diff options
| author | tusooa <tusooa@kazv.moe> | 2023-10-31 01:07:43 +0000 |
|---|---|---|
| committer | tusooa <tusooa@kazv.moe> | 2023-10-31 01:07:43 +0000 |
| commit | ad45b06b3f1d7dd4157a3fbc44dc1d2f07c98f35 (patch) | |
| tree | ec8b787417a236aca411f0697465caf51d2b61ed | |
| parent | ab894d98f4be5aadc033b71dacc499b85b579bc1 (diff) | |
| parent | f966abe4fbacf8fa91cf2b533f8abfb57d62f8b7 (diff) | |
Merge branch 'stable' into 'release/2.6.0'
# Conflicts:
# .gitlab-ci.yml
# lib/pleroma/web/common_api/utils.ex
# lib/pleroma/web/xml.ex
# mix.exs
# test/pleroma/web/activity_pub/transmogrifier/emoji_react_handling_test.exs
# test/pleroma/web/common_api/utils_test.exs
# test/pleroma/web/mastodon_api/update_credentials_test.exs
# test/pleroma/web/xml_test.exs
| -rw-r--r-- | CHANGELOG.md | 16 | ||||
| -rw-r--r-- | changelog.d/akkoma-xml-remote-entities.security | 1 | ||||
| -rw-r--r-- | changelog.d/check-attachment-attribution.security | 1 | ||||
| -rw-r--r-- | changelog.d/emoji-pack-sanitization.security | 1 | ||||
| -rw-r--r-- | changelog.d/otp_perms.security | 1 |
5 files changed, 20 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 211e611ab..394eb5179 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -59,6 +59,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Emoji pack loader sanitizes pack names - Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories +## 2.5.5 + +## Security +- Prevent users from accessing media of other users by creating a status with reused attachment ID + +## 2.5.4 + +## Security +- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem + +## 2.5.3 + +### Security +- Emoji pack loader sanitizes pack names +- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories + ## 2.5.2 ### Security diff --git a/changelog.d/akkoma-xml-remote-entities.security b/changelog.d/akkoma-xml-remote-entities.security new file mode 100644 index 000000000..5e6725e5b --- /dev/null +++ b/changelog.d/akkoma-xml-remote-entities.security @@ -0,0 +1 @@ +Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem diff --git a/changelog.d/check-attachment-attribution.security b/changelog.d/check-attachment-attribution.security new file mode 100644 index 000000000..e0e46525b --- /dev/null +++ b/changelog.d/check-attachment-attribution.security @@ -0,0 +1 @@ +CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID diff --git a/changelog.d/emoji-pack-sanitization.security b/changelog.d/emoji-pack-sanitization.security new file mode 100644 index 000000000..f3218abd4 --- /dev/null +++ b/changelog.d/emoji-pack-sanitization.security @@ -0,0 +1 @@ +Emoji pack loader sanitizes pack names diff --git a/changelog.d/otp_perms.security b/changelog.d/otp_perms.security new file mode 100644 index 000000000..a3da1c677 --- /dev/null +++ b/changelog.d/otp_perms.security @@ -0,0 +1 @@ +- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
\ No newline at end of file |