-------------------------------------------------------------------
Wed May 22 20:41:58 UTC 2024 - Richard Rahl

- update to 7.0.3:
  * CVE-2024-24788: a malformed DNS message in response to a query can cause the lookup functions to get stuck in an infinite loop
  * backticks in mermaid block diagram labels are not sanitized properly
  * migration of a repository from gogs fails when it is hosted at a subpath.
  * when creating an OAuth2 application the redirect URLs are not enforced to be mandatory
  * the API incorrectly excludes repositories where code is not enabled
  * "Allow edits from maintainers" cannot be modified via the pull request web UI
  * repository activity feeds (including RSS and Atom feeds) contain repeated activities
  * uploading maven packages with metadata being uploaded separately will fail
  * the mail notifications sent about commits pushed to pull requests are empty
  * inline email attachments are not properly handled when commenting on an issue via email
  * the links to .zip and tar.gz on the tag list web UI fail
  * expanding code diff while previewing a pull request before it is created fails
  * the CLI is not able to migrate Forgejo Actions artifacts
  * when adopting a repository, the default branch is not taken into account
  * when using reverse proxy authentication, logout will not be taken into account when immediately trying to login afterwards
  * pushing to the master branch of a sha256 repository fails
  * a very long project column name will make the action menu inaccessible
  * a useless error is displayed when the title of a merged pull request is modified
  * workflow badges are not working for workflows that are not running on push (such as scheduled workflows, and ones that run on tags and pull requests)

-------------------------------------------------------------------
Fri May 3 00:35:37 UTC 2024 - Richard Rahl

- update to 7.0.2:
  * regression where subscribing to or unsubscribing from an issue in a repository with no code produced an internal server error.
  * regression makes all the refs sent in Gitea webhooks to be full refs and might break Woodpecker CI pipelines triggered on tag (CI_COMMIT_TAG contained the full ref). This issue has been fixed in the main branch of Woodpecker CI as well.
  * the webhook branch filter wrongly applied the match on the full ref for branch creation and deletion (wrongly skipping events).
  * toggling the WIP state of a pull request is possible from the sidebar, but not from the footer.
  * when mentioning a user, the markup post-processor does not handle the case where the mentioned user does not exist: it tries to skip to the next node, which in turn, ended up skipping the rest of the line.
  * excessive and unnecessary database queries when a user with no repositories is viewing their dashboard.
  * duplicate status check contexts show in the branch protection settings.
  * profile info fails to render German singular translation.
  * inline attachments of incoming emails (as they occur for example with Apple Mail) are not attached to comments.

-------------------------------------------------------------------
Sat Apr 27 14:53:09 UTC 2024 - Richard Rahl

- update to 7.0.1:
  * LFS data corruption when running the forgejo doctor check --fix CLI command or setting [cron.gc_lfs].ENABLED=true (the default is false)
  * non backward compatible change in the forgejo admin user create CLI command
  * error 500 because of an incorrect evaluation of the template when visiting the LFS settings of a repository
  * GET /repos/{owner}/{name} API endpoint always returns an empty string for the object_format_name field
  * fuzzy search may fail with bleve

-------------------------------------------------------------------
Thu Apr 25 02:27:22 UTC 2024 - Richard Rahl

- update to 7.0.0:
  This is only an excerpt from the full changelog, which you can find in your RELEASE-NOTES.md or at
  https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0
  * MySQL 8.0 or PostgreSQL 12 are the minimum supported versions. The database must be migrated before upgrading. The requirements regarding SQLite did not change.
  * The per_page parameter is no longer a synonym for limit in the /repos/{owner}/{repo}/releases API endpoint.
  * The date format of the created and last_update fields of the /repos/{owner}/{repo}/push_mirrors and /repos/{owner}/{repo}/push_mirrors API endpoint changed to be timestamps instead of numbers.
  * Labels used by pprof endpoint have been changed
  * The forgejo admin user create CLI command requires a password change by default when creating the first user

-------------------------------------------------------------------
Sat Apr 20 12:39:56 UTC 2024 - Richard Rahl

- update to 1.21.11-1:
  * error 500 on tag creation when a workflow exists
- update to 1.21.11-0:
  * Fixed a privilege escalation through git push options that allows any user to change the visibility of any repository they can see, regardless of their level of access.
  * Fixed a bug that allows user-supplied, non-sandboxed JavaScript to be run from the same domain as the forge, via /{owner}/{repo}/render/branch/{branch}/{filename} URLs.
  * Close file in upload function
  * Prevent registering runners for deleted repositories. Prevents 500 Internal Server Error in admin interface.
  * More reliable pagination support when migrating from gitbucket
  * Fix automerge when used with actions
- fix apparmor profile

-------------------------------------------------------------------
Fri Apr 5 18:39:07 UTC 2024 - Richard Rahl

- update to 1.21.10-0:
  * CVE-2023-45288 which permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data
  * Fix to not remove repository avatars when the doctor runs with --fix on the repository archives.
  * Detect protected branch on branch rename.
  * Don't delete inactive emails explicitly.
  * Fix user interface when a review is deleted without refreshing.
  * Fix paths when finding files via the web interface that were not escaped.
  * Respect DEFAULT_ORG_MEMBER_VISIBLE setting when adding creator to org.
  * Fix duplicate migrated milestones.
  * Fix inline math blocks can't be preceded/followed by alphanumerical characters.

-------------------------------------------------------------------
Thu Mar 28 06:58:20 UTC 2024 - Richard Rahl

- increase golang dep to 1.22, to imitate the CI/CD of forgejo
- revise how the apparmor package gets built + add selinux

-------------------------------------------------------------------
Sat Mar 23 21:21:28 UTC 2024 - Richard Rahl

- update to 1.21.8-0:
  * Fix /api/v1/{owner}/{repo}/issue_templates which was always failing with a 500 error.
  * Prevent error 500 on /user/settings/security when SignedUser has a linked account from a deactivated authentication source.
  * Fix error 500 when pushing release to an empty repo.
  * Fix incorrect rendering csv file when file size is larger than UI.CSV.MaxFileSize.
  * Fix error 500 when deleting account with incorrect password or unsupported login type.
  * handle user-defined name anchors like [Link](#link) linking to Link.
  * Use correct head commit for CODEOWNER.
  * Fix manual merge button.
  * Make meilisearch do exact search for issues.
  * Fix PR creation via api between branches of same repo with head field namespaced.

-------------------------------------------------------------------
Fri Mar 8 07:35:29 UTC 2024 - Richard Rahl

- add apparmor profile leeched off of the gitea packaging
- update to 1.21.7-0:
  * Fix tarball/zipball download bug.
  * Ensure HasIssueContentHistory takes into account comment_id.
  * The google.golang.org/protobuf module was bumped to version v1.33.0 to fix a bug in the google.golang.org/protobuf/encoding/protojson package which could cause the Unmarshal function to enter an infinite loop when handling some invalid inputs

-------------------------------------------------------------------
Fri Feb 9 10:07:58 UTC 2024 - Richard Rahl

- initial packaging