ccfa715678
* Overflow for images on project cards. * Allow unreacting from comment popover. * The scope of application tokens is not verified when writing containers or Conan packages. * When a Forgejo Actions workflow includes a workflow_dispatch with inputs and other events (for instance push), it is silently ignored because of a parsing error. * Automerge on AGit pull requests is ignored. * Show lock owner instead of repo owner on LFS setting page. * Render plain text file if the LFS object doesn't exist. * Panic of ssh public key page after deletion of an auth source. * Add missing repository type filter parameters to pager. * Reverted a change from Gitea which prevented allow/reject reviews on merged or closed PRs. This change was not considered by the Forgejo UI team and there is a consensus that it feels like a regression, since it interferes with workflows known to be used by Forgejo users without providing a tangible benefit. * Run full PR checks on AGit push. * Updated translations OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=33
341 lines
17 KiB
Plaintext
341 lines
17 KiB
Plaintext
-------------------------------------------------------------------
|
|
Thu Aug 29 16:06:05 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
|
|
|
|
- update to 8.0.2:
|
|
* Overflow for images on project cards.
|
|
* Allow unreacting from comment popover.
|
|
* The scope of application tokens is not verified when writing
|
|
containers or Conan packages.
|
|
* When a Forgejo Actions workflow includes a workflow_dispatch with
|
|
inputs and other events (for instance push), it is silently ignored
|
|
because of a parsing error.
|
|
* Automerge on AGit pull requests is ignored.
|
|
* Show lock owner instead of repo owner on LFS setting page.
|
|
* Render plain text file if the LFS object doesn't exist.
|
|
* Panic of ssh public key page after deletion of an auth source.
|
|
* Add missing repository type filter parameters to pager.
|
|
* Reverted a change from Gitea which prevented allow/reject reviews on
|
|
merged or closed PRs. This change was not considered by the Forgejo
|
|
UI team and there is a consensus that it feels like a regression,
|
|
since it interferes with workflows known to be used by Forgejo users
|
|
without providing a tangible benefit.
|
|
* Run full PR checks on AGit push.
|
|
* Updated translations
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 9 21:25:45 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
|
|
|
|
- update to 8.0.1:
|
|
* A change introduced in Forgejo v1.21 allows a Forgejo user with write
|
|
permission on a repository description to inject a client-side script into
|
|
the web page viewed by the visitor. This XSS allows for href in anchor
|
|
elements to be set to a javascript: URI in the repository description,
|
|
which will execute the specified script upon clicking (and not upon
|
|
loading). AllowStandardURLs is now called for the repository description
|
|
policy, which ensures that URIs in anchor elements are mailto:, http://
|
|
or https:// and thereby disallowing the javascript: URI.
|
|
* Do not include trailing EOL character when counting lines
|
|
* Add background to reactions on hover
|
|
* Prevent uppercase in header of dashboard context selector
|
|
* Fix page layout in admin settings
|
|
* Ensure all filters are persistent in issue filters
|
|
* Allow 4 charachter SHA in /src/commit
|
|
- update to 8.0.0:
|
|
full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
|
|
|
|
Highlights:
|
|
* remove Microsoft SQL Server support
|
|
* introduce a branch/tag dropdown in the code search page
|
|
* added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
|
|
* API endpoints for managing tag protection.
|
|
* add Reviewed-on and Reviewed-by variables to the merge template
|
|
* display an error when an issue comment is edited simultaneously by
|
|
two users instead of silently overriding one of them
|
|
* when installing Forgejo through the built-in installer, open
|
|
(self-) registration is now disabled by default
|
|
* add support for the reddit and Hubspot OAuth providers.
|
|
* CERT management was improved when ENABLE_ACME=true
|
|
* language detection in the repository got additional languages
|
|
* add an immutable tarball link to archive download headers for Nix
|
|
* Show the AGit label on merged pull requests
|
|
- fix apparmor profile
|
|
- set sqlite3 as the default installation database
|
|
- add a rule for firewalld
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Aug 9 18:13:59 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
|
|
|
|
- update to 7.0.7:
|
|
This is a security release. See the documentation for more
|
|
information on the upgrade procedure.
|
|
* Security
|
|
- A change introduced in Forgejo v1.21 allows a Forgejo user
|
|
with write permission on a repository description to inject a
|
|
client-side script into the web page viewed by the visitor.
