jojo/services at 32b8d732b81f8fffdea787bee044b59a03d10547 - peezy-tech/jojo

mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00

History

Mathieu Fenniak 32b8d732b8 2026-05-12 security patches (#12493 ) - fix: prevent git write to wiki repo from unauthorized user via git HTTP - fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo - fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...) - fix: implementing missing OAuth validation checks, improve protections against race conditions - fix: prevent OAuth redirect URI spoofing via non-ascii case collision - fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Security bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/12493): <!--number 12493 --><!--line 0 --><!--description MjAyNi0wNS0xMiBzZWN1cml0eSBwYXRjaGVz-->2026-05-12 security patches<!--description--> <!--end release-notes-assistant--> Co-authored-by: Derzsi Dániel <daniel@tohka.us> Co-authored-by: jvoisin <julien.voisin@dustri.org> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12493		2026-05-12 04:54:25 +02:00
..
actions	fix: wipe run artifacts before rerun (#12523 )	2026-05-11 21:45:56 +02:00
agit	chore: fix typos throughout the codebase (#10753 )	2026-01-26 22:57:33 +01:00
asymkey	fix: cleanup data before migration retry (#12370 )	2026-05-05 12:41:42 +02:00
attachment	fix: check that attachments belong to correct resource	2026-03-06 11:21:07 -07:00
auth	feat: allow Authorized Integrations to have multiple values for a claim match (#12482 )	2026-05-10 04:52:02 +02:00
authz	feat: add CLI command 'admin user create-authorized-integration' (#12299 )	2026-04-28 21:32:45 +02:00
automerge	fix: apply signed-merge checks by merge style (#11403 )	2026-04-09 20:26:27 +02:00
context	2026-05-12 security patches (#12493 )	2026-05-12 04:54:25 +02:00
contexttest	feat: add more filters to actions run and tasks api (#11584 )	2026-03-10 01:20:00 +01:00
convert	fix(activitypub): only return public activities on request (#12382 )	2026-05-09 05:02:57 +02:00
cron	fix: cleanup data before migration retry (#12370 )	2026-05-05 12:41:42 +02:00
doctor	fix: cleanup data before migration retry (#12370 )	2026-05-05 12:41:42 +02:00
externalaccount	chore(cleanup): replaces unnecessary calls to formatting functions by non-formatting equivalents (#7994 )	2025-05-29 17:34:29 +02:00
f3	chore: update gof3/v3 v3.11.15 (#10673 )	2026-01-13 16:59:56 +01:00
federation	fix(activitypub): only return public activities on request (#12382 )	2026-05-09 05:02:57 +02:00
feed	chore: fix typos throughout the codebase (#10753 )	2026-01-26 22:57:33 +01:00
forgejo	chore: move all test blank imports in a single package (#10662 )	2026-01-02 05:32:32 +01:00
forms	fix: when reviewing in PRs, make comments relative to viewed base & head, not just viewed head (#12107 )	2026-04-14 17:18:14 +02:00
gitdiff	fix: relocate PR review comments using `git blame --reverse`, improving comment placement (#12015 )	2026-04-11 21:45:39 +02:00
indexer	fix(issue-search): delete issue from indexer on DeleteIssue (#11585 )	2026-03-09 18:51:18 +01:00
issue	chore: add modernizer linter (#11936 )	2026-04-02 03:29:37 +02:00
lfs	2026-05-12 security patches (#12493 )	2026-05-12 04:54:25 +02:00
mailer	fix: when reviewing in PRs, make comments relative to viewed base & head, not just viewed head (#12107 )	2026-04-14 17:18:14 +02:00
markup	chore: remove branding from context imports (#9628 )	2025-10-11 01:52:51 +02:00
migrations	fix: ensure moving all commits in a pull request for pagure migration (#12433 )	2026-05-08 04:43:33 +02:00
mirror	fix: store pull mirror creds encrypted with keying (#11909 )	2026-04-04 13:53:22 +02:00
moderation	chore: move all test blank imports in a single package (#10662 )	2026-01-02 05:32:32 +01:00
notify	fix(issue-search): delete issue from indexer on DeleteIssue (#11585 )	2026-03-09 18:51:18 +01:00
org	fix: add missing deleting beans for organizations (#11699 )	2026-03-17 09:11:52 +01:00
packages	fix: make package cleanup work again (#12446 )	2026-05-07 18:10:02 +02:00
pull	fix: verify PR author has write access to head to support allow maintainers edit (#12292 )	2026-04-29 05:26:22 +02:00
redirect	chore: move all test blank imports in a single package (#10662 )	2026-01-02 05:32:32 +01:00
release	fix: don't trip deleting attachment with missing permission error (#11642 )	2026-03-12 20:29:10 +01:00
remote	chore: fix typos throughout the codebase (#10753 )	2026-01-26 22:57:33 +01:00
repository	fix: cleanup data before migration retry (#12370 )	2026-05-05 12:41:42 +02:00
secrets	feat: allow renaming and replacing secrets (#11732 )	2026-03-23 03:30:02 +01:00
shared/automerge	fix: suppress false-positive error log when PR is already in the automerge queue (#9784 )	2025-10-21 08:19:33 +02:00
stats	chore: fix typos throughout the codebase (#10753 )	2026-01-26 22:57:33 +01:00
task	fix: cleanup data before migration retry (#12370 )	2026-05-05 12:41:42 +02:00
uinotification	chore: branding import path (#7337 )	2025-03-27 19:40:14 +00:00
user	refactor: replace ActionRunnerToken.OwnerID & RepoID with optional.Option[int64] (#11601 )	2026-03-10 03:19:16 +01:00
webhook	chore: add modernizer linter (#11936 )	2026-04-02 03:29:37 +02:00
wiki	feat: replace repo based server-side hooks with centralised hooks (#10397 )	2026-04-27 22:34:46 +02:00