diff --git a/.gitlab/merge_request_templates/Release.md b/.gitlab/merge_request_templates/Release.md index 9638d6d11..e57556e6c 100644 --- a/.gitlab/merge_request_templates/Release.md +++ b/.gitlab/merge_request_templates/Release.md @@ -1,6 +1,6 @@ ### Release checklist * [ ] Bump version in `mix.exs` -* [ ] Compile a changelog +* [ ] Compile a changelog with the `tools/collect-changelog` script * [ ] Create an MR with an announcement to pleroma.social #### post-merge * [ ] Tag the release on the merge commit diff --git a/CHANGELOG.md b/CHANGELOG.md index 65acfad3e..394eb5179 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,19 +4,65 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). -## Unreleased - -### Changed +## 2.6.0 +### Security +- Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes. +- CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID +- Disable XML entity resolution completely to fix a dos vulnerability ### Added - Support for Image activities, namely from Hubzilla +- Add OAuth scope descriptions +- Allow lang attribute in status text +- OnlyMedia Upload Filter +- Implement MRF policy to reject or delist according to emojis +- (hardening) Add no_new_privs=yes to OpenRC service files +- Implement quotes +- Add unified streaming endpoint ### Fixed - - rel="me" was missing its cache +- MediaProxy responses now return a sandbox CSP header +- Filter context activities using Visibility.visible_for_user? +- UploadedMedia: Add missing disposition_type to Content-Disposition +- fix not being able to fetch flash file from remote instance +- Fix abnormal behaviour when refetching a poll +- Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects" +- Fix opengraph and twitter card meta tags +- ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts +- OEmbed HTML tags are now filtered +- Restrict attachments to only uploaded files only +- Fix error 404 when deleting status of a banned user +- Fix config ownership in dockerfile to pass restriction test +- Fix user fetch completely broken if featured collection is not in a supported form +- Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty +- Fix handling report from a deactivated user +- Prevent using the .json format to bypass authorized fetch mode +- Fix mentioning punycode domains when using Markdown +- Show more informative errors when profile exceeds char limits ### Removed - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact) +- remove BBS/SSH feature, replaced by an external bridge. +- Remove a few unused indexes. +- Cleanup OStatus-era user upgrades and ap_enabled indicator +- Deprecate Pleroma's audio scrobbling + +## 2.5.4 + +## Security +- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem + +## 2.5.3 + +### Security +- Emoji pack loader sanitizes pack names +- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories + +## 2.5.5 + +## Security +- Prevent users from accessing media of other users by creating a status with reused attachment ID ## 2.5.4 diff --git a/changelog.d/2023-06-deps-update.skip b/changelog.d/2.6.0-mergeback.skip similarity index 100% rename from changelog.d/2023-06-deps-update.skip rename to changelog.d/2.6.0-mergeback.skip diff --git a/changelog.d/3126.fix b/changelog.d/3126.fix deleted file mode 100644 index 91d396c89..000000000 --- a/changelog.d/3126.fix +++ /dev/null @@ -1 +0,0 @@ -MediaProxy responses now return a sandbox CSP header diff --git a/changelog.d/3739.skip b/changelog.d/3739.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3801.fix b/changelog.d/3801.fix deleted file mode 100644 index 8c2ec0199..000000000 --- a/changelog.d/3801.fix +++ /dev/null @@ -1 +0,0 @@ -Filter context activities using Visibility.visible_for_user? diff --git a/changelog.d/3831.skip b/changelog.d/3831.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3848.add b/changelog.d/3848.add deleted file mode 100644 index d7b1b0a84..000000000 --- a/changelog.d/3848.add +++ /dev/null @@ -1 +0,0 @@ -Add OAuth scope descriptions diff --git a/changelog.d/3870.skip b/changelog.d/3870.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3872.remove b/changelog.d/3872.remove deleted file mode 100644 index 54cbb660e..000000000 --- a/changelog.d/3872.remove +++ /dev/null @@ -1 +0,0 @@ -remove BBS/SSH feature, replaced by an external bridge. \ No newline at end of file diff --git a/changelog.d/3873.fix b/changelog.d/3873.fix deleted file mode 100644 index 4699f7b58..000000000 --- a/changelog.d/3873.fix +++ /dev/null @@ -1 +0,0 @@ -UploadedMedia: Add missing disposition_type to Content-Disposition \ No newline at end of file diff --git a/changelog.d/3874.remove b/changelog.d/3874.remove deleted file mode 100644 index a81f744bf..000000000 --- a/changelog.d/3874.remove +++ /dev/null @@ -1 +0,0 @@ -Remove a few unused indexes. diff --git a/changelog.d/3876.skip b/changelog.d/3876.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3877.skip b/changelog.d/3877.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3878.skip b/changelog.d/3878.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3879.fix b/changelog.d/3879.fix deleted file mode 100644 index 7c58cc3c2..000000000 --- a/changelog.d/3879.fix +++ /dev/null @@ -1 +0,0 @@ -fix not being able to fetch flash file from remote instance \ No newline at end of file diff --git a/changelog.d/3880.remove b/changelog.d/3880.remove deleted file mode 100644 index 113c76c85..000000000 --- a/changelog.d/3880.remove +++ /dev/null @@ -1 +0,0 @@ -Cleanup OStatus-era user upgrades and ap_enabled indicator \ No newline at end of file diff --git a/changelog.d/3882.add b/changelog.d/3882.add deleted file mode 100644 index 4712de1dc..000000000 --- a/changelog.d/3882.add +++ /dev/null @@ -1 +0,0 @@ -Allow lang attribute in status text diff --git a/changelog.d/3883.fix b/changelog.d/3883.fix deleted file mode 100644 index 6824f2013..000000000 --- a/changelog.d/3883.fix +++ /dev/null @@ -1 +0,0 @@ -Fix abnormal behaviour when refetching a poll diff --git a/changelog.d/3884.fix b/changelog.d/3884.fix deleted file mode 100644 index f8dbb2bbf..000000000 --- a/changelog.d/3884.fix +++ /dev/null @@ -1 +0,0 @@ -Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects" \ No newline at end of file diff --git a/changelog.d/3885.fix b/changelog.d/3885.fix deleted file mode 100644 index c5fbb0ed4..000000000 --- a/changelog.d/3885.fix +++ /dev/null @@ -1 +0,0 @@ -Fix opengraph and twitter card meta tags diff --git a/changelog.d/3888.fix b/changelog.d/3888.fix deleted file mode 100644 index 886aa7b39..000000000 --- a/changelog.d/3888.fix +++ /dev/null @@ -1 +0,0 @@ -ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts \ No newline at end of file diff --git a/changelog.d/3891.fix b/changelog.d/3891.fix deleted file mode 100644 index f1fb62d82..000000000 --- a/changelog.d/3891.fix +++ /dev/null @@ -1 +0,0 @@ -OEmbed HTML tags are now filtered diff --git a/changelog.d/3893.skip b/changelog.d/3893.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3897.add b/changelog.d/3897.add deleted file mode 100644 index 5c4402f45..000000000 --- a/changelog.d/3897.add +++ /dev/null @@ -1 +0,0 @@ -OnlyMedia Upload Filter diff --git a/changelog.d/3899.skip b/changelog.d/3899.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3901.security b/changelog.d/3901.security deleted file mode 100644 index a3d8bd01f..000000000 --- a/changelog.d/3901.security +++ /dev/null @@ -1 +0,0 @@ -Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes. diff --git a/changelog.d/3902.skip b/changelog.d/3902.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/3909.skip b/changelog.d/3909.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/amd64-runner.skip b/changelog.d/amd64-runner.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/attachment-type-check.fix b/changelog.d/attachment-type-check.fix deleted file mode 100644 index 9e14b75f1..000000000 --- a/changelog.d/attachment-type-check.fix +++ /dev/null @@ -1 +0,0 @@ -Restrict attachments to only uploaded files only diff --git a/changelog.d/changelog-improve.skip b/changelog.d/changelog-improve.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/delete-status-of-banned-user.fix b/changelog.d/delete-status-of-banned-user.fix deleted file mode 100644 index 1fa6a29d8..000000000 --- a/changelog.d/delete-status-of-banned-user.fix +++ /dev/null @@ -1 +0,0 @@ -Fix error 404 when deleting status of a banned user diff --git a/changelog.d/deprecate-scrobbles.remove b/changelog.d/deprecate-scrobbles.remove deleted file mode 100644 index c453a9784..000000000 --- a/changelog.d/deprecate-scrobbles.remove +++ /dev/null @@ -1 +0,0 @@ -Deprecate Pleroma's audio scrobbling diff --git a/changelog.d/disable-xml-entity-resolution.security b/changelog.d/disable-xml-entity-resolution.security deleted file mode 100644 index db8e12f67..000000000 --- a/changelog.d/disable-xml-entity-resolution.security +++ /dev/null @@ -1 +0,0 @@ -Disable XML entity resolution completely to fix a dos vulnerability diff --git a/changelog.d/distro-docs-elixir-1.11.skip b/changelog.d/distro-docs-elixir-1.11.