
pleroma

My custom branch(es) on git.pleroma.social/pleroma/pleroma
git clone https://anongit.hacktivis.me/git/pleroma.git/
commit: 4c8a8a4b62151ab86019cf92ffb67dc81e13cdd7
parent 0a93a7b0c9e4f05f2abd2079c976c0a4bf1b3d77
Author: Lain Soykaf <lain@lain.com>
Date:   Tue, 11 Mar 2025 18:06:43 +0400

Update changelog

Diffstat:

M CHANGELOG.md                                      | 17 +++++++++++++++++
D changelog.d/c2s-update-authorization.security     |  2 --
D changelog.d/content-type-sanitize.security        |  2 --
D changelog.d/cross-domain-redirect-check.security  |  2 --
D changelog.d/debian-distro-docs-pleromaBE.fix      |  2 --
D changelog.d/emoji-shortcode-validation.security   |  2 --
D changelog.d/local-fetch-prevention.security       |  2 --
D changelog.d/media-proxy-sanitize.security         |  2 --
D changelog.d/object-fetcher-content-type.security  |  2 --
D changelog.d/pl-fe.change                          |  1 -
10 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md @@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## 2.9.1 + +### Security +- Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content. +- Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments +- Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls. +- Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse. +- Block attempts to fetch activities from the local instance to prevent spoofing. +- Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media. +- Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks. + +### Changed +- Include `pl-fe` in available frontends + +### Fixed +- Remove trailing ` from end of line 75 which caused issues copy-pasting + ## 2.9.0 ### Security diff --git a/changelog.d/c2s-update-authorization.security b/changelog.d/c2s-update-authorization.security @@ -1 +0,0 @@ -Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content. -\ No newline at end of file diff --git a/changelog.d/content-type-sanitize.security b/changelog.d/content-type-sanitize.security @@ -1 +0,0 @@ -Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments -\ No newline at end of file diff --git a/changelog.d/cross-domain-redirect-check.security b/changelog.d/cross-domain-redirect-check.security @@ -1 +0,0 @@ -Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls. -\ No newline at end of file 
diff --git a/changelog.d/debian-distro-docs-pleromaBE.fix b/changelog.d/debian-distro-docs-pleromaBE.fix @@ -1 +0,0 @@ -Remove trailing ` from end of line 75 which caused issues copy-pasting -\ No newline at end of file diff --git a/changelog.d/emoji-shortcode-validation.security b/changelog.d/emoji-shortcode-validation.security @@ -1 +0,0 @@ -Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse. -\ No newline at end of file diff --git a/changelog.d/local-fetch-prevention.security b/changelog.d/local-fetch-prevention.security @@ -1 +0,0 @@ -Block attempts to fetch activities from the local instance to prevent spoofing. -\ No newline at end of file diff --git a/changelog.d/media-proxy-sanitize.security b/changelog.d/media-proxy-sanitize.security @@ -1 +0,0 @@ -Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media. -\ No newline at end of file diff --git a/changelog.d/object-fetcher-content-type.security b/changelog.d/object-fetcher-content-type.security @@ -1 +0,0 @@ -Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks. -\ No newline at end of file diff --git a/changelog.d/pl-fe.change b/changelog.d/pl-fe.change @@ -1 +0,0 @@ -Include `pl-fe` in available frontends
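Review bot: in the CHANGELOG.md hunk, the `### Fixed` entry (`+- Remove trailing ` from end of line 75 which caused issues copy-pasting`) never names the document it refers to, so a reader of the 2.9.1 release notes cannot tell what "line 75" is; the fragment it was folded from is `changelog.d/debian-distro-docs-pleromaBE.fix`, so the bullet should name the Debian backend installation docs explicitly. The same line carries a single unbalanced backtick, which some Markdown renderers will treat as the start of a code span; escape it (\`) or write "trailing backtick" so it renders literally. Two smaller consistency points in the `### Security` block: the second bullet (`+- Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments`) is the only one of the seven without a terminating period, and none of the seven cites an advisory or CVE identifier; if any were assigned for this release, link them from the corresponding bullet so operators can match the fixes to what their scanners report.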