X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=CHANGELOG.md;h=75357f05edc20cf20cc62c471e1bc6e85fb687ac;hb=9733c9d06563a92e4c58ac906c5f98b617b9e731;hp=f57e191fa63f5869c564119c10c7d06f32938b19;hpb=21efda2edbfa74e80ad0df6f92b52a16880082e3;p=akkoma diff --git a/CHANGELOG.md b/CHANGELOG.md index f57e191fa..75357f05e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,24 +12,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Removed -- **Breaking:** Removed `Pleroma.Workers.Cron.StatsWorker` setting from Oban `:crontab`. +- **Breaking:** `Pleroma.Workers.Cron.StatsWorker` setting from Oban `:crontab` (moved to a simpler implementation). +- **Breaking:** `Pleroma.Workers.Cron.ClearOauthTokenWorker` setting from Oban `:crontab` (moved to scheduled jobs). +- **Breaking:** `Pleroma.Workers.Cron.PurgeExpiredActivitiesWorker` setting from Oban `:crontab` (moved to scheduled jobs). -## unreleased-patch - ??? +### Changed +- Minimum lifetime for ephmeral activities changed to 10 minutes and made configurable (`:min_lifetime` option). -### Added +## [2.1.1] - 2020-09-08 -- Rich media failure tracking (along with `:failure_backoff` option) -- MRF policy to rewrite bot posts scope from public to unlisted +### Security +- Fix possible DoS in Mastodon API user search due to an error in match clauses, leading to an infinite recursion and subsequent OOM with certain inputs. +- Fix metadata leak for accounts and statuses on private instances. +- Fix possible DoS in Admin API search using an atom leak vulnerability. Authentication with admin rights was required to exploit. -### Fixed +### Changed -- Possible OOM errors with the default HTTP adapter +- **Breaking:** The metadata providers RelMe and Feed are no longer configurable. RelMe should always be activated and Feed only provides a header tag for the actual RSS/Atom feed when the instance is public. +- Improved error message when cmake is not available at build stage. + +### Added +- Rich media failure tracking (along with `:failure_backoff` option). + +### Fixed +- Default HTTP adapter not respecting pool setting, leading to possible OOM. - Fixed uploading webp images when the Exiftool Upload Filter is enabled by skipping them - Mastodon API: Search parameter `following` now correctly returns the followings rather than the followers - Mastodon API: Timelines hanging for (`number of posts with links * rich media timeout`) in the worst case. Reduced to just rich media timeout. -- Mastodon API: Cards being wrong for preview statuses due to cache key collision -- Password resets no longer processed for deactivated accounts +- Mastodon API: Cards being wrong for preview statuses due to cache key collision. +- Password resets no longer processed for deactivated accounts. +- Favicon scraper raising exceptions on URLs longer than 255 characters. ## [2.1.0] - 2020-08-28