mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-15 07:20:26 +00:00
0e577ed6c9
https://codeberg.org/forgejo/forgejo/milestone/84479 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12536 Reviewed-by: Beowulf <beowulf@beocode.eu>
9 KiB
9 KiB
Release notes
- Security bug fixes
- PR: fix: prevent git write to wiki repo from unauthorized user via git HTTP
- PR: fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- PR: fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- PR: fix: implementing missing OAuth validation checks, improve protections against race conditions
- PR: fix: prevent OAuth redirect URI spoofing via non-ascii case collision
- PR: fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks
- User Interface bug fixes
- PR (backported): When the author of a pull request is denied the right to run Actions by clicking on the "Deny" button on the pull request trust management panel, the workflow runs created for all commits pushed to the pull request are cancelled. Before that, runs that were automatically cancelled because a newer commit was pushed to the pull request were stuck in a state waiting for approval.
- PR (backported): fix: paginate team members list
- Bug fixes
- PR (backported): When a review was created as pending and then submitted, the review request wasn't deleted. These review requests couldn't be removed, as the now existing review shadowed the review request. Now, review requests get deleted when a pending review from that reviewer gets submitted, and broken review requests in already existing data can be normally removed via the UI.
- PR (backported): fix: make package cleanup work again
- PR (backported): fix: cleanup data before migration retry
- Included for completeness but not user-facing (chores, etc.)
- PR (backported): fix(activitypub): only return public activities on request (#12382)
- PR: Update dependency mermaid to v11.15.0 [SECURITY] (v15.0/forgejo)
- PR: chore: PGP sign .well-known/security.txt [skip ci]
- PR: Update module golang.org/x/net to v0.53.0 [SECURITY] (v15.0/forgejo)
- PR (backported): [pagure] ensure moving all commits in a pull request
- PR (backported): refactor: clarify four different outputs that authentication methods provide
- PR (backported): refactor: change authentication to return structured data
- PR: Update go toolchain directive to v1.26.3 (v15.0/forgejo)
- PR (backported): fix: get tag must return the tag signature instead of commit signature
- PR (backported): fix: set
repo_idfor migrated attachment - PR (backported): fix(oauth): only accept refresh tokens as refresh tokens