hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Update changelog

Browse source
This commit is contained in:
Lain Soykaf 2025-03-11 18:06:43 +04:00
commit 4c8a8a4b62
10 changed files with 17 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

17
CHANGELOG.md
View file

@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## 2.9.1
### Security
- Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content.
- Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments
- Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls.
- Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse.
- Block attempts to fetch activities from the local instance to prevent spoofing.
- Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media.
- Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks.
### Changed
- Include `pl-fe` in available frontends
### Fixed
- Remove trailing ` from end of line 75 which caused issues copy-pasting
## 2.9.0 ## 2.9.0
### Security ### Security

1
changelog.d/c2s-update-authorization.security
View file

@ -1 +0,0 @@
Fix authorization checks for C2S Update activities to prevent unauthorized modifications of other users' content.

1
changelog.d/content-type-sanitize.security
View file

@ -1 +0,0 @@
Fix content-type spoofing vulnerability that could allow users to upload ActivityPub objects as attachments

1
changelog.d/cross-domain-redirect-check.security
View file

@ -1 +0,0 @@
Reject cross-domain redirects when fetching ActivityPub objects to prevent bypassing domain-based security controls.

1
changelog.d/debian-distro-docs-pleromaBE.fix
View file

@ -1 +0,0 @@
Remove trailing ` from end of line 75 which caused issues copy-pasting

1
changelog.d/emoji-shortcode-validation.security
View file

@ -1 +0,0 @@
Limit emoji shortcodes to alphanumeric, dash, or underscore characters to prevent potential abuse.

1
changelog.d/local-fetch-prevention.security
View file

@ -1 +0,0 @@
Block attempts to fetch activities from the local instance to prevent spoofing.

1
changelog.d/media-proxy-sanitize.security
View file

@ -1 +0,0 @@
Sanitize Content-Type headers in media proxy to prevent serving malicious ActivityPub content through proxied media.

1
changelog.d/object-fetcher-content-type.security
View file

@ -1 +0,0 @@
Validate Content-Type headers when fetching remote ActivityPub objects to prevent spoofing attacks.

1
changelog.d/pl-fe.change
View file

@ -1 +0,0 @@
Include `pl-fe` in available frontends