|
|
This XSS allows for href in anchor elements to be set to a
|
|
javascript: URI in the repository description, which will
|
|
execute the specified script upon clicking (and not upon
|
|
loading). AllowStandardURLs is now called for the repository
|
|
description policy, which ensures that URIs in anchor
|
|
elements are mailto:, http:// or https:// and thereby
|
|
disallowing the javascript: URI.
|
|
* Bug fixes
|
|
- PR (backported): disallow javascript: URI in the repository
|
|
description
|
|
* Localization
|
|
- PR (backported): i18n: backport of #4568 #4668 and #4783 to
|
|
v7
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Aug 1 10:50:53 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
|
|
|
|
- update to 7.0.6:
|
|
* Two frontend features were removed because a license
|
|
incompatibility was discovered. Read more in the companion blog
|
|
post.
|
|
- PR (backported from): Mermaid rendering: %%{init:
|
|
{"flowchart": {"defaultRenderer": "elk"}} }%% will now fail
|
|
because ELK is no longer included.
|
|
- PR (backported from): Repository citation: Removed the
|
|
ability to export citations in APA format.
|
|
* User Interface bug fixes
|
|
- PR (backported from): Replace vue-bar-graph with chart.js
|
|
- PR (backported from): Show AGit label on merged PR
|
|
- PR (backported from): Fix mobile UI for organisation creation
|
|
* Bug fixes
|
|
- PR (backported from): fix(api): issue state change is not
|
|
idempotent
|
|
- PR (backported from): Reserve the devtest username
|
|
- PR (backported from): fix(actions): no edited event triggered
|
|
when a title is changed
|
|
- PR (backported from): Load attachments for
|
|
/issues/comments/{id}
|
|
- PR (backported from): When searching for users, page the
|
|
results by default, and respect the default paging limits
|
|
- PR (backported from): the "View command line instructions"
|
|
link in pull requests and the "Copy content" button in file
|
|
editor are not accessible
|
|
- PR (backported from): Use correct SHA in GetCommitPullRequest
|
|
* Localization
|
|
- PR (backported from): Update of translations from Weblate
|
|
- PR: Update of translations from Weblate
|
|
- PR (backported from): 3 translation updates from Weblate - PR
|
|
1, PR 2, PR 3
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jul 15 06:28:18 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
|
|
|
|
- fix typo Environemnt in forgejo.service
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jul 5 07:13:38 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
|
|
|
|
- update to 7.0.5:
|
|
* Fixed: CVE-2024-24791 - GO-2024-2963 Denial of service due to improper
|
|
100-continue handling in net/http
|
|
* Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead
|
|
of Default URLs" checkbox (missing checkbox, irrelevant fields).
|
|
* Fixed: git push to an adopted repository fails.
|
|
* Fixed: markdown doesn't render math within brackets
|
|
* Fixed: selecting the "No Project" filter in the issue/pull request list has no effect
|
|
* Fixed: error 500 when processing crafted TIFF files.
|
|
* Fixed: wrong placeholder text in the form for adding repository collaborator.
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Jun 16 12:52:27 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
|
|
|
|
- update to 7.0.4:
|
|
* Fixed: CVE-2024-24789: the archive/zip package's handling of certain types
|
|
of invalid zip files differs from the behavior of most zip implementations.
|
|
This misalignment could be exploited to create an zip file with contents that
|
|
vary depending on the implementation reading the file.
|
|
* the OAuth2 implementation does not always require authentication for public
|
|
clients, a requirement of RFC 6749 Section 10.2
|
|
* forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
|
|
* avatar files can be found in storage while they do not exist in the database.
|
|
* repository admins are always denied the right to force merge and instance admins
|
|
are subject to restrictions to merge that must only apply to repository admins.
|
|
* non conformance with the Nix tarball fetcher immutable link protocol.
|
|
* migrated activities (such as reviews) are mapped to the user who initiated the
|
|
migration rather than the Ghost user, if the external user cannot be mapped to a
|
|
local one. This mapping mismatch leads to internal server errors in some cases.
|
|
* a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
|
|
* using a subquery for user deletion is a performance bottleneck when using mariadb 10
|
|
because only mariadb 11 takes advantage of the available index.
