X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=CHANGELOG.md;h=19b2596cc32aa640263a8fe9cef104585f2714ac;hb=5ef840ed9ce277ebaf6367f2529cc686b8d6404b;hp=51254742713a95b03dd8b533f22b209bd498d80c;hpb=0d2814ec8e41942cd5b056d9c1ed902be1e1773c;p=akkoma

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 512547427..19b2596cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,29 +14,30 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 - **Breaking:** Removed `Pleroma.Workers.Cron.StatsWorker` setting from Oban `:crontab`.
 
-## unreleased-patch - ???
+## [2.1.1] - 2020-09-08
+
+### Security
+- Fix possible DoS in Mastodon API user search due to an error in match clauses, leading to an infinite recursion and subsequent OOM with certain inputs.
+- Fix metadata leak for accounts and statuses on private instances.
+- Fix possible DoS in Admin API search using an atom leak vulnerability. Authentication with admin rights was required to exploit.
 
 ### Changed
 
 - **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a <link> header tag for the actual RSS/Atom feed when the instance is public.
-
-### Security
-- Fix metadata leak for accounts and statuses on private instances
+- Improved error message when cmake is not available at build stage.
 
 ### Added
-
-- Rich media failure tracking (along with `:failure_backoff` option)
-- MRF policy to rewrite bot posts scope from public to unlisted
+- Rich media failure tracking (along with `:failure_backoff` option).
 
 ### Fixed
-
-- Possible OOM errors with the default HTTP adapter
+- Default HTTP adapter not respecting pool setting, leading to possible OOM.
 - Fixed uploading webp images when the Exiftool Upload Filter is enabled by skipping them
 - Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers
 - Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case.
   Reduced to just rich media timeout.
-- Mastodon API: Cards being wrong for preview statuses due to cache key collision
-- Password resets no longer processed for deactivated accounts
+- Mastodon API: Cards being wrong for preview statuses due to cache key collision.
+- Password resets no longer processed for deactivated accounts.
+- Favicon scraper raising exceptions on URLs longer than 255 characters.
 
 ## [2.1.0] - 2020-08-28