Release: v2024.1-beta4.security1
parent da5dda40f0
commit d42f4bc98e
2 changed files with 14 additions and 1 deletions
13 CHANGELOG.md
|
@ -1,3 +1,16 @@
|
||||||
|
## v2024.1-beta4.security1
|
||||||
|
This is a security hotfix release. It's identical to v2024.1-beta4, except for the security mitigations listed below. Upgrading is strongly recommended for all server operators.
|
||||||
|
|
||||||
|
### Backend
|
||||||
|
- ActivityPub actor and note validation has been improved & now protects against cross-origin identifiers in more places, resolving a database pollution vulnerability
|
||||||
|
- Cross-origin `url` properties on actor & note objects now get set to null before ingestion, resolving a clickjacking vulnerability
|
||||||
|
- User resolution when processing incoming notes is now limited
|
||||||
|
|
||||||
|
### Attribution
|
||||||
|
This release was made possible by project contributors: Laura Hausmann
|
||||||
|
|
||||||
|
Furthermore, I want to give special thanks to Hazel Koehler for the vulnerability disclosure.
|
||||||
|
|
||||||
## v2024.1-beta4
|
## v2024.1-beta4
|
||||||
This release contains lots of new features & bug fixes, including security fixes. Upgrading is strongly recommended for all server operators.
|
This release contains lots of new features & bug fixes, including security fixes. Upgrading is strongly recommended for all server operators.
|
||||||
|
|
||||||
|
|
|
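Review bot: The third Backend bullet ("User resolution when processing incoming notes is now limited") does not say what the limit is or which issue it mitigates, while the two bullets above it each name the vulnerability they resolve (database pollution, clickjacking). Suggest stating the bound and the problem it addresses, so operators can judge their exposure. The entry also does not say whether servers that ingested cross-origin identifiers or `url` values before upgrading need any cleanup of already-stored actors and notes. One sentence on that would help anyone triaging an existing instance.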
@ -32,7 +32,7 @@
|
||||||
<!-- Version metadata -->
|
<!-- Version metadata -->
|
||||||
<PropertyGroup>
|
<PropertyGroup>
|
||||||
<VersionPrefix>2024.1</VersionPrefix>
|
<VersionPrefix>2024.1</VersionPrefix>
|
||||||
<VersionSuffix>beta4</VersionSuffix>
|
<VersionSuffix>beta4.security1</VersionSuffix>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|
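Review bot: On the `VersionSuffix` line, `beta4.security1` introduces a second dot-separated pre-release identifier. Under SemVer precedence it sorts above `beta4` and below a later `beta5`, which is the order a hotfix needs, but anything that parses or compares the suffix as a single `betaN` token should be checked against the new form. A short XML comment beside the property documenting the `.securityN` convention for hotfix releases would keep future security releases consistent.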