Update ChangeLog
This commit is contained in:
Frédéric Guillot
parent
11a352dcfd
commit
ab209df78f
1 changed files with 43 additions and 0 deletions
43
ChangeLog
43
ChangeLog
|
|
@ -1,3 +1,46 @@
|
|||
Version 2.0.43 (March 16, 2023)
|
||||
-------------------------------
|
||||
|
||||
* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592)
|
||||
|
||||
Creating an RSS feed item with the inline description containing an `<img>` tag
|
||||
with a `srcset` attribute pointing to an invalid URL like
|
||||
`http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error
|
||||
condition where the invalid URL is returned unescaped and in full.
|
||||
|
||||
This results in JavaScript execution on the Miniflux instance as soon as the
|
||||
user is convinced to open the broken image.
|
||||
|
||||
* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591)
|
||||
|
||||
HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As
|
||||
such, it cannot be used to test if the client IP is allowed.
|
||||
|
||||
The recommendation is to use HTTP Basic authentication to protect the
|
||||
metrics endpoint, or run Miniflux behind a trusted reverse-proxy.
|
||||
|
||||
* Add HTTP Basic authentication for `/metrics` endpoint
|
||||
* Add proxy support for several media types
|
||||
* Parse feed categories from RSS, Atom and JSON feeds
|
||||
* Ignore empty link when discovering feeds
|
||||
* Disable CGO explicitly to make sure the binary is statically linked
|
||||
* Add CSS classes to differentiate between category/feed/entry view and icons
|
||||
* Add rewrite and scraper rules for `blog.cloudflare.com`
|
||||
* Add `color-scheme` to themes
|
||||
* Add new keyboard shortcut to toggle open/close entry attachments section
|
||||
* Sanitizer: allow `id` attribute in `<sup>` element
|
||||
* Add Indonesian Language
|
||||
* Update translations
|
||||
* Update Docker Compose examples:
|
||||
- Run the application in one command
|
||||
- Bring back the health check condition to `depends_on`
|
||||
- Remove deprecated `version` element
|
||||
* Update scraping rules for `ilpost.it`
|
||||
* Bump `github.com/PuerkitoBio/goquery` from `1.8.0` to `1.8.1`
|
||||
* Bump `github.com/tdewolff/minify/v2` from `2.12.4` to `2.12.5`
|
||||
* Bump `github.com/yuin/goldmark` from `1.5.3` to `1.5.4`
|
||||
* Bump `golang.org/x/*` dependencies
|
||||
|
||||
Version 2.0.42 (January 29, 2023)
|
||||
---------------------------------
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue