commit: a2a69709b51692be307940c79d0befdd3c9678bb parent e3ea311cd594d4f0bc8c4e05ca8eb1eee18ae6be Author: tusooa <tusooa@kazv.moe> Date: Tue, 24 Oct 2023 19:57:31 -0400 Bump version to 2.6.0Diffstat:
58 files changed, 35 insertions(+), 48 deletions(-)diff --git a/CHANGELOG.md b/CHANGELOG.md@@ -4,19 +4,49 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). -## Unreleased - -### Changed +## 2.6.0 +### Security +- Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes. +- CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID +- Disable XML entity resolution completely to fix a dos vulnerability ### Added - Support for Image activities, namely from Hubzilla +- Add OAuth scope descriptions +- Allow lang attribute in status text +- OnlyMedia Upload Filter +- Implement MRF policy to reject or delist according to emojis +- (hardening) Add no_new_privs=yes to OpenRC service files +- Implement quotes +- Add unified streaming endpoint ### Fixed - - rel="me" was missing its cache +- MediaProxy responses now return a sandbox CSP header +- Filter context activities using Visibility.visible_for_user? +- UploadedMedia: Add missing disposition_type to Content-Disposition +- fix not being able to fetch flash file from remote instance +- Fix abnormal behaviour when refetching a poll +- Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects" +- Fix opengraph and twitter card meta tags +- ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts +- OEmbed HTML tags are now filtered +- Restrict attachments to only uploaded files only +- Fix error 404 when deleting status of a banned user +- Fix config ownership in dockerfile to pass restriction test +- Fix user fetch completely broken if featured collection is not in a supported form +- Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty +- Fix handling report from a deactivated user +- Prevent using the .json format to bypass authorized fetch mode +- Fix mentioning punycode domains when using Markdown +- Show more informative errors when profile exceeds char limits ### Removed - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact) +- remove BBS/SSH feature, replaced by an external bridge. +- Remove a few unused indexes. +- Cleanup OStatus-era user upgrades and ap_enabled indicator +- Deprecate Pleroma's audio scrobbling ## 2.5.4diff --git a/changelog.d/2023-06-deps-update.skip b/changelog.d/2023-06-deps-update.skipdiff --git a/changelog.d/3126.fix b/changelog.d/3126.fix@@ -1 +0,0 @@ -MediaProxy responses now return a sandbox CSP headerdiff --git a/changelog.d/3739.skip b/changelog.d/3739.skipdiff --git a/changelog.d/3801.fix b/changelog.d/3801.fix@@ -1 +0,0 @@ -Filter context activities using Visibility.visible_for_user?diff --git a/changelog.d/3831.skip b/changelog.d/3831.skipdiff --git a/changelog.d/3848.add b/changelog.d/3848.add@@ -1 +0,0 @@ -Add OAuth scope descriptionsdiff --git a/changelog.d/3870.skip b/changelog.d/3870.skipdiff --git a/changelog.d/3872.remove b/changelog.d/3872.remove@@ -1 +0,0 @@ -remove BBS/SSH feature, replaced by an external bridge. -\ No newline at end of filediff --git a/changelog.d/3873.fix b/changelog.d/3873.fix@@ -1 +0,0 @@ -UploadedMedia: Add missing disposition_type to Content-Disposition -\ No newline at end of filediff --git a/changelog.d/3874.remove b/changelog.d/3874.remove@@ -1 +0,0 @@ -Remove a few unused indexes.diff --git a/changelog.d/3876.skip b/changelog.d/3876.skipdiff --git a/changelog.d/3877.skip b/changelog.d/3877.skipdiff --git a/changelog.d/3878.skip b/changelog.d/3878.skipdiff --git a/changelog.d/3879.fix b/changelog.d/3879.fix@@ -1 +0,0 @@ -fix not being able to fetch flash file from remote instance -\ No newline at end of filediff --git a/changelog.d/3880.remove b/changelog.d/3880.remove@@ -1 +0,0 @@ -Cleanup OStatus-era user upgrades and ap_enabled indicator -\ No newline at end of filediff --git a/changelog.d/3882.add b/changelog.d/3882.add@@ -1 +0,0 @@ -Allow lang attribute in status textdiff --git a/changelog.d/3883.fix b/changelog.d/3883.fix@@ -1 +0,0 @@ -Fix abnormal behaviour when refetching a polldiff --git a/changelog.d/3884.fix b/changelog.d/3884.fix@@ -1 +0,0 @@ -Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects" -\ No newline at end of filediff --git a/changelog.d/3885.fix b/changelog.d/3885.fix@@ -1 +0,0 @@ -Fix opengraph and twitter card meta tagsdiff --git a/changelog.d/3888.fix b/changelog.d/3888.fix@@ -1 +0,0 @@ -ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts -\ No newline at end of filediff --git a/changelog.d/3891.fix b/changelog.d/3891.fix@@ -1 +0,0 @@ -OEmbed HTML tags are now filtereddiff --git a/changelog.d/3893.skip b/changelog.d/3893.skipdiff --git a/changelog.d/3897.add b/changelog.d/3897.add@@ -1 +0,0 @@ -OnlyMedia Upload Filterdiff --git a/changelog.d/3899.skip b/changelog.d/3899.skipdiff --git a/changelog.d/3901.security b/changelog.d/3901.security@@ -1 +0,0 @@ -Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.diff --git a/changelog.d/3902.skip b/changelog.d/3902.skipdiff --git a/changelog.d/3909.skip b/changelog.d/3909.skipdiff --git a/changelog.d/akkoma-xml-remote-entities.security b/changelog.d/akkoma-xml-remote-entities.security@@ -1 +0,0 @@ -Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystemdiff --git a/changelog.d/amd64-runner.skip b/changelog.d/amd64-runner.skipdiff --git a/changelog.d/attachment-type-check.fix b/changelog.d/attachment-type-check.fix@@ -1 +0,0 @@ -Restrict attachments to only uploaded files onlydiff --git a/changelog.d/changelog-improve.skip b/changelog.d/changelog-improve.skipdiff --git a/changelog.d/check-attachment-attribution.security b/changelog.d/check-attachment-attribution.security@@ -1 +0,0 @@ -CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment IDdiff --git a/changelog.d/delete-status-of-banned-user.fix b/changelog.d/delete-status-of-banned-user.fix@@ -1 +0,0 @@ -Fix error 404 when deleting status of a banned userdiff --git a/changelog.d/deprecate-scrobbles.remove b/changelog.d/deprecate-scrobbles.remove@@ -1 +0,0 @@ -Deprecate Pleroma's audio scrobblingdiff --git a/changelog.d/disable-xml-entity-resolution.security b/changelog.d/disable-xml-entity-resolution.security@@ -1 +0,0 @@ -Disable XML entity resolution completely to fix a dos vulnerabilitydiff --git a/changelog.d/distro-docs-elixir-1.11.skip b/changelog.d/distro-docs-elixir-1.11.skipdiff --git a/changelog.d/dockerfile-config-perms.fix b/changelog.d/dockerfile-config-perms.fix@@ -1 +0,0 @@ -- Fix config ownership in dockerfile to pass restriction testdiff --git a/changelog.d/emoji-pack-sanitization.security b/changelog.d/emoji-pack-sanitization.security@@ -1 +0,0 @@ -Emoji pack loader sanitizes pack namesdiff --git a/changelog.d/emoji-policy.add b/changelog.d/emoji-policy.add@@ -1 +0,0 @@ -Implement MRF policy to reject or delist according to emojisdiff --git a/changelog.d/featured-collection-shouldnt-break-user-fetch.fix b/changelog.d/featured-collection-shouldnt-break-user-fetch.fix@@ -1 +0,0 @@ -Fix user fetch completely broken if featured collection is not in a supported formdiff --git a/changelog.d/fix-object-test.fix b/changelog.d/fix-object-test.fix@@ -1 +0,0 @@ -Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being emptydiff --git a/changelog.d/gentoo_otp.skip b/changelog.d/gentoo_otp.skipdiff --git a/changelog.d/gentoo_otp_hotfix.skip b/changelog.d/gentoo_otp_hotfix.skipdiff --git a/changelog.d/gentoo_otp_intro.skip b/changelog.d/gentoo_otp_intro.skipdiff --git a/changelog.d/handle-report-from-deactivated-user.fix b/changelog.d/handle-report-from-deactivated-user.fix@@ -1 +0,0 @@ -Fix handling report from a deactivated userdiff --git a/changelog.d/lint.skip b/changelog.d/lint.skipdiff --git a/changelog.d/media-altdomain.skip b/changelog.d/media-altdomain.skipdiff --git a/changelog.d/no_new_privs.add b/changelog.d/no_new_privs.add@@ -1 +0,0 @@ -(hardening) Add no_new_privs=yes to OpenRC service filesdiff --git a/changelog.d/otp_perms.security b/changelog.d/otp_perms.security@@ -1 +0,0 @@ -- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories -\ No newline at end of filediff --git a/changelog.d/pipeline-triggers.skip b/changelog.d/pipeline-triggers.skipdiff --git a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix@@ -1 +0,0 @@ -Prevent using the .json format to bypass authorized fetch mode -\ No newline at end of filediff --git a/changelog.d/punycode-mention.fix b/changelog.d/punycode-mention.fix@@ -1 +0,0 @@ -Fix mentioning punycode domains when using Markdowndiff --git a/changelog.d/quote.add b/changelog.d/quote.add@@ -1 +0,0 @@ -Implement quotesdiff --git a/changelog.d/testfix-system-config-use.skip b/changelog.d/testfix-system-config-use.skipdiff --git a/changelog.d/unified-streaming.add b/changelog.d/unified-streaming.add@@ -1 +0,0 @@ -Add unified streaming endpointdiff --git a/changelog.d/update-credentials-limit-error.fix b/changelog.d/update-credentials-limit-error.fix@@ -1 +0,0 @@ -Show more informative errors when profile exceeds char limitsdiff --git a/mix.exs b/mix.exs@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do def project do [ app: :pleroma, - version: version("2.5.54"), + version: version("2.6.0"), elixir: "~> 1.11", elixirc_paths: elixirc_paths(Mix.env()), compilers: [:phoenix] ++ Mix.compilers(),