forgejo/release-notes-published/11.0.1.md
forgejo-release-manager 481c7aaf19 chore(release-notes): Forgejo v11.0.1 (#7764)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7764
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
2025-05-02 14:42:26 +00:00

Release notes

  • Security bug fixes
    • PR (backported): If LFS is enabled on a Forgejo instance with [server].LFS_START_SERVER = true (this is not the default), it was possible for a registered user to upload LFS files to a repository to which they only had read access. It was not possible for an anonymous user to do the same, even if they had read access to a public repository. The permissions are now correctly enforced and uploading LFS files is only allowed for registered users with write permission to the associated repository. It was also not possible to exploit the incorrect permission check to delete or overwrite an existing LFS file. Files that were uploaded to LFS in this way will not be obtained when someone does a git clone or git fetch on the associated repository. They are orphaned LFS files that can be removed from the /settings/lfs panel of the associated repository.
  • Security features
    • PR (backported): For a user account with 2FA (two-factor authentication) enrolled with a security key, the security key was not enforced when logging in with an external account (e.g. Codeberg or GitHub). The security key is now required even when logging in from an external account or linking a new external account to an existing local account, just as it is required when logging in with a username and password. This problem did not exist with 2FA enrolled with TOTP.
  • User Interface bug fixes
    • PR (backported): fix: display the list of tasks in the runner edit page
    • PR (backported): fix(ui): use gap in switch items
    • PR (backported): fix(ui/pr): use eye icon for reviews
    • PR: fix(ui): rescope menu height patch to overflow menu
    • PR: fix(ui): show commit icon in branch dropdown button when viewing a commit
  • Localization
    • PR: i18n: backport of translation updates
  • Bug fixes
    • PR (backported): fix(i18n): prevent incorrect logging on strings missing in JSON locales
  • Included for completeness but not worth a release note
    • PR (backported): chore: replace github.com/go-testfixtures/testfixtures
    • PR (backported): chore(release): next-digest moved to invisible.forgejo.org
    • PR (backported): fix: use linguist-generated for language stats
    • PR (backported): chore: tune down remote user promotion debug message shown as error
    • PR (backported): fix: set default restricted for OAuth2 user
    • PR (backported): chore: merge tests.AddFixtures and unittest.OverrideFixtures
    • PR (backported): fix(ui): make pagination labels always visible to screenreader
    • PR (backported): fix: delay-write trace.dat for forgejo diagnosis
    • PR: Update module github.com/mattn/go-sqlite3 to v1.14.28 (v11.0/forgejo)
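
For the LFS permission fix listed under "Security bug fixes", an added example (not part of the Forgejo release notes or code base) that reads the text of an app.ini and reports whether [server].LFS_START_SERVER is enabled, the precondition named in that note. The function name, the sample files and the accepted boolean spellings (those of Python's configparser, which may differ from Forgejo's own parser) are assumptions.

```python
import configparser

# Constructed sample configurations, not taken from a real instance.
SAMPLE_ENABLED = """\
APP_NAME = Example Forge
[server]
DOMAIN = git.example.org
LFS_START_SERVER = true
"""

SAMPLE_DEFAULT = """\
APP_NAME = Example Forge
[server]
DOMAIN = git.example.org
"""


def lfs_start_server_enabled(ini_text: str) -> bool:
    """Return True if [server] LFS_START_SERVER is set to a true value.

    A missing key or missing [server] section counts as False, matching the
    release note's statement that true is not the default. A value that
    cannot be read as a boolean is reported as True so it gets reviewed.
    """
    parser = configparser.ConfigParser(
        interpolation=None,    # values may contain a literal '%'
        strict=False,          # tolerate repeated sections or keys
        allow_no_value=True,   # tolerate bare keys without '='
    )
    # An app.ini normally starts with keys outside any section (APP_NAME,
    # RUN_USER, ...). configparser rejects those, so park them in a
    # placeholder section that is never read back.
    parser.read_string("[__top__]\n" + ini_text)
    if not parser.has_section("server"):
        return False
    try:
        # Option names are matched case-insensitively by configparser.
        return parser.getboolean("server", "LFS_START_SERVER", fallback=False)
    except ValueError:
        return True


if __name__ == "__main__":
    for name, text in (("enabled", SAMPLE_ENABLED), ("default", SAMPLE_DEFAULT)):
        state = "review LFS uploads" if lfs_start_server_enabled(text) else "not exposed"
        print(f"{name}: {state}")
```

On an instance where this returns True and that ran a release without the fix, the /settings/lfs panel of each repository is where orphaned LFS files can be reviewed and removed, as the note describes.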