Bump version to 2.6.0

tusooa 2023-10-24 19:57:31 -04:00
parent e3ea311cd5
commit a2a69709b5
No known key found for this signature in database
GPG Key ID: 42AEC43D48433C51
58 changed files with 35 additions and 40 deletions

View File

@ -4,19 +4,49 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
### Changed
## 2.6.0
### Security
- Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
- CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
- Disable XML entity resolution completely to fix a dos vulnerability
### Added
- Support for Image activities, namely from Hubzilla
- Add OAuth scope descriptions
- Allow lang attribute in status text
- OnlyMedia Upload Filter
- Implement MRF policy to reject or delist according to emojis
- (hardening) Add no_new_privs=yes to OpenRC service files
- Implement quotes
- Add unified streaming endpoint
### Fixed
- rel="me" was missing its cache
- MediaProxy responses now return a sandbox CSP header
- Filter context activities using Visibility.visible_for_user?
- UploadedMedia: Add missing disposition_type to Content-Disposition
- fix not being able to fetch flash file from remote instance
- Fix abnormal behaviour when refetching a poll
- Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects"
- Fix opengraph and twitter card meta tags
- ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts
- OEmbed HTML tags are now filtered
- Restrict attachments to only uploaded files only
- Fix error 404 when deleting status of a banned user
- Fix config ownership in dockerfile to pass restriction test
- Fix user fetch completely broken if featured collection is not in a supported form
- Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty
- Fix handling report from a deactivated user
- Prevent using the .json format to bypass authorized fetch mode
- Fix mentioning punycode domains when using Markdown
- Show more informative errors when profile exceeds char limits
### Removed
- BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)
- remove BBS/SSH feature, replaced by an external bridge.
- Remove a few unused indexes.
- Cleanup OStatus-era user upgrades and ap_enabled indicator
- Deprecate Pleroma's audio scrobbling
## 2.5.4
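Review bot: three changelog.d entries deleted in this commit do not appear in the visible part of this CHANGELOG.md hunk: "Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem", "Emoji pack loader sanitizes pack names" and "Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories". The header counts 49 new lines and fewer are shown here, so please confirm they were carried into the 2.6.0 section (the XXE fix under "### Security") rather than dropped. Smaller points in the same hunk: "## Unreleased" is left with an empty "### Changed" heading; the Preload entry reads "keep it safe it that ever changes" (should be "if"); "Restrict attachments to only uploaded files only" repeats "only"; "dos vulnerability" should be "DoS vulnerability"; and list items mix sentence case and trailing periods ("remove BBS/SSH feature, replaced by an external bridge." next to "Implement quotes").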

View File

@ -1 +0,0 @@
MediaProxy responses now return a sandbox CSP header

View File

@ -1 +0,0 @@
Filter context activities using Visibility.visible_for_user?

View File

@ -1 +0,0 @@
Add OAuth scope descriptions

View File

@ -1 +0,0 @@
remove BBS/SSH feature, replaced by an external bridge.

View File

@ -1 +0,0 @@
UploadedMedia: Add missing disposition_type to Content-Disposition

View File

@ -1 +0,0 @@
Remove a few unused indexes.

View File

@ -1 +0,0 @@
fix not being able to fetch flash file from remote instance

View File

@ -1 +0,0 @@
Cleanup OStatus-era user upgrades and ap_enabled indicator

View File

@ -1 +0,0 @@
Allow lang attribute in status text

View File

@ -1 +0,0 @@
Fix abnormal behaviour when refetching a poll

View File

@ -1 +0,0 @@
Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects"

View File

@ -1 +0,0 @@
Fix opengraph and twitter card meta tags

View File

@ -1 +0,0 @@
ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts

View File

@ -1 +0,0 @@
OEmbed HTML tags are now filtered

View File

@ -1 +0,0 @@
OnlyMedia Upload Filter

View File

@ -1 +0,0 @@
Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.

View File

@ -1 +0,0 @@
Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
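Review bot: this deleted entry is not visible in the CHANGELOG.md hunk for 2.6.0, and it is a security fix, so it belongs under the 2.6.0 "### Security" section next to "Disable XML entity resolution completely to fix a dos vulnerability" unless it was already published in an earlier release; please confirm. If the text is carried over, fix "arbitary" to "arbitrary".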

View File

@ -1 +0,0 @@
Restrict attachments to only uploaded files only

View File

@ -1 +0,0 @@
CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID

View File

@ -1 +0,0 @@
Fix error 404 when deleting status of a banned user

View File

@ -1 +0,0 @@
Deprecate Pleroma's audio scrobbling

View File

@ -1 +0,0 @@
Disable XML entity resolution completely to fix a dos vulnerability

View File

@ -1 +0,0 @@
- Fix config ownership in dockerfile to pass restriction test

View File

@ -1 +0,0 @@
Emoji pack loader sanitizes pack names
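Review bot: this deleted entry does not appear in the visible CHANGELOG.md hunk; since it describes input sanitisation of pack names it should be carried into the 2.6.0 section ("### Security" or "### Fixed") rather than lost with the file deletion, unless it was already released in a 2.5.x entry.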

View File

@ -1 +0,0 @@
Implement MRF policy to reject or delist according to emojis

View File

@ -1 +0,0 @@
Fix user fetch completely broken if featured collection is not in a supported form

View File

@ -1 +0,0 @@
Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty

View File

@ -1 +0,0 @@
Fix handling report from a deactivated user

View File

@ -1 +0,0 @@
(hardening) Add no_new_privs=yes to OpenRC service files

View File

@ -1 +0,0 @@
- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
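Review bot: this deleted entry is not visible in the CHANGELOG.md hunk, and it documents a behaviour change operators need to know about (pre-creating directories on distros that need group-read), so it should be carried into the 2.6.0 "### Changed" section, which is currently empty under "## Unreleased". Note the file also carried a leading "- " unlike the other changelog.d entries, so drop the dash if it is copied over.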

View File

@ -1 +0,0 @@
Prevent using the .json format to bypass authorized fetch mode

View File

@ -1 +0,0 @@
Fix mentioning punycode domains when using Markdown

View File

@ -1 +0,0 @@
Implement quotes

View File

@ -1 +0,0 @@
Add unified streaming endpoint

View File

@ -1 +0,0 @@
Show more informative errors when profile exceeds char limits

View File

@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
def project do
[
app: :pleroma,
version: version("2.5.54"),
version: version("2.6.0"),
elixir: "~> 1.11",
elixirc_paths: elixirc_paths(Mix.env()),
compilers: [:phoenix] ++ Mix.compilers(),