Update ChangeLog
parent 88062ab9f9
commit 4c0c658152
1 changed file with 27 additions and 4 deletions
ChangeLog (31 lines changed)
@ -1,21 +1,44 @@
Version 2.0.44 (May 6, 2023)
----------------------------
* Add link to the URL rewrite rules documentation
* Update scraping rules for `ilpost.it`
* Update rewrite rules for `theverge.com`
* Add a rewrite rule to remove clickbait titles
* Make sure `PROXY_IMAGES` option is backward compatible with `PROXY_OPTION` and `PROXY_MEDIA_TYPES`
* Add new rule to remove tables
* Add support for searching well-known URLs in subdirectory
* Add CSS `word-wrap` rule to break very long entry title into multiple lines
* Add swipe as option for gesture navigation between entries. There are now 3 possible choices: `none`, `double-tap`, and `swipe`.
* Prefer typographic punctuation in English translation
* Process older entries first:
- Feed entries are usually ordered from most to least recent.
- Processing older entries first ensures that their creation timestamp
is lower than that of newer entries.
- This is useful when we order by creation, because then we get a
consistent timeline.
* Fix Grafana dashboard
* Push Docker images to `Quay.io` (RedHat)
* Bump `golang.org/x/*`, `github.com/lib/pq`, `mvdan.cc/xurls/v2` and `github.com/prometheus/client_golang` dependencies
Version 2.0.43 (March 16, 2023)
-------------------------------
* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592)
Creating an RSS feed item with the inline description containing an `<img>` tag
with a `srcset` attribute pointing to an invalid URL like
`http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error
condition where the invalid URL is returned unescaped and in full.
This results in JavaScript execution on the Miniflux instance as soon as the
user is convinced to open the broken image.
* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591)
HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As
such, it cannot be used to test if the client IP is allowed.
The recommendation is to use HTTP Basic authentication to protect the
metrics endpoint, or run Miniflux behind a trusted reverse-proxy.
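Review bot: in the CVE-2023-27591 entry, "HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As such, it cannot be used to test if the client IP is allowed." pairs a plural subject with a singular pronoun; suggest "they cannot be used to test whether the client IP is allowed". The same entry would be more useful to operators if it stated the consequence of the fix directly: once the `/metrics` network check reads `r.RemoteAddr`, an instance behind a reverse proxy sees the proxy's address rather than the client's, so the network allow-list effectively restricts the proxy, and the Basic authentication or trusted reverse-proxy advice already given in the entry is the mitigation that actually protects the endpoint in that deployment. In the CVE-2023-27592 entry, the explanatory paragraphs about the `srcset` payload are indented as continuation text under the bullet; consider the same indentation as the sub-items under "Process older entries first" so the two sections render consistently.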