Update ChangeLog
This commit is contained in:
Frédéric Guillot
parent
11a352dcfd
commit
ab209df78f
1 changed files with 43 additions and 0 deletions
43
ChangeLog
43
ChangeLog
|
|
@ -1,3 +1,46 @@
|
||||||
|
Version 2.0.43 (March 16, 2023)
|
||||||
|
-------------------------------
|
||||||
|
|
||||||
|
* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592)
|
||||||
|
|
||||||
|
Creating an RSS feed item with the inline description containing an `<img>` tag
|
||||||
|
with a `srcset` attribute pointing to an invalid URL like
|
||||||
|
`http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error
|
||||||
|
condition where the invalid URL is returned unescaped and in full.
|
||||||
|
|
||||||
|
This results in JavaScript execution on the Miniflux instance as soon as the
|
||||||
|
user is convinced to open the broken image.
|
||||||
|
|
||||||
|
* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591)
|
||||||
|
|
||||||
|
HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As
|
||||||
|
such, it cannot be used to test if the client IP is allowed.
|
||||||
|
|
||||||
|
The recommendation is to use HTTP Basic authentication to protect the
|
||||||
|
metrics endpoint, or run Miniflux behind a trusted reverse-proxy.
|
||||||
|
|
||||||
|
* Add HTTP Basic authentication for `/metrics` endpoint
|
||||||
|
* Add proxy support for several media types
|
||||||
|
* Parse feed categories from RSS, Atom and JSON feeds
|
||||||
|
* Ignore empty link when discovering feeds
|
||||||
|
* Disable CGO explicitly to make sure the binary is statically linked
|
||||||
|
* Add CSS classes to differentiate between category/feed/entry view and icons
|
||||||
|
* Add rewrite and scraper rules for `blog.cloudflare.com`
|
||||||
|
* Add `color-scheme` to themes
|
||||||
|
* Add new keyboard shortcut to toggle open/close entry attachments section
|
||||||
|
* Sanitizer: allow `id` attribute in `<sup>` element
|
||||||
|
* Add Indonesian Language
|
||||||
|
* Update translations
|
||||||
|
* Update Docker Compose examples:
|
||||||
|
- Run the application in one command
|
||||||
|
- Bring back the health check condition to `depends_on`
|
||||||
|
- Remove deprecated `version` element
|
||||||
|
* Update scraping rules for `ilpost.it`
|
||||||
|
* Bump `github.com/PuerkitoBio/goquery` from `1.8.0` to `1.8.1`
|
||||||
|
* Bump `github.com/tdewolff/minify/v2` from `2.12.4` to `2.12.5`
|
||||||
|
* Bump `github.com/yuin/goldmark` from `1.5.3` to `1.5.4`
|
||||||
|
* Bump `golang.org/x/*` dependencies
|
||||||
|
|
||||||
Version 2.0.42 (January 29, 2023)
|
Version 2.0.42 (January 29, 2023)
|
||||||
---------------------------------
|
---------------------------------
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue