forgejo/release-notes-published/11.0.11.md
forgejo-release-manager 192052e3e4 chore(release-notes): Forgejo v11.0.11 [skip ci] (#11582)
https://codeberg.org/forgejo/forgejo/milestone/47802
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11582
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
2026-03-09 06:58:38 +01:00


Release notes

  • Security bug fixes
    • PR: fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the S256 algorithm
    • PR: fix: when an OAuth access token was presented through HTTP basic authentication (which Forgejo supports) rather than as a Bearer token, the limited scopes of the OAuth grant were not applied
    • PR: fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
    • PR: fix: email notifications for new releases could be sent to users who no longer have access to the repository, or to inactive users
    • PR: fix: missing permission checks allowed the open/closed state of user/org-owned projects to be changed via insecure direct object references
    • PR: fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
    • PR: fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects
  • Included for completeness but not user-facing (chores, etc.)
    • PR: Update dependency go to v1.25.8 (v11.0/forgejo)
    • PR: Update dependency svgo to v3.3.3 [SECURITY] (v11.0/forgejo)
    • PR: Update github.com/golang-jwt/jwt/v4 (indirect) to v4.5.2 [SECURITY] (v11.0/forgejo)
    • PR: Update github.com/cloudflare/circl (indirect) to v1.6.3 [SECURITY] (v11.0/forgejo)
    • PR: Update https://data.forgejo.org/actions/cascading-pr action to v2.3.0 (v11.0/forgejo)
    • PR: Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.7 (v11.0/forgejo)
    • PR: Update dependency minimatch to v10.2.3 [SECURITY] (v11.0/forgejo)
    • PR: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (v11.0/forgejo)
    • PR: Update dependency webpack to v5.104.1 [SECURITY] (v11.0/forgejo)
    • PR: Update module github.com/go-chi/chi/v5 to v5.2.4 [SECURITY] (v11.0/forgejo)
    • PR: Update dependency go to v1.25.7 (v11.0/forgejo)
    • PR: Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.5.1 (v11.0/forgejo)
    • PR: Update https://data.forgejo.org/infrastructure/issue-action action to v1.5.0 (v11.0/forgejo)
    • PR: Update dependency happy-dom to v20.0.2 [SECURITY] (v11.0/forgejo)
    • PR: Update dependency happy-dom to v20 [SECURITY] (v11.0/forgejo)
    • PR (backported): ci: tie go cache to go version and add Makefile to key hash
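The first security fix above concerns PKCE verification with the S256 method. The following Go program is an added example of what that verification has to do under RFC 7636; it is written for this page, is not Forgejo's code, and does not reproduce the fixed bug. The function and variable names are hypothetical. The only value not constructed here is the code_verifier/code_challenge pair, which is the S256 example from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// verifierRe enforces the code_verifier alphabet and length from RFC 7636 section 4.1:
// 43 to 128 characters drawn from the unreserved set.
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// S256Challenge derives the code_challenge from a code_verifier as RFC 7636
// section 4.2 specifies: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE checks the code_verifier presented at the token endpoint against the
// code_challenge and code_challenge_method that were stored with the authorization
// code. Hypothetical helper, not Forgejo's implementation. Policy choice made here:
// a challenge without a verifier, or a verifier without a challenge, is rejected so
// that a client cannot downgrade a flow that started with PKCE.
func VerifyPKCE(storedMethod, storedChallenge, verifier string) error {
	if storedChallenge == "" && verifier == "" {
		return nil // this client did not use PKCE
	}
	if storedChallenge == "" || verifier == "" {
		return errors.New("code_challenge and code_verifier must both be present or both be absent")
	}
	if !verifierRe.MatchString(verifier) {
		return errors.New("code_verifier has invalid length or characters")
	}
	var expected string
	switch storedMethod {
	case "S256":
		// The verifier must hash to the stored challenge; comparing the verifier
		// to the challenge directly, or skipping the hash, is the failure mode.
		expected = S256Challenge(verifier)
	case "plain":
		expected = verifier
	default:
		return fmt.Errorf("unsupported code_challenge_method %q", storedMethod)
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	// RFC 7636 Appendix B pair; everything else in this program is constructed.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	stored := S256Challenge(verifier)
	fmt.Println("challenge:", stored)
	fmt.Println("correct verifier:      ", VerifyPKCE("S256", stored, verifier))
	fmt.Println("tampered verifier:     ", VerifyPKCE("S256", stored, verifier+"x"))
	fmt.Println("challenge as verifier: ", VerifyPKCE("S256", stored, stored))
	fmt.Println("verifier omitted:      ", VerifyPKCE("S256", stored, ""))
}
```

The third case in main is the one worth keeping in mind when reviewing an identity provider: a verifier that equals the stored challenge must fail under S256, because only the SHA-256 digest of the verifier is allowed to match.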
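The last security fix above concerns post-login redirect parameters that could be turned into arbitrary redirects. The Go program below is an added example of a strict validator for such a parameter. It is written for this page, is not Forgejo's code, and is not based on the particular bypass the fix addresses, which the notes do not describe; it applies the generic checks a browser-facing redirect needs. Function names and all sample inputs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// hasUnsafeRune reports whether s contains characters that browsers strip or
// re-interpret when resolving a Location header: ASCII controls, whitespace,
// DEL, and backslash (which browsers treat as "/", so "/\host" becomes "//host").
func hasUnsafeRune(s string) bool {
	for _, r := range s {
		if r <= 0x20 || r == 0x7f || r == '\\' {
			return true
		}
	}
	return false
}

// SafeRedirectTarget validates a user-supplied post-login redirect parameter.
// Hypothetical helper, not Forgejo's implementation. It accepts only canonical,
// same-origin absolute paths (optionally with a query string) and returns the
// normalised target, or false when the value must be ignored in favour of the
// default landing page.
func SafeRedirectTarget(raw string) (string, bool) {
	// Must be rooted with exactly one slash: "//host" is protocol-relative,
	// "https://host" and "javascript:" are absolute, "" has no target.
	if !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") {
		return "", false
	}
	if hasUnsafeRune(raw) {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", false
	}
	// Re-check the percent-decoded path: "/%2F%2Fhost" and "/%5Chost" pass the
	// raw-string checks above but decode to forms that leave the origin.
	if strings.HasPrefix(u.Path, "//") || hasUnsafeRune(u.Path) {
		return "", false
	}
	// Refuse dot segments and doubled slashes outright instead of normalising
	// them, so the client never re-resolves something like "/x/../..//host".
	// A single trailing slash is tolerated.
	if u.Path != "/" && path.Clean(u.Path) != strings.TrimSuffix(u.Path, "/") {
		return "", false
	}
	return u.RequestURI(), true
}

func main() {
	// Constructed inputs, not values taken from a real request.
	inputs := []string{
		"/user/repo?tab=issues",
		"//evil.example/",
		"/\\evil.example",
		"/%2F%2Fevil.example",
		"/x/../..//evil.example",
		"https://evil.example/",
	}
	for _, in := range inputs {
		target, ok := SafeRedirectTarget(in)
		fmt.Printf("%-26q -> ok=%-5t target=%q\n", in, ok, target)
	}
}
```

The validator is deliberately an allow-list: anything that is not already a clean rooted path is dropped rather than repaired, because every normalisation step is one more place where the server and the browser can disagree about where the path leads.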