|
|
* a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
|
|
* SourceHut Builds webhook fail when the triggers field is used.
|
|
* the label list rendering in the issue and pull request timeline is displayed on
|
|
multiple lines instead of a single one.
|
|
* Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
|
|
* automerge does not happen when the approval count reaches the required threshold.
|
|
* the FORCE_PRIVATE=true setting is not consistently enforced.
|
|
* CSRF validation errors when OAuth is not enabled.
|
|
* headlines in rendered org-mode do not have a margin on the top
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 22 20:41:58 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
|
|
|
|
- update to 7.0.3:
|
|
* CVE-2024-24788: a malformed DNS message in response to a query can
|
|
cause the lookup functions to get stuck in an infinite loop
|
|
* backticks in mermaid block diagram labels are not sanitized properly
|
|
* migration of a repository from gogs fails when it is hosted at a subpath.
|
|
* when creating an OAuth2 application the redirect URLs are not enforced to
|
|
be mandatory
|
|
* the API incorrectly excludes repositories where code is not enabled
|
|
* "Allow edits from maintainers" cannot be modified via the pull request web UI
|
|
* repository activity feeds (including RSS and Atom feeds) contain
|
|
repeated activities
|
|
* uploading maven packages with metadata being uploaded separately will fail
|
|
* the mail notification sent about commits pushed to pull requests are empty
|
|
* inline emails attachments are not properly handled when commenting on an
|
|
issue via email
|
|
* the links to .zip and tar.gz on the tag list web UI fail
|
|
* expanding code diff while previewing a pull request before it is created fails
|
|
* the CLI is not able to migrate Forgejo Actions artifacts
|
|
* when adopting a repository, the default branch is not taken into account
|
|
* when using reverse proxy authentication, logout will not be taken into
|
|
account when immediately trying to login afterwards
|
|
* pushing to the master branch of a sha256 repository fails
|
|
* a very long project column name will make the action menu inaccessible
|
|
* a useless error is displayed when the title of a merged pull request is
|
|
modified
|
|
* workflow badges are not working for workflows that are not running on push
|
|
(such as scheduled workflows, and ones that run on tags and pull requests)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri May 3 00:35:37 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
|
|
|
|
- update to 7.0.2:
|
|
* regression where subscribing to or unsubscribing from an issue in a
|
|
repository with no code produced an internal server error.
|
|
* regression makes all the refs sent in Gitea webhooks to be full refs and
|
|
might break Woodpecker CI pipelines triggered on tag (CI_COMMIT_TAG
|
|
contained the full ref). This issue has been fixed in the main branch of
|
|
Woodpecker CI as well.
|
|
* the webhook branch filter wrongly applied the match on the full ref for
|
|
branch creation and deletion (wrongly skipping events).
|
|
* toggling the WIP state of a pull request is possible from the sidebar,
|
|
but not from the footer.
|
|
* when mentioning a user, the markup post-processor does not handle the case
|
|
where the mentioned user does not exist: it tries to skip to the next node,
|
|
which in turn, ended up skipping the rest of the line.
|
|
* excessive and unnecessary database queries when a user with no repositories
|
|
is viewing their dashboard.
|
|
* duplicate status check contexts show in the branch protection settings.
|
|
* profile info fails to render german singular translation.
|
|
* inline attachments of incoming emails (as they occur for example with Apple
|
|
Mail) are not attached to comments.
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Apr 27 14:53:09 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
|
|
|
|
- update to 7.0.1:
|
|
* LFS data corruption when running the forgejo doctor check --fix CLI command
|
|
or setting [cron.gc_lfs].ENABLED=true (the default is false)
|
|
* non backward compatible change in the forgejo admin user create CLI command
|
|
* error 500 because of an incorrect evaluation of the template when visiting
|
|
the LFS settings of a repository
|
|
* GET /repos/{owner}/{name} API endpoint always returns an empty string for
|
|
the object_format_name field
|
|
* fuzzy search may fail with bleve
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Apr 25 02:27:22 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
|
|
|
|
- update to 7.0.0:
|
|
This is only an excerpt from the full changelog, which you can find
|
|
in your RELEASE-NOTES.md or at
|
|
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0
|
|
* MySQL 8.0 or PostgreSQL 12 are the minimum supported versions.
|
|
The database must be migrated before upgrading.
