From ab209df78f41cfd2e3b273682e29c492351575d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= Date: Thu, 16 Mar 2023 19:34:20 -0700 Subject: [PATCH] Update ChangeLog --- ChangeLog | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/ChangeLog b/ChangeLog index 37a11c22..98e81908 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,46 @@ +Version 2.0.43 (March 16, 2023) +------------------------------- + +* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592) + + Creating an RSS feed item with the inline description containing an `` tag + with a `srcset` attribute pointing to an invalid URL like + `http:a`, we can coerce the proxy handler into an error + condition where the invalid URL is returned unescaped and in full. + + This results in JavaScript execution on the Miniflux instance as soon as the + user is convinced to open the broken image. + +* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591) + + HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As + such, it cannot be used to test if the client IP is allowed. + + The recommendation is to use HTTP Basic authentication to protect the + metrics endpoint, or run Miniflux behind a trusted reverse-proxy. + +* Add HTTP Basic authentication for `/metrics` endpoint +* Add proxy support for several media types +* Parse feed categories from RSS, Atom and JSON feeds +* Ignore empty link when discovering feeds +* Disable CGO explicitly to make sure the binary is statically linked +* Add CSS classes to differentiate between category/feed/entry view and icons +* Add rewrite and scraper rules for `blog.cloudflare.com` +* Add `color-scheme` to themes +* Add new keyboard shortcut to toggle open/close entry attachments section +* Sanitizer: allow `id` attribute in `` element +* Add Indonesian Language +* Update translations +* Update Docker Compose examples: + - Run the application in one command + - Bring back the health check condition to `depends_on` + - Remove deprecated `version` element +* Update scraping rules for `ilpost.it` +* Bump `github.com/PuerkitoBio/goquery` from `1.8.0` to `1.8.1` +* Bump `github.com/tdewolff/minify/v2` from `2.12.4` to `2.12.5` +* Bump `github.com/yuin/goldmark` from `1.5.3` to `1.5.4` +* Bump `golang.org/x/*` dependencies + Version 2.0.42 (January 29, 2023) ---------------------------------