    • PR (backported): fix: compare branches with names diff or patch
    • PR (backported): fix: resolve outer workflow call to success, not failure, on inner job skip
    • PR: Update module golang.org/x/image to v0.39.0 (v15.0/forgejo)
    • PR (backported): fix: secret name-prefix regex
    • PR (backported): fix(ui): allow creating files with name starting with dash
    • PR (backported): fix: CodeMirror e2e test
    • PR (backported): fix(i18n): don't log harmless missing translations as errors
    • PR: Update github.com/go-git/go-git/v5 (indirect) to v5.18.0 [SECURITY] (v15.0/forgejo) - autoclosed
    • PR: chore: bump xorm to v1.3.9-forgejo.11
    • PR (backported): fix: make /repos/search?uid=-2 return zero results, no repos with that owner
    • PR (backported): fix: continued API response processing after error in /repos/search API