|
|
The requirements regarding SQLite did not change.
|
|
* The per_page parameter is no longer a synonym for limit in the
|
|
/repos/{owner}/{repo}/releases API endpoint.
|
|
* The date format of the created and last_update fields of the
|
|
/repos/{owner}/{repo}/push_mirrors and /repos/{owner}/{repo}/push_mirrors
|
|
API endpoint changed to be timestamps instead of numbers.
|
|
* Labels used by pprof endpoint have been changed
|
|
* The fogejo admin user create CLI command requires a password change
|
|
by default when creating the first user
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Apr 20 12:39:56 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
|
|
|
|
- update to 1.21.11-1:
|
|
* error 500 on tag creation when a workflow exists
|
|
|
|
- update to 1.21.11-0:
|
|
* Fixed a privilege escalation through git push options that
|
|
allows any user to change the visibility of any repository they can see,
|
|
regardless of their level of access.
|
|
* Fixed a bug that allows user-supplied, non-sandboxed JavaScript to be run
|
|
from the same domain as the forge, via
|
|
/{owner}/{repo}/render/branch/{branch}/{filename} URLs.
|
|
* Close file in upload function
|
|
* Prevent registering runners for deleted repositories.
|
|
Prevents 500 Internal Server Error in admin interface.
|
|
* More reliable pagination support when migrating from gitbucket
|
|
* Fix automerge when used with actions
|
|
|
|
- fix apparmor profile
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Apr 5 18:39:07 UTC 2024 - Richard Rahl <rrahl0@proton.me>
|
|
|
|
- update to 1.21.10-0:
|
|
* CVE-2023-45288 which permits an attacker to cause an HTTP/2 endpoint to
|
|
read arbitrary amounts of header data
|
|
* Fix to not remove repository avatars when the doctor runs with --fix
|
|
on the repository archives.
|
|
* Detect protected branch on branch rename.
|
|
* Don't delete inactive emails explicitly.
|
|
* Fix user interface when a review is deleted without refreshing.
|
|
* Fix paths when finding files via the web interface that were not escaped.
|
|
* Respect DEFAULT_ORG_MEMBER_VISIBLE setting when adding creator to org.
|
|
* Fix duplicate migrated milestones.
|
|
* Fix inline math blocks can't be preceeded/followed by alphanumerical
|
|
characters.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 28 06:58:20 UTC 2024 - Richard Rahl <rrahl0@proton.me>
|
|
|
|
- increase golang dep to 1.22, to imitate the CI/CD of forgejo
|
|
- revise how the apparmor package gets build + add selinux
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Mar 23 21:21:28 UTC 2024 - Richard Rahl <user@localhost>
|
|
|
|
- update to 1.21.8-0:
|
|
* Fix /api/v1/{owner}/{repo}/issue_templates which was always failing with a
|
|
500 error.
|
|
* Prevent error 500 on /user/settings/security when SignedUser has a linked
|
|
account from a deactivated authentication source.
|
|
* Fix error 500 when pushing release to an empty repo.
|
|
* Fix incorrect rendering csv file when file size is larger than UI.CSV.MaxFileSize.
|
|
* Fix error 500 when deleting account with incorrect password or unsupported login type.
|
|
* handle user-defined name anchors like [Link](#link) linking to <a name="link"></a>Link.
|
|
* Use correct head commit for CODEOWNER.
|
|
* Fix manual merge button.
|
|
* Make meilisearch do exact search for issues.
|
|
* Fix PR creation via api between branches of same repo with head field namespaced.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Mar 8 07:35:29 UTC 2024 - Richard Rahl <rrahl0@proton.me>
|
|
|
|
- add apparmor profile leeched off of the gitea packaging
|
|
|
|
- update to 1.21.7-0:
|
|
* Fix tarball/zipball download bug.
|
|
* Ensure HasIssueContentHistory takes into account comment_id.
|
|
* The google.golang.org/protobuf module was bumped to version v1.33.0 to fix
|
|
a bug in the google.golang.org/protobuf/encoding/protojson package which
|
|
could cause the Unmarshal function to enter an infinite loop when handling
|
|
some invalid inputs
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 9 10:07:58 UTC 2024 - Richard Rahl <rrahl0@proton.me>
|
|
|
|
- initial packaging
|