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/dockerfile-config-perms.fix b/changelog.d/dockerfile-config-perms.fix deleted file mode 100644 index 49ea5becb..000000000 --- a/changelog.d/dockerfile-config-perms.fix +++ /dev/null @@ -1 +0,0 @@ -- Fix config ownership in dockerfile to pass restriction test diff --git a/changelog.d/emoji-policy.add b/changelog.d/emoji-policy.add deleted file mode 100644 index 45510c4f6..000000000 --- a/changelog.d/emoji-policy.add +++ /dev/null @@ -1 +0,0 @@ -Implement MRF policy to reject or delist according to emojis diff --git a/changelog.d/featured-collection-shouldnt-break-user-fetch.fix b/changelog.d/featured-collection-shouldnt-break-user-fetch.fix deleted file mode 100644 index e8ce288cc..000000000 --- a/changelog.d/featured-collection-shouldnt-break-user-fetch.fix +++ /dev/null @@ -1 +0,0 @@ -Fix user fetch completely broken if featured collection is not in a supported form diff --git a/changelog.d/fix-object-test.fix b/changelog.d/fix-object-test.fix deleted file mode 100644 index 5eea719f0..000000000 --- a/changelog.d/fix-object-test.fix +++ /dev/null @@ -1 +0,0 @@ -Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty diff --git a/changelog.d/gentoo_otp.skip b/changelog.d/gentoo_otp.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/gentoo_otp_hotfix.skip b/changelog.d/gentoo_otp_hotfix.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/gentoo_otp_intro.skip b/changelog.d/gentoo_otp_intro.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/handle-report-from-deactivated-user.fix b/changelog.d/handle-report-from-deactivated-user.fix deleted file mode 100644 index 6692d1aa8..000000000 --- a/changelog.d/handle-report-from-deactivated-user.fix +++ /dev/null @@ -1 +0,0 @@ -Fix handling report from a deactivated user diff --git a/changelog.d/lint.skip b/changelog.d/lint.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/media-altdomain.skip b/changelog.d/media-altdomain.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/no_new_privs.add b/changelog.d/no_new_privs.add deleted file mode 100644 index b67396a4b..000000000 --- a/changelog.d/no_new_privs.add +++ /dev/null @@ -1 +0,0 @@ -(hardening) Add no_new_privs=yes to OpenRC service files diff --git a/changelog.d/pipeline-triggers.skip b/changelog.d/pipeline-triggers.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix deleted file mode 100644 index 12f7260d7..000000000 --- a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix +++ /dev/null @@ -1 +0,0 @@ -Prevent using the .json format to bypass authorized fetch mode \ No newline at end of file diff --git a/changelog.d/punycode-mention.fix b/changelog.d/punycode-mention.fix deleted file mode 100644 index f013c2dac..000000000 --- a/changelog.d/punycode-mention.fix +++ /dev/null @@ -1 +0,0 @@ -Fix mentioning punycode domains when using Markdown diff --git a/changelog.d/quote.add b/changelog.d/quote.add deleted file mode 100644 index 1c368ae75..000000000 --- a/changelog.d/quote.add +++ /dev/null @@ -1 +0,0 @@ -Implement quotes diff --git a/changelog.d/testfix-system-config-use.skip b/changelog.d/testfix-system-config-use.skip deleted file mode 100644 index e69de29bb..000000000 diff --git a/changelog.d/unified-streaming.add b/changelog.d/unified-streaming.add deleted file mode 100644 index 84821fcc8..000000000 --- a/changelog.d/unified-streaming.add +++ /dev/null @@ -1 +0,0 @@ -Add unified streaming endpoint diff --git a/changelog.d/update-credentials-limit-error.fix b/changelog.d/update-credentials-limit-error.fix deleted file mode 100644 index 7682f958e..000000000 --- a/changelog.d/update-credentials-limit-error.fix +++ /dev/null @@ -1 +0,0 @@ -Show more informative errors when profile exceeds char limits diff --git a/mix.exs b/mix.exs index b071e7c7b..3c1ce1f7e 100644 --- a/mix.exs +++ b/mix.exs @@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do def project do [ app: :pleroma, - version: version("2.5.54"), + version: version("2.6.50"), elixir: "~> 1.11", elixirc_paths: elixirc_paths(Mix.env()), compilers: [:phoenix] ++ Mix.compilers(), diff --git a/priv/static/index.html b/priv/static/index.html index 7dd5d0b78..52ff685c0 100644 --- a/priv/static/index.html +++ b/priv/static/index.html @@ -1 +1 @@ -