Skip to content

Latest commit

 

History

History
33 lines (32 loc) · 9.86 KB

9.0.1.md

File metadata and controls

33 lines (32 loc) · 9.86 KB

Release notes

  • Security bug fixes
    • PR (backported): Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
    • PR (backported): Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.
  • Bug fixes
    • PR (backported): Fix boolean inputs in workflow_dispatch
    • PR (backported): package arch database not updating when uploading "any" architecture
    • PR (backported): correct SQL query for active issues
    • PR (backported): specify default value for EXPLORE_DEFAULT_SORT.
    • PR (backported): fix: Add recentupdated as recognized sort option
    • PR: Update dependency mermaid to v11.3.0 (v9.0/forgejo)
    • PR (backported): Dockerfile: use alpine:3.20 instead of golang:1.23-alpine3.20
    • PR (backported): Dockerfile: unnecessary container image layer duplication
    • PR: commit Always update expiration time when creating an artifact
    • PR: commit Update scheduled tasks even if changes are pushed by "ActionsUser"
    • PR: commit Fix disable 2fa bug
  • Localization
    • PR (backported): i18n: update of translations from Codeberg Translate
  • Included for completeness but not worth a release note
    • PR (backported): fix: use buffered iterate for debian searchpackages
    • PR (backported): fix: make branch protection work for new branches
    • PR (backported): link to security policy in security.txt
    • PR (backported): fix: don't show truncated comments in RSS/Atom feeds
    • PR (backported): fix: typo on releases for source code downloads
    • PR (backported): Revert "add gap between branch dropdown and PR button"
    • PR (backported): fix: Don't double escape delete branch text
    • PR (backported): fix: Add server logging for OAuth server errors
    • PR (backported): forgejo-cli is now a symlink and cannot be used for sanity checks
    • PR (backported): fix: correct documentation for non 200 responses in swagger