From a2a69709b51692be307940c79d0befdd3c9678bb Mon Sep 17 00:00:00 2001 From: tusooa Date: Tue, 24 Oct 2023 19:57:31 -0400 Subject: [PATCH] Bump version to 2.6.0 --- CHANGELOG.md | 38 +++++++++++++++++-- changelog.d/2023-06-deps-update.skip | 0 changelog.d/3126.fix | 1 - changelog.d/3739.skip | 0 changelog.d/3801.fix | 1 - changelog.d/3831.skip | 0 changelog.d/3848.add | 1 - changelog.d/3870.skip | 0 changelog.d/3872.remove | 1 - changelog.d/3873.fix | 1 - changelog.d/3874.remove | 1 - changelog.d/3876.skip | 0 changelog.d/3877.skip | 0 changelog.d/3878.skip | 0 changelog.d/3879.fix | 1 - changelog.d/3880.remove | 1 - changelog.d/3882.add | 1 - changelog.d/3883.fix | 1 - changelog.d/3884.fix | 1 - changelog.d/3885.fix | 1 - changelog.d/3888.fix | 1 - changelog.d/3891.fix | 1 - changelog.d/3893.skip | 0 changelog.d/3897.add | 1 - changelog.d/3899.skip | 0 changelog.d/3901.security | 1 - changelog.d/3902.skip | 0 changelog.d/3909.skip | 0 .../akkoma-xml-remote-entities.security | 1 - changelog.d/amd64-runner.skip | 0 changelog.d/attachment-type-check.fix | 1 - changelog.d/changelog-improve.skip | 0 .../check-attachment-attribution.security | 1 - changelog.d/delete-status-of-banned-user.fix | 1 - changelog.d/deprecate-scrobbles.remove | 1 - .../disable-xml-entity-resolution.security | 1 - changelog.d/distro-docs-elixir-1.11.skip | 0 changelog.d/dockerfile-config-perms.fix | 1 - changelog.d/emoji-pack-sanitization.security | 1 - changelog.d/emoji-policy.add | 1 - ...d-collection-shouldnt-break-user-fetch.fix | 1 - changelog.d/fix-object-test.fix | 1 - changelog.d/gentoo_otp.skip | 0 changelog.d/gentoo_otp_hotfix.skip | 0 changelog.d/gentoo_otp_intro.skip | 0 .../handle-report-from-deactivated-user.fix | 1 - changelog.d/lint.skip | 0 changelog.d/media-altdomain.skip | 0 changelog.d/no_new_privs.add | 1 - changelog.d/otp_perms.security | 1 - changelog.d/pipeline-triggers.skip | 0 ...revent-bypassing-authorized-fetch-mode.fix | 1 - changelog.d/punycode-mention.fix | 1 - changelog.d/quote.add | 1 - changelog.d/testfix-system-config-use.skip | 0 changelog.d/unified-streaming.add | 1 - .../update-credentials-limit-error.fix | 1 - mix.exs | 2 +- 58 files changed, 35 insertions(+), 40 deletions(-) delete mode 100644 changelog.d/2023-06-deps-update.skip delete mode 100644 changelog.d/3126.fix delete mode 100644 changelog.d/3739.skip delete mode 100644 changelog.d/3801.fix delete mode 100644 changelog.d/3831.skip delete mode 100644 changelog.d/3848.add delete mode 100644 changelog.d/3870.skip delete mode 100644 changelog.d/3872.remove delete mode 100644 changelog.d/3873.fix delete mode 100644 changelog.d/3874.remove delete mode 100644 changelog.d/3876.skip delete mode 100644 changelog.d/3877.skip delete mode 100644 changelog.d/3878.skip delete mode 100644 changelog.d/3879.fix delete mode 100644 changelog.d/3880.remove delete mode 100644 changelog.d/3882.add delete mode 100644 changelog.d/3883.fix delete mode 100644 changelog.d/3884.fix delete mode 100644 changelog.d/3885.fix delete mode 100644 changelog.d/3888.fix delete mode 100644 changelog.d/3891.fix delete mode 100644 changelog.d/3893.skip delete mode 100644 changelog.d/3897.add delete mode 100644 changelog.d/3899.skip delete mode 100644 changelog.d/3901.security delete mode 100644 changelog.d/3902.skip delete mode 100644 changelog.d/3909.skip delete mode 100644 changelog.d/akkoma-xml-remote-entities.security delete mode 100644 changelog.d/amd64-runner.skip delete mode 100644 changelog.d/attachment-type-check.fix delete mode 100644 changelog.d/changelog-improve.skip delete mode 100644 changelog.d/check-attachment-attribution.security delete mode 100644 