From a5da6ce58e241bc20fad5edd2612bb77f07c3992 Mon Sep 17 00:00:00 2001 From: Lain Soykaf Date: Wed, 31 Dec 2025 10:49:28 +0400 Subject: [PATCH] Changelog: Update changelog --- CHANGELOG.md | 2 ++ changelog.d/mastoapi-misatrribution.fix | 1 - changelog.d/restrict-unauthenticated-bypass.fix | 1 - 3 files changed, 2 insertions(+), 2 deletions(-) delete mode 100644 changelog.d/mastoapi-misatrribution.fix delete mode 100644 changelog.d/restrict-unauthenticated-bypass.fix diff --git a/CHANGELOG.md b/CHANGELOG.md index d6cdaa6a5..adc76c767 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Security - Admin API: Fixed self-revocation vulnerability where admins could accidentally revoke their own admin status via the single-user permission endpoint +- Fix bypass of the restrict unauthenticated setting by requesting local Activities ### Changed @@ -104,6 +105,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - ObjectView: Do not leak unsanitized internal representation of non-Create/non-Undo Activities on fetches - Fix WebFinger for split-domain setups - Enforce an exact domain match for WebFinger resolution +- MastodonAPI: Fix misattribution of statuses when fetched via non-Announce Activity ID ## 2.9.1 diff --git a/changelog.d/mastoapi-misatrribution.fix b/changelog.d/mastoapi-misatrribution.fix deleted file mode 100644 index ba744c62b..000000000 --- a/changelog.d/mastoapi-misatrribution.fix +++ /dev/null @@ -1 +0,0 @@ -MastodonAPI: Fix misattribution of statuses when fetched via non-Announce Activity ID diff --git a/changelog.d/restrict-unauthenticated-bypass.fix b/changelog.d/restrict-unauthenticated-bypass.fix deleted file mode 100644 index 974fa6df9..000000000 --- a/changelog.d/restrict-unauthenticated-bypass.fix +++ /dev/null @@ -1 +0,0 @@ -Fix bypass of the restrict unauthenticated setting by requesting local Activities
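Review bot: In the first CHANGELOG.md hunk (@@ -9,6 +9,7), the new Security entry "Fix bypass of the restrict unauthenticated setting by requesting local Activities" carries no component prefix and does not name the setting as it appears in configuration, unlike the "Admin API: ..." entry directly above it. This is the line operators read to decide whether an upgrade is urgent, so suggest adding a prefix in the style of the neighbouring entries and spelling the setting exactly as it is written in the config, so that admins who rely on it can tell at a glance that they are affected.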
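Review bot: In the second CHANGELOG.md hunk (@@ -104,6 +105,7), the MastodonAPI misattribution entry is appended after "Enforce an exact domain match for WebFinger resolution" and directly before "## 2.9.1", while the other fragment folded in by this commit goes under "### Security" near line 9. The hunk context does not show which section heading this list belongs to, so a reviewer cannot confirm the placement from the patch alone. If misattribution of statuses is treated as security-relevant, the entry should sit with the Security items; otherwise a sentence in the commit message explaining why the two fragments land in different sections would help.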
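Review bot: The deleted fragment changelog.d/restrict-unauthenticated-bypass.fix is typed ".fix", yet its text ends up under "### Security" in CHANGELOG.md, so the fragment type and the final section disagree and the section was evidently chosen by hand. If the changelog tooling supports a dedicated fragment type for security entries, suggest creating such fragments with that type so the placement does not depend on whoever assembles the release. The subject line "Changelog: Update changelog" could also say that it folds these two changelog.d fragments into CHANGELOG.md.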