From bc722623b3109abca1048da99cb7d1df18630674 Mon Sep 17 00:00:00 2001
From: mkljczk
Date: Sun, 2 Mar 2025 16:43:34 +0100
Subject: remove changelog entries from changelog.d
Signed-off-by: mkljczk
---
 changelog.d/301-small-image-redirect.change | 1 -
 changelog.d/actor-published-date.add | 1 -
 changelog.d/backup-links.add | 1 -
 changelog.d/c2s-update-verify.fix | 1 -
 changelog.d/description-update-suggestions.skip | 0
 changelog.d/ensure-authorized-fetch.security | 1 -
 changelog.d/fix-mastodon-edits.fix | 1 -
 changelog.d/fix-wrong-config-section.skip | 0
 changelog.d/follow-hashtags.add | 1 -
 changelog.d/incoming-scrobbles.fix | 1 -
 changelog.d/post-languages.add | 1 -
 changelog.d/retire_mrfs.remove | 1 -
 changelog.d/rich-media-ignore-host.fix | 1 -
 changelog.d/rich-media-twittercard.fix | 1 -
 changelog.d/twittercard-tag-order.fix | 1 -
 changelog.d/vips-blurhash.fix | 1 -
 16 files changed, 14 deletions(-)
 delete mode 100644 changelog.d/301-small-image-redirect.change
 delete mode 100644 changelog.d/actor-published-date.add
 delete mode 100644 changelog.d/backup-links.add
 delete mode 100644 changelog.d/c2s-update-verify.fix
 delete mode 100644 changelog.d/description-update-suggestions.skip
 delete mode 100644 changelog.d/ensure-authorized-fetch.security
 delete mode 100644 changelog.d/fix-mastodon-edits.fix
 delete mode 100644 changelog.d/fix-wrong-config-section.skip
 delete mode 100644 changelog.d/follow-hashtags.add
 delete mode 100644 changelog.d/incoming-scrobbles.fix
 delete mode 100644 changelog.d/post-languages.add
 delete mode 100644 changelog.d/retire_mrfs.remove
 delete mode 100644 changelog.d/rich-media-ignore-host.fix
 delete mode 100644 changelog.d/rich-media-twittercard.fix
 delete mode 100644 changelog.d/twittercard-tag-order.fix
 delete mode 100644 changelog.d/vips-blurhash.fix
(limited to 'changelog.d')
diff --git a/changelog.d/301-small-image-redirect.change b/changelog.d/301-small-image-redirect.change
deleted file mode 100644
index c5be80539..000000000
--- a/changelog.d/301-small-image-redirect.change
+++ /dev/null
@@ -1 +0,0 @@
-Performance: Use 301 (permanent) redirect instead of 302 (temporary) when redirecting small images in media proxy. This allows browsers to cache the redirect response.
\ No newline at end of file
diff --git a/changelog.d/actor-published-date.add b/changelog.d/actor-published-date.add
deleted file mode 100644
index feac85894..000000000
--- a/changelog.d/actor-published-date.add
+++ /dev/null
@@ -1 +0,0 @@
-Include "published" in actor view
diff --git a/changelog.d/backup-links.add b/changelog.d/backup-links.add
deleted file mode 100644
index ff19e736b..000000000
--- a/changelog.d/backup-links.add
+++ /dev/null
@@ -1 +0,0 @@
-Link to exported outbox/followers/following collections in backup actor.json
diff --git a/changelog.d/c2s-update-verify.fix b/changelog.d/c2s-update-verify.fix
deleted file mode 100644
index a4dfe7c07..000000000
--- a/changelog.d/c2s-update-verify.fix
+++ /dev/null
@@ -1 +0,0 @@
-Verify a local Update sent through AP C2S so users can only update their own objects
diff --git a/changelog.d/description-update-suggestions.skip b/changelog.d/description-update-suggestions.skip
deleted file mode 100644
index e69de29bb..000000000
diff --git a/changelog.d/ensure-authorized-fetch.security b/changelog.d/ensure-authorized-fetch.security
deleted file mode 100644
index 200abdae0..000000000
--- a/changelog.d/ensure-authorized-fetch.security
+++ /dev/null
@@ -1 +0,0 @@
-Require HTTP signatures (if enabled) for routes used by both C2S and S2S AP API
\ No newline at end of file
diff --git a/changelog.d/fix-mastodon-edits.fix b/changelog.d/fix-mastodon-edits.fix
deleted file mode 100644
index 2e79977e0..000000000
--- a/changelog.d/fix-mastodon-edits.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix Mastodon incoming edits with inlined "likes"
diff --git a/changelog.d/fix-wrong-config-section.skip b/changelog.d/fix-wrong-config-section.skip
deleted file mode 100644
index e69de29bb..000000000
diff --git a/changelog.d/follow-hashtags.add b/changelog.d/follow-hashtags.add
deleted file mode 100644
index a4994b92b..000000000
--- a/changelog.d/follow-hashtags.add
+++ /dev/null
@@ -1 +0,0 @@
-Hashtag following
diff --git a/changelog.d/incoming-scrobbles.fix b/changelog.d/incoming-scrobbles.fix
deleted file mode 100644
index fb1e2581c..000000000
--- a/changelog.d/incoming-scrobbles.fix
+++ /dev/null
@@ -1 +0,0 @@
-Allow incoming "Listen" activities
diff --git a/changelog.d/post-languages.add b/changelog.d/post-languages.add
deleted file mode 100644
index 04b350f3f..000000000
--- a/changelog.d/post-languages.add
+++ /dev/null
@@ -1 +0,0 @@
-Allow to specify post language
\ No newline at end of file
diff --git a/changelog.d/retire_mrfs.remove b/changelog.d/retire_mrfs.remove
deleted file mode 100644
index 2637f376a..000000000
--- a/changelog.d/retire_mrfs.remove
+++ /dev/null
@@ -1 +0,0 @@
-Retire MRFs DNSRBL, FODirectReply, and QuietReply
diff --git a/changelog.d/rich-media-ignore-host.fix b/changelog.d/rich-media-ignore-host.fix
deleted file mode 100644
index b70866ac7..000000000
--- a/changelog.d/rich-media-ignore-host.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix missing check for domain presence in rich media ignore_host configuration
diff --git a/changelog.d/rich-media-twittercard.fix b/changelog.d/rich-media-twittercard.fix
deleted file mode 100644
index 16da54874..000000000
--- a/changelog.d/rich-media-twittercard.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix Rich Media parsing of TwitterCards/OpenGraph to adhere to the spec and always choose the first image if multiple are provided.
diff --git a/changelog.d/twittercard-tag-order.fix b/changelog.d/twittercard-tag-order.fix
deleted file mode 100644
index f26fc5bb9..000000000
--- a/changelog.d/twittercard-tag-order.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix OpenGraph/TwitterCard meta tag ordering for posts with multiple attachments
diff --git a/changelog.d/vips-blurhash.fix b/changelog.d/vips-blurhash.fix
deleted file mode 100644
index 9e8951b15..000000000
--- a/changelog.d/vips-blurhash.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix blurhash generation crashes
--
cgit v1.2.3
From 7bfa3bf282bf18eed190df6665157d4e886893e9 Mon Sep 17 00:00:00 2001
From: mkljczk
Date: Sun, 2 Mar 2025 16:36:59 +0100
Subject: Include my frontend in available frontends
Signed-off-by: mkljczk
---
 changelog.d/pl-fe.change | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/pl-fe.change
(limited to 'changelog.d')
diff --git a/changelog.d/pl-fe.change b/changelog.d/pl-fe.change
new file mode 100644
index 000000000..7e3e4b59e
--- /dev/null
+++ b/changelog.d/pl-fe.change
@@ -0,0 +1 @@
+Include `pl-fe` in available frontends
--
cgit v1.2.3
From 5cf0321bc752dc729d21c56229026bec991be75e Mon Sep 17 00:00:00 2001
From: Mikka van der Velde
Date: Sat, 8 Mar 2025 15:33:36 +0000
Subject: Add new file
---
 changelog.d/debian-distro-docs-pleromaBE.fix | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 changelog.d/debian-distro-docs-pleromaBE.fix
(limited to 'changelog.d')
diff --git a/changelog.d/debian-distro-docs-pleromaBE.fix b/changelog.d/debian-distro-docs-pleromaBE.fix
new file mode 100644
index 000000000..e69de29bb
--
cgit v1.2.3
From 35033b6f3e50a1aa38082f3a43a40560f9036d54 Mon Sep 17 00:00:00 2001
From: Mikka van der Velde
Date: Sat, 8 Mar 2025 15:34:32 +0000
Subject: Edit debian-distro-docs-pleromaBE.fix
---
 changelog.d/debian-distro-docs-pleromaBE.fix | 1 +
 1 file changed, 1 insertion(+)
(limited to 'changelog.d')
diff --git a/changelog.d/debian-distro-docs-pleromaBE.fix b/changelog.d/debian-distro-docs-pleromaBE.fix
index e69de29bb..d43477ba9 100644
--- a/changelog.d/debian-distro-docs-pleromaBE.fix
+++ b/changelog.d/debian-distro-docs-pleromaBE.fix
@@ -0,0 +1 @@
+Remove trailing ` from end of line 75 which caused issues copy-pasting
\ No newline at end of file
--
cgit v1.2.3
From b469b9d9d358a30642d1221a01125af9b6399ff4 Mon Sep 17 00:00:00 2001
From: Lain Soykaf
Date: Mon, 10 Mar 2025 16:48:54 +0400
Subject: .
