Merge branch 'stable' into stable-sync/2.1.1
This commit is contained in:
rinpatch
commit
5ef840ed9c
57 changed files with 73 additions and 72 deletions
23
CHANGELOG.md
23
CHANGELOG.md
|
|
@ -14,29 +14,30 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
|
||||
- **Breaking:** Removed `Pleroma.Workers.Cron.StatsWorker` setting from Oban `:crontab`.
|
||||
|
||||
## unreleased-patch - ???
|
||||
## [2.1.1] - 2020-09-08
|
||||
|
||||
### Security
|
||||
- Fix possible DoS in Mastodon API user search due to an error in match clauses, leading to an infinite recursion and subsequent OOM with certain inputs.
|
||||
- Fix metadata leak for accounts and statuses on private instances.
|
||||
- Fix possible DoS in Admin API search using an atom leak vulnerability. Authentication with admin rights was required to exploit.
|
||||
|
||||
### Changed
|
||||
|
||||
- **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a <link> header tag for the actual RSS/Atom feed when the instance is public.
|
||||
|
||||
### Security
|
||||
- Fix metadata leak for accounts and statuses on private instances
|
||||
- Improved error message when cmake is not available at build stage.
|
||||
|
||||
### Added
|
||||
|
||||
- Rich media failure tracking (along with `:failure_backoff` option)
|
||||
- MRF policy to rewrite bot posts scope from public to unlisted
|
||||
- Rich media failure tracking (along with `:failure_backoff` option).
|
||||
|
||||
### Fixed
|
||||
|
||||
- Possible OOM errors with the default HTTP adapter
|
||||
- Default HTTP adapter not respecting pool setting, leading to possible OOM.
|
||||
- Fixed uploading webp images when the Exiftool Upload Filter is enabled by skipping them
|
||||
- Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
|
||||
- Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case.
|
||||
Reduced to just rich media timeout.
|
||||
- Mastodon API: Cards being wrong for preview statuses due to cache key collision
|
||||
- Password resets no longer processed for deactivated accounts
|
||||
- Mastodon API: Cards being wrong for preview statuses due to cache key collision.
|
||||
- Password resets no longer processed for deactivated accounts.
|
||||
- Favicon scraper raising exceptions on URLs longer than 255 characters.
|
||||
|
||||
## [2.1.0] - 2020-08-28
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue