Merge branch 'stable' into 'release/2.6.0'

# Conflicts: # .gitlab-ci.yml # lib/pleroma/web/common_api/utils.ex # lib/pleroma/web/xml.ex # mix.exs # test/pleroma/web/activity_pub/transmogrifier/emoji_react_handling_test.exs # test/pleroma/web/common_api/utils_test.exs # test/pleroma/web/mastodon_api/update_credentials_test.exs # test/pleroma/web/xml_test.exs
2023-10-31 01:07:43 +00:00 · 2023-10-31 01:07:43 +00:00 · ad45b06b3f
commit ad45b06b3f
parent ab894d98f4 f966abe4fb
5 changed files with 20 additions and 0 deletions
--- a/changelog.d/akkoma-xml-remote-entities.security
+++ b/changelog.d/akkoma-xml-remote-entities.security
@ -0,0 +1 @@
+Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
--- a/changelog.d/check-attachment-attribution.security
+++ b/changelog.d/check-attachment-attribution.security
@ -0,0 +1 @@
+CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
--- a/changelog.d/emoji-pack-sanitization.security
+++ b/changelog.d/emoji-pack-sanitization.security
@ -0,0 +1 @@
+Emoji pack loader sanitizes pack names
--- a/changelog.d/otp_perms.security
+++ b/changelog.d/otp_perms.security
@ -0,0 +1 @@
+- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
				`@ -0,0 +1 @@`
				`Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem`
				`@ -0,0 +1 @@`
				`CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID`
				`@ -0,0 +1 @@`
				`- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories`