From 4c8a8a4b62151ab86019cf92ffb67dc81e13cdd7 Mon Sep 17 00:00:00 2001 From: Lain Soykaf Date: Tue, 11 Mar 2025 18:06:43 +0400 Subject: [PATCH] Update changelog --- CHANGELOG.md | 17 +++++++++++++++++ changelog.d/c2s-update-authorization.security | 1 - changelog.d/content-type-sanitize.security | 1 - .../cross-domain-redirect-check.security | 1 - changelog.d/debian-distro-docs-pleromaBE.fix | 1 - changelog.d/emoji-shortcode-validation.security | 1 - changelog.d/local-fetch-prevention.security | 1 - changelog.d/media-proxy-sanitize.security | 1 - .../object-fetcher-content-type.security | 1 - changelog.d/pl-fe.change | 1 - 10 files changed, 17 insertions(+), 9 deletions(-) delete mode 100644 changelog.d/c2s-update-authorization.security delete mode 100644 changelog.d/content-type-sanitize.security delete mode 100644 changelog.d/cross-domain-redirect-check.security delete mode 100644 changelog.d/debian-distro-docs-pleromaBE.fix delete mode 100644 changelog.d/emoji-shortcode-validation.security delete mode 100644 changelog.d/local-fetch-prevention.security delete mode 100644 changelog.d/media-proxy-sanitize.security delete mode 100644 changelog.d/object-fetcher-content-type.security delete mode 100644 changelog.d/pl-fe.change diff --git a/CHANGELOG.md b/CHANGELOG.md index 657422689..19b87f09a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## 2.9.1 + +### Security +- Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content. +- Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments +- Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls. +- Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse. +- Block attempts to fetch activities from the local instance to prevent spoofing. +- Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media. +- Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks. + +### Changed +- Include `pl-fe` in available frontends + +### Fixed +- Remove trailing ` from end of line 75 which caused issues copy-pasting + ## 2.9.0 ### Security diff --git a/changelog.d/c2s-update-authorization.security b/changelog.d/c2s-update-authorization.security deleted file mode 100644 index 0fe7d97c9..000000000 --- a/changelog.d/c2s-update-authorization.security +++ /dev/null @@ -1 +0,0 @@ -Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content. \ No newline at end of file diff --git a/changelog.d/content-type-sanitize.security b/changelog.d/content-type-sanitize.security deleted file mode 100644 index a70b49f35..000000000 --- a/changelog.d/content-type-sanitize.security +++ /dev/null @@ -1 +0,0 @@ -Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments \ No newline at end of file diff --git a/changelog.d/cross-domain-redirect-check.security b/changelog.d/cross-domain-redirect-check.security deleted file mode 100644 index 9201de794..000000000 --- a/changelog.d/cross-domain-redirect-check.security +++ /dev/null @@ -1 +0,0 @@ -Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls. \ No newline at end of file diff --git a/changelog.d/debian-distro-docs-pleromaBE.fix b/changelog.d/debian-distro-docs-pleromaBE.fix deleted file mode 100644 index d43477ba9..000000000 --- a/changelog.d/debian-distro-docs-pleromaBE.fix +++ /dev/null @@ -1 +0,0 @@ -Remove trailing ` from end of line 75 which caused issues copy-pasting \ No newline at end of file diff --git a/changelog.d/emoji-shortcode-validation.security b/changelog.d/emoji-shortcode-validation.security deleted file mode 100644 index 5a7d39279..000000000 --- a/changelog.d/emoji-shortcode-validation.security +++ /dev/null @@ -1 +0,0 @@ -Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse. \ No newline at end of file diff --git a/changelog.d/local-fetch-prevention.security b/changelog.d/local-fetch-prevention.security deleted file mode 100644 index e012abcd5..000000000 --- a/changelog.d/local-fetch-prevention.security +++ /dev/null @@ -1 +0,0 @@ -Block attempts to fetch activities from the local instance to prevent spoofing. \ No newline at end of file diff --git a/changelog.d/media-proxy-sanitize.security b/changelog.d/media-proxy-sanitize.security deleted file mode 100644 index b94348ea7..000000000 --- a/changelog.d/media-proxy-sanitize.security +++ /dev/null @@ -1 +0,0 @@ -Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media. \ No newline at end of file diff --git a/changelog.d/object-fetcher-content-type.security b/changelog.d/object-fetcher-content-type.security deleted file mode 100644 index 2ef4aefe7..000000000 --- a/changelog.d/object-fetcher-content-type.security +++ /dev/null @@ -1 +0,0 @@ -Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks. \ No newline at end of file diff --git a/changelog.d/pl-fe.change b/changelog.d/pl-fe.change deleted file mode 100644 index 7e3e4b59e..000000000 --- a/changelog.d/pl-fe.change +++ /dev/null @@ -1 +0,0 @@ -Include `pl-fe` in available frontends