X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=CHANGELOG.md;h=47cab144bdbc20510b9973465c27a5d44df27fac;hb=34d7e864db8f9cc7fb73ce2fef8466ce8e09ed85;hp=f57e191fa63f5869c564119c10c7d06f32938b19;hpb=bf048ab72f3b0a994b5d8dd6c82bf30780468173;p=akkoma diff --git a/CHANGELOG.md b/CHANGELOG.md index f57e191fa..47cab144b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased +### Added +- Mix tasks for controlling user account confirmation status in bulk (`mix pleroma.user confirm_all` and `mix pleroma.user unconfirm_all`) +- Mix task for sending confirmation emails to all unconfirmed users (`mix pleroma.email send_confirmation_mails`) + ### Changed - Renamed `:await_up_timeout` in `:connections_pool` namespace to `:connect_timeout`, old name is deprecated. @@ -14,22 +18,30 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - **Breaking:** Removed `Pleroma.Workers.Cron.StatsWorker` setting from Oban `:crontab`. -## unreleased-patch - ??? +## [2.1.1] - 2020-09-08 -### Added +### Security +- Fix possible DoS in Mastodon API user search due to an error in match clauses, leading to an infinite recursion and subsequent OOM with certain inputs. +- Fix metadata leak for accounts and statuses on private instances. +- Fix possible DoS in Admin API search using an atom leak vulnerability. Authentication with admin rights was required to exploit. -- Rich media failure tracking (along with `:failure_backoff` option) -- MRF policy to rewrite bot posts scope from public to unlisted +### Changed -### Fixed +- **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a header tag for the actual RSS/Atom feed when the instance is public. +- Improved error message when cmake is not available at build stage. + +### Added +- Rich media failure tracking (along with `:failure_backoff` option). -- Possible OOM errors with the default HTTP adapter +### Fixed +- Default HTTP adapter not respecting pool setting, leading to possible OOM. - Fixed uploading webp images when the Exiftool Upload Filter is enabled by skipping them - Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers - Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case. Reduced to just rich media timeout. -- Mastodon API: Cards being wrong for preview statuses due to cache key collision -- Password resets no longer processed for deactivated accounts +- Mastodon API: Cards being wrong for preview statuses due to cache key collision. +- Password resets no longer processed for deactivated accounts. +- Favicon scraper raising exceptions on URLs longer than 255 characters. ## [2.1.0] - 2020-08-28