mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-14 23:10:25 +00:00
https://codeberg.org/forgejo/forgejo/milestone/47802
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11582
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
32 lines
8 KiB
Markdown
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): <!--number 11515 --><!--line 0 --><!--description LSBmaXg6IFBLQ0UgY2hhbGxlbmdlcyB0byBGb3JnZWpvJ3MgT0F1dGggaWRlbnRpdHkgcHJvdmlkZXIgd2VyZSBub3QgdmFsaWRhdGVkIHdoZW4gdXNpbmcgdGhlIGBTMjU2YCBhbGdvcml0aG0=-->fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): <!--number 11515 --><!--line 1 --><!--description LSBmaXg6IEZvcmdlam8gc3VwcG9ydHMgdXNpbmcgYW4gT0F1dGggQmVhcmVyIHRva2VuIHdpdGggSFRUUCBiYXNpYyBhdXRoZW50aWNhdGlvbiwgcmF0aGVyIHRoYW4gQmVhcmVyIHRva2VuIGF1dGhlbnRpY2F0aW9uLCBidXQgZGlkIG5vdCBwcm9wZXJseSBhcHBseSB0aGUgbGltaXRlZCBzY29wZXMgb2YgdGhlIE9BdXRoIGdyYW50-->fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): <!--number 11515 --><!--line 2 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gYXR0YWNobWVudC1yZWxhdGVkIHdlYiBlbmRwb2ludHMgYWxsb3dlZCBtb2RpZnlpbmcgYXR0YWNobWVudHMgdGhhdCBhIHVzZXIgZGlkIG5vdCBvd24=-->fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): <!--number 11515 --><!--line 3 --><!--description LSBmaXg6IGVtYWlsIG5vdGlmaWNhdGlvbnMgZm9yIG5ldyByZWxlYXNlcyBjb3VsZCBiZSBzZW50IHRvIHVzZXJzIHRoYXQgbm8gbG9uZ2VyIGFjY2VzcyB0byB0aGUgcmVwb3NpdG9yeSwgb3IgdG8gaW5hY3RpdmUgdXNlcnM=-->fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): <!--number 11515 --><!--line 4 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gdXNlci9vcmctb3duZWQgcHJvamVjdHMgd291bGQgYWxsb3cgbW9kaWZpY2F0aW9ucyBvZiB0aGUgb3Blbi9jbG9zZWQgc3RhdGUgdG8gYmUgbWFkZSB0byBwcm9qZWN0cyB2aWEgaW5zZWN1cmUgZGlyZWN0IG9iamVjdCByZWZlcmVuY2Vz-->fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): <!--number 11515 --><!--line 5 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gYSB3ZWIgZW5kcG9pbnQgYWxsb3dlZCBjYW5jZWxsYXRpb24gb2YgdGhlIGF1dG9tZXJnZSBvZiBhIFBS-->fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11515): <!--number 11515 --><!--line 6 --><!--description LSBmaXg6IHByZXZlbnQgYWRkaXRpb25hbCBwYXRoLXRyYXZlcnNhbHMgaW4gcG9zdC1sb2dpbiByZWRpcmVjdCBwYXJhbWV0ZXJzIHRoYXQgYWxsb3dlZCBmb3IgYXJiaXRyYXJ5IHJlZGlyZWN0cw==-->fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects<!--description-->
- Included for completeness but not user-facing (chores, etc.)
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11526): <!--number 11526 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuOCAodjExLjAvZm9yZ2Vqbyk=-->Update dependency go to v1.25.8 (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11509): <!--number 11509 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgc3ZnbyB0byB2My4zLjMgW1NFQ1VSSVRZXSAodjExLjAvZm9yZ2Vqbyk=-->Update dependency svgo to v3.3.3 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11496): <!--number 11496 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ29sYW5nLWp3dC9qd3QvdjQgKGluZGlyZWN0KSB0byB2NC41LjIgW1NFQ1VSSVRZXSAodjExLjAvZm9yZ2Vqbyk=-->Update github.com/golang-jwt/jwt/v4 (indirect) to v4.5.2 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11495): <!--number 11495 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vY2xvdWRmbGFyZS9jaXJjbCAoaW5kaXJlY3QpIHRvIHYxLjYuMyBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update github.com/cloudflare/circl (indirect) to v1.6.3 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11473): <!--number 11473 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL2Nhc2NhZGluZy1wciBhY3Rpb24gdG8gdjIuMy4wICh2MTEuMC9mb3JnZWpvKQ==-->Update https://data.forgejo.org/actions/cascading-pr action to v2.3.0 (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11474): <!--number 11474 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuNyAodjExLjAvZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.7 (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11414): <!--number 11414 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWluaW1hdGNoIHRvIHYxMC4yLjMgW1NFQ1VSSVRZXSAodjExLjAvZm9yZ2Vqbyk=-->Update dependency minimatch to v10.2.3 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11396): <!--number 11396 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWdpdC9nby1naXQvdjUgdG8gdjUuMTYuNSBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11395): <!--number 11395 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgd2VicGFjayB0byB2NS4xMDQuMSBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update dependency webpack to v5.104.1 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11394): <!--number 11394 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWNoaS9jaGkvdjUgdG8gdjUuMi40IFtTRUNVUklUWV0gKHYxMS4wL2Zvcmdlam8p-->Update module github.com/go-chi/chi/v5 to v5.2.4 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/11167): <!--number 11167 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuNyAodjExLjAvZm9yZ2Vqbyk=-->Update dependency go to v1.25.7 (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10981): <!--number 10981 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNS4xICh2MTEuMC9mb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.5.1 (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10982): <!--number 10982 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9pbmZyYXN0cnVjdHVyZS9pc3N1ZS1hY3Rpb24gYWN0aW9uIHRvIHYxLjUuMCAodjExLjAvZm9yZ2Vqbyk=-->Update https://data.forgejo.org/infrastructure/issue-action action to v1.5.0 (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10907): <!--number 10907 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgaGFwcHktZG9tIHRvIHYyMC4wLjIgW1NFQ1VSSVRZXSAodjExLjAvZm9yZ2Vqbyk=-->Update dependency happy-dom to v20.0.2 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10879): <!--number 10879 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgaGFwcHktZG9tIHRvIHYyMCBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update dependency happy-dom to v20 [SECURITY] (v11.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/10883) ([backported](https://codeberg.org/forgejo/forgejo/pulls/10885)): <!--number 10885 --><!--line 0 --><!--description Y2k6IHRpZSBnbyBjYWNoZSB0byBnbyB2ZXJzaW9uIGFuZCBhZGQgYE1ha2VmaWxlYCB0byBrZXkgaGFzaA==-->ci: tie go cache to go version and add `Makefile` to key hash<!--description-->
<!--end release-notes-assistant-->