Age | Commit message | Author
---|---|---
2023-09-03 | CommonAPI: Prevent users from accessing media of other users | Mint
2023-08-30 | Skip changelog | tusooa
2023-08-16 | Merge branch 'csp-flash' into 'develop'<br>allow https: so that flash works across instances without need for media proxy. See merge request pleroma/pleroma!3879 | Haelwenn
2023-08-11 | Implement api/v2/instance route<br>Signed-off-by: marcin mikołajczak <git@mkljczk.pl> | marcin mikołajczak
2023-08-10 | Merge branch 'fix-dockerfile-perms' into 'develop'<br>Fix config ownership in dockerfile to pass restriction test. See merge request pleroma/pleroma!3931 | tusooa
2023-08-08 | Fix config ownership in dockerfile to pass restriction test | Cat pony Black
2023-08-05 | Completely disable xml entity resolution | mae
2023-08-05 | Merge branch 'docs/gentoo-otp-intro' into 'develop'<br>gentoo_otp_en.md: Indicate which install method it covers. See merge request pleroma/pleroma!3928 | Haelwenn
2023-08-05 | Mergeback release 2.5.4 | Haelwenn (lanodan) Monnier
2023-08-05 | Release 2.5.4 | Haelwenn (lanodan) Monnier
2023-08-05 | Document and test that XXE processing is disabled<br>https://vuln.be/post/xxe-in-erlang-and-elixir/ | Mark Felder
2023-08-05 | Document and test that XXE processing is disabled<br>https://vuln.be/post/xxe-in-erlang-and-elixir/ | Mark Felder
2023-08-04 | gentoo_otp_en.md: Indicate which install method it covers | Haelwenn (lanodan) Monnier
2023-08-04 | changelog: Entry for config permissions restrictions<br>Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135 | Haelwenn (lanodan) Monnier
2023-08-04 | changelog: Entry for config permissions restrictions<br>Closes: https://git.pleroma.social/pleroma/pleroma/-/issues/3135 | Haelwenn (lanodan) Monnier
2023-08-04 | Resolve information disclosure vulnerability through emoji pack archive download endpoint<br>The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded, which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org | Mark Felder
2023-08-04 | Resolve information disclosure vulnerability through emoji pack archive download endpoint<br>The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded, which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org | Mark Felder
2023-08-03 | Merge branch 'tusooa/3154-attachment-type-check' into 'develop'<br>Restrict attachments to only uploaded files. Closes #3154. See merge request pleroma/pleroma!3923 | Haelwenn
2023-07-28 | add changelog entry | faried nawaz
2023-07-18 | Restrict attachments to only uploaded files | tusooa
2023-07-17 | Merge branch '2023-06-deps-update' into 'develop'<br>2023-06 deps update + de-override plug. See merge request pleroma/pleroma!3911 | Haelwenn
2023-07-07 | Add changelog | tusooa
2023-07-04 | Merge branch 'deprecate-scrobbles' into 'develop'<br>Deprecate audio scrobbling. See merge request pleroma/pleroma!3919 | tusooa
2023-07-04 | docs: Fix broken links | Haelwenn (lanodan) Monnier
2023-07-04 | Merge branch 'fix/pipeline-triggers' into 'develop'<br>CI: Fix pipeline tokens & exit status. See merge request pleroma/pleroma!3918 | Haelwenn
2023-07-04 | Deprecate audio scrobbling | Haelwenn (lanodan) Monnier
2023-07-04 | CI: Use CI_JOB_TOKEN for cross-repo pipeline triggers | Haelwenn (lanodan) Monnier
2023-07-03 | Merge branch 'gentoo_otp' into 'develop'<br>Packaged installation guide for gentoo. See merge request pleroma/pleroma!3906 | Haelwenn
2023-07-02 | Merge branch 'tusooa/media-altdomain' into 'develop'<br>Add instructions to serve media on another domain. See merge request pleroma/pleroma!3892 | Haelwenn
2023-07-02 | Merge branch 'testfix/system-config-use' into 'develop'<br>release_runtime_provider_test: Explicitly use non-existent config file. See merge request pleroma/pleroma!3910 | Haelwenn
2023-07-02 | Merge branch 'tusooa/3131-handle-report-from-deactivated-user' into 'develop'<br>Fix handling report from a deactivated user. Closes #3131. See merge request pleroma/pleroma!3915 | Haelwenn
2023-07-02 | Merge branch 'tusooa/3142-featured-collection-shouldnt-break-user-fetch' into 'develop'<br>Fix user fetch completely broken if featured collection is not in a supported form. See merge request pleroma/pleroma!3914 | Haelwenn
2023-07-02 | Fix handling report from a deactivated user | tusooa
2023-07-02 | Fix user fetch completely broken if featured collection is not in a supported form | tusooa
2023-07-01 | Force the use of amd64 runners for jobs using ci-base | tusooa
2023-07-01 | Merge branch 'bugfix/full-revert-media-host-validation' into 'develop'<br>Merge Revert "Merge branch 'validate-host' into 'develop'". Closes #3136. See merge request pleroma/pleroma!3909 | tusooa
2023-06-27 | Merge branch 'tusooa/3119-bio-update' into 'develop'<br>Show more informative errors when profile exceeds char limits. Closes #3119. See merge request pleroma/pleroma!3886 | Haelwenn
2023-06-27 | mix: 2023-06 deps update<br>This fixes compatibility with Erlang OTP 26. Related: https://git.pleroma.social/pleroma/pleroma/-/issues/2913 | Haelwenn (lanodan) Monnier
2023-06-27 | release_runtime_provider_test: Explicitly use non-existent config file | Haelwenn (lanodan) Monnier
2023-06-22 | Merge Revert "Merge branch 'validate-host' into 'develop'"<br>This reverts commit d998a114e26033e98e87778e5ca659aff91831bf, reversing changes made to da6b4003acad84b0f60ad8da6d08cfe13564b058. | Haelwenn (lanodan) Monnier
2023-06-21 | Add changelog entry | Sean King
2023-06-13 | changelog.d/gentoo_otp.skip: Doc-only MR | Haelwenn (lanodan) Monnier
2023-06-13 | Add no_new_privs to OpenRC service files | Haelwenn (lanodan) Monnier
2023-06-11 | Merge branch 'unused_indexes' into 'develop'<br>Remove unused indexes. See merge request pleroma/pleroma!3874 | lain
2023-06-11 | Merge branch 'tusooa/3054-banned-delete' into 'develop'<br>Fix deleting banned users' statuses. See merge request pleroma/pleroma!3889 | lain
2023-06-11 | Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into pleroma-double_mentions | Lain Soykaf
2023-06-11 | Update changelog | Lain Soykaf
2023-06-11 | Merge branch 'fix/metadata-tags' into 'develop'<br>static frontend: fix meta tags. See merge request pleroma/pleroma!3885 | lain
2023-06-11 | Merge branch 'cleanup/ostatus-user-upgrade' into 'develop'<br>Cleanup OStatus-era user upgrades and ap_enabled indicator. See merge request pleroma/pleroma!3880 | lain
2023-06-11 | Merge branch 'revert-mediaproxy-host-validation' into 'develop'<br>Revert MediaProxy Host header validation. See merge request pleroma/pleroma!3902 | feld