diff options
| author | rinpatch <rinpatch@sdf.org> | 2020-09-08 14:21:34 +0300 |
|---|---|---|
| committer | rinpatch <rinpatch@sdf.org> | 2020-09-08 19:45:44 +0300 |
| commit | e430e98e7dac24978e4f985948b7ae6847dfaee6 (patch) | |
| tree | 0d8e8bf8ca6b80d31f67bf5e3f2c1c4d9e97816a | |
| parent | 9c76769878784282d2a9bf42282dbc63420f882e (diff) | |
CHANGELOG.md: Add 2.1.1 entry
| -rw-r--r-- | CHANGELOG.md | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 01d7a7bc6..06a24a7e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,24 +3,29 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). -## unreleased-patch - ??? +## [2.1.1] - 2020-09-08 ### Security -- Fix metadata leak for accounts and statuses on private instances +- Fix possible DoS in Mastodon API user search due to an error in match clauses, leading to an infinite recursion and subsequent OOM with certain inputs. +- Fix metadata leak for accounts and statuses on private instances. +- Fix possible DoS in Admin API search using an atom leak vulnerability. Authentication with admin rights was required to exploit. ### Changed - **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a <link> header tag for the actual RSS/Atom feed when the instance is public. +- Improved error message when cmake is not available at build stage. ### Added -- Rich media failure tracking (along with `:failure_backoff` option) +- Rich media failure tracking (along with `:failure_backoff` option). ### Fixed -- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers +- Default HTTP adapter not respecting pool setting, leading to possible OOM. +- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers. - Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case. Reduced to just rich media timeout. -- Mastodon API: Cards being wrong for preview statuses due to cache key collision -- Password resets no longer processed for deactivated accounts +- Mastodon API: Cards being wrong for preview statuses due to cache key collision. +- Password resets no longer processed for deactivated accounts. +- Favicon scraper raising exceptions on URLs longer than 255 characters. ## [2.1.0] - 2020-08-28 |