jojo/release-notes-published/11.0.14.md
2026-05-12 09:08:47 +02:00

Release notes

  • Security bug fixes
    • PR: fix: prevent git write to wiki repo from unauthorized user via git HTTP
    • PR: fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
    • PR: fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
    • PR: fix: implementing missing OAuth validation checks, improve protections against race conditions
    • PR: fix: prevent OAuth redirect URI spoofing via non-ascii case collision
    • PR: fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks
  • Included for completeness but not user-facing (chores, etc.)
    • PR: Update dependency mermaid to v11.15.0 [SECURITY] (v11.0/forgejo)
    • PR: Update module golang.org/x/net to v0.53.0 [SECURITY] (v11.0/forgejo)