changelog.d/delete-status-of-banned-user.fix delete mode 100644 changelog.d/deprecate-scrobbles.remove delete mode 100644 changelog.d/disable-xml-entity-resolution.security delete mode 100644 changelog.d/distro-docs-elixir-1.11.skip delete mode 100644 changelog.d/dockerfile-config-perms.fix delete mode 100644 changelog.d/emoji-pack-sanitization.security delete mode 100644 changelog.d/emoji-policy.add delete mode 100644 changelog.d/featured-collection-shouldnt-break-user-fetch.fix delete mode 100644 changelog.d/fix-object-test.fix delete mode 100644 changelog.d/gentoo_otp.skip delete mode 100644 changelog.d/gentoo_otp_hotfix.skip delete mode 100644 changelog.d/gentoo_otp_intro.skip delete mode 100644 changelog.d/handle-report-from-deactivated-user.fix delete mode 100644 changelog.d/lint.skip delete mode 100644 changelog.d/media-altdomain.skip delete mode 100644 changelog.d/no_new_privs.add delete mode 100644 changelog.d/otp_perms.security delete mode 100644 changelog.d/pipeline-triggers.skip delete mode 100644 changelog.d/prevent-bypassing-authorized-fetch-mode.fix delete mode 100644 changelog.d/punycode-mention.fix delete mode 100644 changelog.d/quote.add delete mode 100644 changelog.d/testfix-system-config-use.skip delete mode 100644 changelog.d/unified-streaming.add delete mode 100644 changelog.d/update-credentials-limit-error.fix diff --git a/CHANGELOG.md b/CHANGELOG.md index 65acfad3e..211e611ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,19 +4,49 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). -## Unreleased - -### Changed +## 2.6.0 +### Security +- Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes. +- CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID +- Disable XML entity resolution completely to fix a dos vulnerability ### Added - Support for Image activities, namely from Hubzilla +- Add OAuth scope descriptions +- Allow lang attribute in status text +- OnlyMedia Upload Filter +- Implement MRF policy to reject or delist according to emojis +- (hardening) Add no_new_privs=yes to OpenRC service files +- Implement quotes +- Add unified streaming endpoint ### Fixed - - rel="me" was missing its cache +- MediaProxy responses now return a sandbox CSP header +- Filter context activities using Visibility.visible_for_user? +- UploadedMedia: Add missing disposition_type to Content-Disposition +- fix not being able to fetch flash file from remote instance +- Fix abnormal behaviour when refetching a poll +- Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects" +- Fix opengraph and twitter card meta tags +- ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts +- OEmbed HTML tags are now filtered +- Restrict attachments to only uploaded files only +- Fix error 404 when deleting status of a banned user +- Fix config ownership in dockerfile to pass restriction test +- Fix user fetch completely broken if featured collection is not in a supported form +- Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty +- Fix handling report from a deactivated user +- Prevent using the .json format to bypass authorized fetch mode +- Fix mentioning punycode domains when using Markdown +- Show more informative errors when profile exceeds char limits ### Removed - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact) +- remove BBS/SSH feature, replaced by an external bridge. +- Remove a few unused indexes. +- Cleanup OStatus-era user upgrades and ap_enabled indicator +- Deprecate Pleroma's audio scrobbling ## 2.5.4 diff --git a/changelog.d/2023-06-deps-update.skip b/changelog.d/2023-06-deps-update.