---
 changelog.d/content-type-sanitize.security | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/content-type-sanitize.security
(limited to 'changelog.d')
diff --git a/changelog.d/content-type-sanitize.security b/changelog.d/content-type-sanitize.security
new file mode 100644
index 000000000..a70b49f35
--- /dev/null
+++ b/changelog.d/content-type-sanitize.security
@@ -0,0 +1 @@
+Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments
\ No newline at end of file
--
cgit v1.2.3
From 51c1d6fb2dd91a1a1ac11fed0f0a4211719e30b8 Mon Sep 17 00:00:00 2001
From: Lain Soykaf
Date: Tue, 11 Mar 2025 16:37:17 +0400
Subject: Containment: Never fetch locally
---
 changelog.d/local-fetch-prevention.security | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/local-fetch-prevention.security
(limited to 'changelog.d')
diff --git a/changelog.d/local-fetch-prevention.security b/changelog.d/local-fetch-prevention.security
new file mode 100644
index 000000000..f72342316
--- /dev/null
+++ b/changelog.d/local-fetch-prevention.security
@@ -0,0 +1 @@
+Security: Block attempts to fetch activities from the local instance to prevent spoofing.
\ No newline at end of file
--
cgit v1.2.3
From 3c2b51c7cb249e7c0fc92023ac556d324ac3d774 Mon Sep 17 00:00:00 2001
From: Lain Soykaf
Date: Tue, 11 Mar 2025 17:57:45 +0400
Subject: Changelog: Add missing changelog entries
---
 changelog.d/c2s-update-authorization.security | 1 +
 changelog.d/cross-domain-redirect-check.security | 1 +
 changelog.d/emoji-shortcode-validation.security | 1 +
 changelog.d/local-fetch-prevention.security | 2 +-
 changelog.d/media-proxy-sanitize.security | 1 +
 changelog.d/object-fetcher-content-type.security | 1 +
 6 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/c2s-update-authorization.security
 create mode 100644 changelog.d/cross-domain-redirect-check.security
 create mode 100644 changelog.d/emoji-shortcode-validation.security
 create mode 100644 changelog.d/media-proxy-sanitize.security
 create mode 100644 changelog.d/object-fetcher-content-type.security
(limited to 'changelog.d')
diff --git a/changelog.d/c2s-update-authorization.security b/changelog.d/c2s-update-authorization.security
new file mode 100644
index 000000000..0fe7d97c9
--- /dev/null
+++ b/changelog.d/c2s-update-authorization.security
@@ -0,0 +1 @@
+Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content.
\ No newline at end of file
diff --git a/changelog.d/cross-domain-redirect-check.security b/changelog.d/cross-domain-redirect-check.security
new file mode 100644
index 000000000..9201de794
--- /dev/null
+++ b/changelog.d/cross-domain-redirect-check.security
@@ -0,0 +1 @@
+Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls.
\ No newline at end of file
diff --git a/changelog.d/emoji-shortcode-validation.security b/changelog.d/emoji-shortcode-validation.security
new file mode 100644
index 000000000..5a7d39279
--- /dev/null
+++ b/changelog.d/emoji-shortcode-validation.security
@@ -0,0 +1 @@
+Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse.
\ No newline at end of file
diff --git a/changelog.d/local-fetch-prevention.security b/changelog.d/local-fetch-prevention.security
index f72342316..e012abcd5 100644
--- a/changelog.d/local-fetch-prevention.security
+++ b/changelog.d/local-fetch-prevention.security
@@ -1 +1 @@
-Security: Block attempts to fetch activities from the local instance to prevent spoofing.
\ No newline at end of file
+Block attempts to fetch activities from the local instance to prevent spoofing.
\ No newline at end of file
diff --git a/changelog.d/media-proxy-sanitize.security b/changelog.d/media-proxy-sanitize.security
new file mode 100644
index 000000000..b94348ea7
--- /dev/null
+++ b/changelog.d/media-proxy-sanitize.security
@@ -0,0 +1 @@
+Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media.
\ No newline at end of file
diff --git a/changelog.d/object-fetcher-content-type.security b/changelog.d/object-fetcher-content-type.security
new file mode 100644
index 000000000..2ef4aefe7
--- /dev/null
+++ b/changelog.d/object-fetcher-content-type.security
@@ -0,0 +1 @@
+Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks.
