Merge branch 'stable' into 'release/2.6.0' - pleroma - My custom branche(s) on git.pleroma.social/pleroma/pleroma

commit: ad45b06b3f1d7dd4157a3fbc44dc1d2f07c98f35
parent ab894d98f4be5aadc033b71dacc499b85b579bc1
Author: tusooa <tusooa@kazv.moe>
Date:   Tue, 31 Oct 2023 01:07:43 +0000

Merge branch 'stable' into 'release/2.6.0'

# Conflicts:
#   .gitlab-ci.yml
#   lib/pleroma/web/common_api/utils.ex
#   lib/pleroma/web/xml.ex
#   mix.exs
#   test/pleroma/web/activity_pub/transmogrifier/emoji_react_handling_test.exs
#   test/pleroma/web/common_api/utils_test.exs
#   test/pleroma/web/mastodon_api/update_credentials_test.exs
#   test/pleroma/web/xml_test.exs
Diffstat:
M CHANGELOG.md 16 ++++++++++++++++
A changelog.d/akkoma-xml-remote-entities.security 1 +
A changelog.d/check-attachment-attribution.security 1 +
A changelog.d/emoji-pack-sanitization.security 1 +
A changelog.d/otp_perms.security 2 ++

5 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -59,6 +59,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Emoji pack loader sanitizes pack names
 - Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
 
+## 2.5.5
+
+## Security
+- Prevent users from accessing media of other users by creating a status with reused attachment ID
+
+## 2.5.4
+
+## Security
+- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
+
+## 2.5.3
+
+### Security
+- Emoji pack loader sanitizes pack names
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
+
 ## 2.5.2
 
 ### Security
diff --git a/changelog.d/akkoma-xml-remote-entities.security b/changelog.d/akkoma-xml-remote-entities.security
@@ -0,0 +1 @@
+Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
diff --git a/changelog.d/check-attachment-attribution.security b/changelog.d/check-attachment-attribution.security
@@ -0,0 +1 @@
+CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
diff --git a/changelog.d/emoji-pack-sanitization.security b/changelog.d/emoji-pack-sanitization.security
@@ -0,0 +1 @@
+Emoji pack loader sanitizes pack names
diff --git a/changelog.d/otp_perms.security b/changelog.d/otp_perms.security
@@ -0,0 +1 @@
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
+\ No newline at end of file

M	CHANGELOG.md	16	++++++++++++++++
A	changelog.d/akkoma-xml-remote-entities.security	1	+
A	changelog.d/check-attachment-attribution.security	1	+
A	changelog.d/emoji-pack-sanitization.security	1	+
A	changelog.d/otp_perms.security	2	++