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3126.fix b/changelog.d/3126.fix deleted file mode 100644 index 91d396c89..000000000 --- a/changelog.d/3126.fix +++ /dev/null @@ -1 +0,0 @@ -MediaProxy responses now return a sandbox CSP header diff --git a/changelog.d/3739.skip b/changelog.d/3739.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3801.fix b/changelog.d/3801.fix deleted file mode 100644 index 8c2ec0199..000000000 --- a/changelog.d/3801.fix +++ /dev/null @@ -1 +0,0 @@ -Filter context activities using Visibility.visible_for_user? diff --git a/changelog.d/3831.skip b/changelog.d/3831.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3848.add b/changelog.d/3848.add deleted file mode 100644 index d7b1b0a84..000000000 --- a/changelog.d/3848.add +++ /dev/null @@ -1 +0,0 @@ -Add OAuth scope descriptions diff --git a/changelog.d/3870.skip b/changelog.d/3870.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3872.remove b/changelog.d/3872.remove deleted file mode 100644 index 54cbb660e..000000000 --- a/changelog.d/3872.remove +++ /dev/null @@ -1 +0,0 @@ -remove BBS/SSH feature, replaced by an external bridge. \ No newline at end of file diff --git a/changelog.d/3873.fix b/changelog.d/3873.fix deleted file mode 100644 index 4699f7b58..000000000 --- a/changelog.d/3873.fix +++ /dev/null @@ -1 +0,0 @@ -UploadedMedia: Add missing disposition_type to Content-Disposition \ No newline at end of file diff --git a/changelog.d/3874.remove b/changelog.d/3874.remove deleted file mode 100644 index a81f744bf..000000000 --- a/changelog.d/3874.remove +++ /dev/null @@ -1 +0,0 @@ -Remove a few unused indexes. diff --git a/changelog.d/3876.skip b/changelog.d/3876.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3877.skip b/changelog.d/3877.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3878.skip b/changelog.d/3878.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3879.fix b/changelog.d/3879.fix deleted file mode 100644 index 7c58cc3c2..000000000 --- a/changelog.d/3879.fix +++ /dev/null @@ -1 +0,0 @@ -fix not being able to fetch flash file from remote instance \ No newline at end of file diff --git a/changelog.d/3880.remove b/changelog.d/3880.remove deleted file mode 100644 index 113c76c85..000000000 --- a/changelog.d/3880.remove +++ /dev/null @@ -1 +0,0 @@ -Cleanup OStatus-era user upgrades and ap_enabled indicator \ No newline at end of file diff --git a/changelog.d/3882.add b/changelog.d/3882.add deleted file mode 100644 index 4712de1dc..000000000 --- a/changelog.d/3882.add +++ /dev/null @@ -1 +0,0 @@ -Allow lang attribute in status text diff --git a/changelog.d/3883.fix b/changelog.d/3883.fix deleted file mode 100644 index 6824f2013..000000000 --- a/changelog.d/3883.fix +++ /dev/null @@ -1 +0,0 @@ -Fix abnormal behaviour when refetching a poll diff --git a/changelog.d/3884.fix b/changelog.d/3884.fix deleted file mode 100644 index f8dbb2bbf..000000000 --- a/changelog.d/3884.fix +++ /dev/null @@ -1 +0,0 @@ -Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects" \ No newline at end of file diff --git a/changelog.d/3885.fix b/changelog.d/3885.fix deleted file mode 100644 index c5fbb0ed4..000000000 --- a/changelog.d/3885.fix +++ /dev/null @@ -1 +0,0 @@ -Fix opengraph and twitter card meta tags diff --git a/changelog.d/3888.fix b/changelog.d/3888.fix deleted file mode 100644 index 886aa7b39..000000000 --- a/changelog.d/3888.fix +++ /dev/null @@ -1 +0,0 @@ -ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts \ No newline at end of file diff --git a/changelog.d/3891.fix b/changelog.d/3891.fix deleted file mode 100644 index f1fb62d82..000000000 --- a/changelog.d/3891.fix +++ /dev/null @@ -1 +0,0 @@ -OEmbed HTML tags are now filtered diff --git a/changelog.d/3893.skip b/changelog.d/3893.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3897.add b/changelog.d/3897.add deleted file mode 100644 index 5c4402f45..000000000 --- a/changelog.d/3897.add +++ /dev/null @@ -1 +0,0 @@ -OnlyMedia Upload Filter diff --git a/changelog.d/3899.skip b/changelog.d/3899.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3901.security b/changelog.d/3901.security deleted file mode 100644 index a3d8bd01f..000000000 --- a/changelog.d/3901.security +++ /dev/null @@ -1 +0,0 @@ -Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes. diff --git a/changelog.d/3902.skip b/changelog.d/3902.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3909.skip b/changelog.d/3909.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/akkoma-xml-remote-entities.security b/changelog.d/akkoma-xml-remote-entities.security deleted file mode 100644 index 5e6725e5b..000000000 --- a/changelog.d/akkoma-xml-remote-entities.security +++ /dev/null @@ -1 +0,0 @@ -Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem diff --git a/changelog.d/amd64-runner.skip b/changelog.d/amd64-runner.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/attachment-type-check.fix b/changelog.d/attachment-type-check.fix deleted file mode 100644 index 9e14b75f1..000000000 --- a/changelog.d/attachment-type-check.fix +++ /dev/null @@ -1 +0,0 @@ -Restrict attachments to only uploaded files only diff --git a/changelog.d/changelog-improve.skip b/changelog.d/changelog-improve.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/check-attachment-attribution.security b/changelog.d/check-attachment-attribution.security deleted file mode 100644 index e0e46525b..000000000 --- a/changelog.d/check-attachment-attribution.security +++ /dev/null @@ -1 +0,0 @@ -CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID diff --git a/changelog.d/delete-status-of-banned-user.fix b/changelog.d/delete-status-of-banned-user.fix deleted file mode 100644 index 1fa6a29d8..000000000 --- a/changelog.d/delete-status-of-banned-user.fix +++ /dev/null @@ -1 +0,0 @@ -Fix error 404 when deleting status of a banned user diff --git a/changelog.d/deprecate-scrobbles.remove b/changelog.d/deprecate-scrobbles.remove deleted file mode 100644 index c453a9784..000000000 --- a/changelog.d/deprecate-scrobbles.remove +++ /dev/null @@ -1 +0,0 @@ -Deprecate Pleroma's audio scrobbling diff --git a/changelog.d/disable-xml-entity-resolution.security b/changelog.d/disable-xml-entity-resolution.security deleted file mode 100644 index db8e12f67..000000000 --- a/changelog.d/disable-xml-entity-resolution.security +++ /dev/null @@ -1 +0,0 @@ -Disable XML entity resolution completely to fix a dos vulnerability diff --git a/changelog.d/distro-docs-elixir-1.11.skip b/changelog.d/distro-docs-elixir-1.11.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/dockerfile-config-perms.fix b/changelog.d/dockerfile-config-perms.fix deleted file mode 100644 index 49ea5becb..000000000 --- a/changelog.d/dockerfile-config-perms.fix +++ /dev/null @@ -1 +0,0 @@ -- Fix config ownership in dockerfile to pass restriction test diff --git a/changelog.d/emoji-pack-sanitization.security b/changelog.d/emoji-pack-sanitization.security deleted file mode 100644 index f3218abd4..000000000 --- a/changelog.d/emoji-pack-sanitization.security +++ /dev/null @@ -1 +0,0 @@ -Emoji pack loader sanitizes pack names diff --git a/changelog.d/emoji-policy.add b/changelog.d/emoji-policy.add deleted file mode 100644 index 45510c4f6..000000000 --- a/changelog.d/emoji-policy.add +++ /dev/null @@ -1 +0,0 @@ -Implement MRF policy to reject or delist according to emojis diff --git a/changelog.d/featured-collection-shouldnt-break-user-fetch.fix