Merge branch 'stable' into 'release/2.6.0'

# Conflicts:
#   .gitlab-ci.yml
#   lib/pleroma/web/common_api/utils.ex
#   lib/pleroma/web/xml.ex
#   mix.exs
#   test/pleroma/web/activity_pub/transmogrifier/emoji_react_handling_test.exs
#   test/pleroma/web/common_api/utils_test.exs
#   test/pleroma/web/mastodon_api/update_credentials_test.exs
#   test/pleroma/web/xml_test.exs

CHANGELOG.md

@@ -59,6 +59,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Emoji pack loader sanitizes pack names
 - Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
 
+## 2.5.5
+
+## Security
+- Prevent users from accessing media of other users by creating a status with reused attachment ID
+
+## 2.5.4
+
+## Security
+- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
+
+## 2.5.3
+
+### Security
+- Emoji pack loader sanitizes pack names
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
+
 ## 2.5.2
 
 ### Security

changelog.d/akkoma-xml-remote-entities.security

@@ -0,0 +1 @@
+Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem

changelog.d/check-attachment-attribution.security

@@ -0,0 +1 @@
+CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID

changelog.d/emoji-pack-sanitization.security

@@ -0,0 +1 @@
+Emoji pack loader sanitizes pack names

changelog.d/otp_perms.security

@@ -0,0 +1 @@
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories