From 4c0c658152cc1db7153a4171deec250fde5c6e07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= Date: Sat, 6 May 2023 14:09:45 -0700 Subject: [PATCH] Update ChangeLog --- ChangeLog | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 98e81908..204249c4 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,21 +1,44 @@ +Version 2.0.44 (May 6, 2023) +---------------------------- + +* Add link to the URL rewrite rules documentation +* Update scraping rules for `ilpost.it` +* Update rewrite rules for `theverge.com` +* Add a rewrite rule to remove clickbait titles +* Make sure `PROXY_IMAGES` option is backward compatible with `PROXY_OPTION` and `PROXY_MEDIA_TYPES` +* Add new rule to remove tables +* Add support for searching well-known URLs in subdirectory +* Add CSS `word-wrap` rule to break very long entry title into multiple lines +* Add swipe as option for gesture navigation between entries. There are now 3 possible choices: `none`, `double-tap`, and `swipe`. +* Prefer typographic punctuation in English translation +* Process older entries first: + - Feed entries are usually ordered from most to least recent. + - Processing older entries first ensures that their creation timestamp + is lower than that of newer entries. + - This is useful when we order by creation, because then we get a + consistent timeline. +* Fix Grafana dashboard +* Push Docker images to `Quay.io` (RedHat) +* Bump `golang.org/x/*`, `github.com/lib/pq`, `mvdan.cc/xurls/v2` and `github.com/prometheus/client_golang` dependencies + Version 2.0.43 (March 16, 2023) ------------------------------- * Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592) - + Creating an RSS feed item with the inline description containing an `` tag with a `srcset` attribute pointing to an invalid URL like `http:a`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. - + This results in JavaScript execution on the Miniflux instance as soon as the user is convinced to open the broken image. * Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591) - + HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As such, it cannot be used to test if the client IP is allowed. 
- + The recommendation is to use HTTP Basic authentication to protect the metrics endpoint, or run Miniflux behind a trusted reverse-proxy.
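Review bot: the CVE-2023-27592 entry being touched here still reads "containing an `` tag with a `srcset` attribute", so the element name is missing from the security description of the XSS; since this commit is already editing those four explanation lines, name the tag (the entry is about a broken image, so presumably `<img>`) rather than leaving an empty code span in a CVE description. Two smaller documentation points in the new 2.0.44 block: "Make sure `PROXY_IMAGES` option is backward compatible with `PROXY_OPTION` and `PROXY_MEDIA_TYPES`" does not say which of these is the older option and which are the replacements, and an operator reading the changelog before upgrading needs to know whether `PROXY_IMAGES` is now deprecated and what to set instead; "Add new rule to remove tables" and "Add support for searching well-known URLs in subdirectory" do not say which rule set (scraper or rewrite) or which discovery step they refer to, so a word or two each, in the style of the `ilpost.it` and `theverge.com` entries above them, would make these entries searchable.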