X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=CHANGELOG.md;h=2f85cc3024a22fffab7fbdfa0fe699be783a664e;hb=a0f5e8b27edbe2224d9c2c3997ad5b8ea484244b;hp=c87aff851e298ae2da8456ac6dc83cdc6d8bee1a;hpb=ea4b6c64d60d1dc3246f5a2f23a2e3a47e8fb476;p=akkoma diff --git a/CHANGELOG.md b/CHANGELOG.md index c87aff851..2f85cc302 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,22 +3,52 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). -## unreleased-patch - ??? +## [2.1.2] - 2020-09-17 ### Security -- Fix metadata leak for accounts and statuses on private instances + +- Fix most MRF rules either crashing or not being applied to objects passed into the Common Pipeline (ChatMessage, Question, Answer, Audio, Event). + +### Fixed + +- Welcome Chat messages preventing user registration with MRF Simple Policy applied to the local instance. +- Mastodon API: the public timeline returning an error when the `reply_visibility` parameter is set to `self` for an unauthenticated user. +- Mastodon Streaming API: Handler crashes on authentication failures, resulting in error logs. +- Mastodon Streaming API: Error logs on client pings. +- Rich media: Log spam on failures. Now the error is only logged once per attempt. + +### Changed + +- Rich Media: A HEAD request is now done to the url, to ensure it has the appropriate content type and size before proceeding with a GET. + +### Upgrade notes + +1. Restart Pleroma + +## [2.1.1] - 2020-09-08 + +### Security +- Fix possible DoS in Mastodon API user search due to an error in match clauses, leading to an infinite recursion and subsequent OOM with certain inputs. +- Fix metadata leak for accounts and statuses on private instances. +- Fix possible DoS in Admin API search using an atom leak vulnerability. Authentication with admin rights was required to exploit. ### Changed - **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a header tag for the actual RSS/Atom feed when the instance is public. +- Improved error message when cmake is not available at build stage. ### Added -- Rich media failure tracking (along with `:failure_backoff` option) +- Rich media failure tracking (along with `:failure_backoff` option). ### Fixed +- Default HTTP adapter not respecting pool setting, leading to possible OOM. +- Fixed uploading webp images when the Exiftool Upload Filter is enabled by skipping them - Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers - Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case. Reduced to just rich media timeout. +- Mastodon API: Cards being wrong for preview statuses due to cache key collision. +- Password resets no longer processed for deactivated accounts. +- Favicon scraper raising exceptions on URLs longer than 255 characters. ## [2.1.0] - 2020-08-28