commit: a5da6ce58e241bc20fad5edd2612bb77f07c3992
parent 92fc8f00124417018067b1e965c7306661465e6a
Author: Lain Soykaf <lain@lain.com>
Date: Wed, 31 Dec 2025 10:49:28 +0400
Changelog: Update changelog
Diffstat:
3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
### Security
- Admin API: Fixed self-revocation vulnerability where admins could accidentally revoke their own admin status via the single-user permission endpoint
+- Fix bypass of the restrict unauthenticated setting by requesting local Activities
### Changed
@@ -104,6 +105,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- ObjectView: Do not leak unsanitized internal representation of non-Create/non-Undo Activities on fetches
- Fix WebFinger for split-domain setups
- Enforce an exact domain match for WebFinger resolution
+- MastodonAPI: Fix misattribution of statuses when fetched via non-Announce Activity ID
## 2.9.1
diff --git a/changelog.d/mastoapi-misatrribution.fix b/changelog.d/mastoapi-misatrribution.fix
@@ -1 +0,0 @@
-MastodonAPI: Fix misattribution of statuses when fetched via non-Announce Activity ID
diff --git a/changelog.d/restrict-unauthenticated-bypass.fix b/changelog.d/restrict-unauthenticated-bypass.fix
@@ -1 +0,0 @@
-Fix bypass of the restrict unauthenticated setting by requesting local Activities