b/changelog.d/featured-collection-shouldnt-break-user-fetch.fix deleted file mode 100644 index e8ce288cc..000000000 --- a/changelog.d/featured-collection-shouldnt-break-user-fetch.fix +++ /dev/null @@ -1 +0,0 @@ -Fix user fetch completely broken if featured collection is not in a supported form diff --git a/changelog.d/fix-object-test.fix b/changelog.d/fix-object-test.fix deleted file mode 100644 index 5eea719f0..000000000 --- a/changelog.d/fix-object-test.fix +++ /dev/null @@ -1 +0,0 @@ -Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty diff --git a/changelog.d/gentoo_otp.skip b/changelog.d/gentoo_otp.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/gentoo_otp_hotfix.skip b/changelog.d/gentoo_otp_hotfix.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/gentoo_otp_intro.skip b/changelog.d/gentoo_otp_intro.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/handle-report-from-deactivated-user.fix b/changelog.d/handle-report-from-deactivated-user.fix deleted file mode 100644 index 6692d1aa8..000000000 --- a/changelog.d/handle-report-from-deactivated-user.fix +++ /dev/null @@ -1 +0,0 @@ -Fix handling report from a deactivated user diff --git a/changelog.d/lint.skip b/changelog.d/lint.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/media-altdomain.skip b/changelog.d/media-altdomain.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/no_new_privs.add b/changelog.d/no_new_privs.add deleted file mode 100644 index b67396a4b..000000000 --- a/changelog.d/no_new_privs.add +++ /dev/null @@ -1 +0,0 @@ -(hardening) Add no_new_privs=yes to OpenRC service files diff --git a/changelog.d/otp_perms.security b/changelog.d/otp_perms.security deleted file mode 100644 index a3da1c677..000000000 --- a/changelog.d/otp_perms.security +++ /dev/null @@ -1 +0,0 @@ -- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories \ No newline at end of file diff --git a/changelog.d/pipeline-triggers.skip b/changelog.d/pipeline-triggers.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix deleted file mode 100644 index 12f7260d7..000000000 --- a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix +++ /dev/null @@ -1 +0,0 @@ -Prevent using the .json format to bypass authorized fetch mode \ No newline at end of file diff --git a/changelog.d/punycode-mention.fix b/changelog.d/punycode-mention.fix deleted file mode 100644 index f013c2dac..000000000 --- a/changelog.d/punycode-mention.fix +++ /dev/null @@ -1 +0,0 @@ -Fix mentioning punycode domains when using Markdown diff --git a/changelog.d/quote.add b/changelog.d/quote.add deleted file mode 100644 index 1c368ae75..000000000 --- a/changelog.d/quote.add +++ /dev/null @@ -1 +0,0 @@ -Implement quotes diff --git a/changelog.d/testfix-system-config-use.skip b/changelog.d/testfix-system-config-use.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/unified-streaming.add b/changelog.d/unified-streaming.add deleted file mode 100644 index 84821fcc8..000000000 --- a/changelog.d/unified-streaming.add +++ /dev/null @@ -1 +0,0 @@ -Add unified streaming endpoint diff --git a/changelog.d/update-credentials-limit-error.fix b/changelog.d/update-credentials-limit-error.fix deleted file mode 100644 index 7682f958e..000000000 --- a/changelog.d/update-credentials-limit-error.fix +++ /dev/null @@ -1 +0,0 @@ -Show more informative errors when profile exceeds char limits diff --git a/mix.exs b/mix.exs index b071e7c7b..082b39e55 100644 --- a/mix.exs +++ b/mix.exs @@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do def project do [ app: :pleroma, - version: version("2.5.54"), + version: version("2.6.0"), elixir: "~> 1.11", elixirc_paths: elixirc_paths(Mix.env()), compilers: [:phoenix] ++ Mix.compilers(),