\ No newline at end of file
--
cgit v1.2.3
From 4c8a8a4b62151ab86019cf92ffb67dc81e13cdd7 Mon Sep 17 00:00:00 2001
From: Lain Soykaf
Date: Tue, 11 Mar 2025 18:06:43 +0400
Subject: Update changelog
---
 changelog.d/c2s-update-authorization.security | 1 -
 changelog.d/content-type-sanitize.security | 1 -
 changelog.d/cross-domain-redirect-check.security | 1 -
 changelog.d/debian-distro-docs-pleromaBE.fix | 1 -
 changelog.d/emoji-shortcode-validation.security | 1 -
 changelog.d/local-fetch-prevention.security | 1 -
 changelog.d/media-proxy-sanitize.security | 1 -
 changelog.d/object-fetcher-content-type.security | 1 -
 changelog.d/pl-fe.change | 1 -
 9 files changed, 9 deletions(-)
 delete mode 100644 changelog.d/c2s-update-authorization.security
 delete mode 100644 changelog.d/content-type-sanitize.security
 delete mode 100644 changelog.d/cross-domain-redirect-check.security
 delete mode 100644 changelog.d/debian-distro-docs-pleromaBE.fix
 delete mode 100644 changelog.d/emoji-shortcode-validation.security
 delete mode 100644 changelog.d/local-fetch-prevention.security
 delete mode 100644 changelog.d/media-proxy-sanitize.security
 delete mode 100644 changelog.d/object-fetcher-content-type.security
 delete mode 100644 changelog.d/pl-fe.change
(limited to 'changelog.d')
diff --git a/changelog.d/c2s-update-authorization.security b/changelog.d/c2s-update-authorization.security
deleted file mode 100644
index 0fe7d97c9..000000000
--- a/changelog.d/c2s-update-authorization.security
+++ /dev/null
@@ -1 +0,0 @@
-Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content.
\ No newline at end of file
diff --git a/changelog.d/content-type-sanitize.security b/changelog.d/content-type-sanitize.security
deleted file mode 100644
index a70b49f35..000000000
--- a/changelog.d/content-type-sanitize.security
+++ /dev/null
@@ -1 +0,0 @@
-Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments
\ No newline at end of file
diff --git a/changelog.d/cross-domain-redirect-check.security b/changelog.d/cross-domain-redirect-check.security
deleted file mode 100644
index 9201de794..000000000
--- a/changelog.d/cross-domain-redirect-check.security
+++ /dev/null
@@ -1 +0,0 @@
-Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls.
\ No newline at end of file
diff --git a/changelog.d/debian-distro-docs-pleromaBE.fix b/changelog.d/debian-distro-docs-pleromaBE.fix
deleted file mode 100644
index d43477ba9..000000000
--- a/changelog.d/debian-distro-docs-pleromaBE.fix
+++ /dev/null
@@ -1 +0,0 @@
-Remove trailing ` from end of line 75 which caused issues copy-pasting
\ No newline at end of file
diff --git a/changelog.d/emoji-shortcode-validation.security b/changelog.d/emoji-shortcode-validation.security
deleted file mode 100644
index 5a7d39279..000000000
--- a/changelog.d/emoji-shortcode-validation.security
+++ /dev/null
@@ -1 +0,0 @@
-Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse.
\ No newline at end of file
diff --git a/changelog.d/local-fetch-prevention.security b/changelog.d/local-fetch-prevention.security
deleted file mode 100644
index e012abcd5..000000000
--- a/changelog.d/local-fetch-prevention.security
+++ /dev/null
@@ -1 +0,0 @@
-Block attempts to fetch activities from the local instance to prevent spoofing.
\ No newline at end of file
diff --git a/changelog.d/media-proxy-sanitize.security b/changelog.d/media-proxy-sanitize.security
deleted file mode 100644
index b94348ea7..000000000
--- a/changelog.d/media-proxy-sanitize.security
+++ /dev/null
@@ -1 +0,0 @@
-Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media.
\ No newline at end of file
diff --git a/changelog.d/object-fetcher-content-type.security b/changelog.d/object-fetcher-content-type.security
deleted file mode 100644
index 2ef4aefe7..000000000
--- a/changelog.d/object-fetcher-content-type.security
+++ /dev/null
@@ -1 +0,0 @@
-Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks.
\ No newline at end of file
diff --git a/changelog.d/pl-fe.change b/changelog.d/pl-fe.change
deleted file mode 100644
index 7e3e4b59e..000000000
--- a/changelog.d/pl-fe.change
+++ /dev/null
@@ -1 +0,0 @@
-Include `pl-fe` in available frontends
--
cgit v1.2.3