Skip to content

v2.7.1

Latest
Compare
Choose a tag to compare
@ZeiP ZeiP released this 25 Jul 20:57
· 83 commits to master since this release

Security advisory CVE-2024-41805 (severity 6.1 / moderate)

This release fixes a few reflected XSS vulnerabilities which enabled execution
of malicious JavaScript in the context of a user’s browser if that user clicks
on a malicious link, possibly allowing retrieval or modification of the current
user's data. The issue is of moderate severity (score 6.1/10) with the CVSS
rating CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

I want to thank Alec Romano for reporting the issues.

New features

  • The test suite now uses always the same Dockerfile as the main build.
  • The Dockerfile now supports environment-specific builds via stages.
    Note: This requires slight changes to docker build commands, see documentation!

Deprecations

  • This will be the last release to support Ruby 3.0, which is already end-of-life.

Bug fixes

  • Lots of dependencies have been updated (including security updates).
  • Fixed Docker build not working on an archive version (ie. one not cloned with Git)
  • An error is shown if the user being created already exists.
  • The TOS error in user creation is now in template.
  • Schema.rb has been updated for Postgres support.

Updated translations

  • Spanish (thanks Gallegonovato!)
  • Finnish (by maintainer Jyri-Petteri ”ZeiP” Paloposki)