Update codeberg.org/forgejo/forgejo Docker tag to v7.0.4 #6

Merged
ada merged 1 commit from renovate/codeberg.org-forgejo-forgejo-7.x into main 2024-06-13 18:53:24 +02:00
Collaborator

This PR contains the following updates:

Package Type Update Change
codeberg.org/forgejo/forgejo (source) final patch 7.0.3 -> 7.0.4

Release Notes

forgejo/forgejo (codeberg.org/forgejo/forgejo)

v7.0.4

Compare Source

This is a security release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of commits included in this release.

  • Security:

    • PR. Fixed: CVE-2024-24789: the archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file.
    • PR - (fix & test). Fixed: the OAuth2 implementation does not always require authentication for public clients, a requirement of RFC 6749 Section 10.2. A malicious client can impersonate another client and obtain access to protected resources if the impersonated client fails to, or is unable to, keep its client credentials confidential.
  • Bug fixes:

    • backport - PR. Fixed: forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
    • backport - PR. Fixed: avatar files can be found in storage while they do not exist in the database.
    • backport - PR. Fixed: repository admins are always denied the right to force merge and instance admins are subject to restrictions to merge that must only apply to repository admins.
    • backport - PR. Fixed: non conformance with the Nix tarball fetcher immutable link protocol.
    • backport - PR. Fixed: migrated activities (such as reviews) are mapped to the user who initiated the migration rather than the Ghost user, if the external user cannot be mapped to a local one. This mapping mismatch leads to internal server errors in some cases.
    • backport - PR. Fixed: a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
    • backport - PR. Fixed: using a subquery for user deletion is a performance bottleneck when using mariadb 10 because only mariadb 11 takes advantage of the available index.
    • backport - PR. Fixed: a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
    • backport - PR. Fixed: SourceHut Builds webhook fail when the triggers field is used.
    • backport - PR. Fixed: the label list rendering in the issue and pull request timeline is displayed on multiple lines instead of a single one.
    • backport - PR - commit. Fixed: NuGet Package fails choco info pkgname when pkgname is also a substring of another package Id.
    • backport - PR - commit. Fixed: "Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
    • backport - PR - commit. Fixed: automerge does not happen when the approval count reaches the required threshold.
    • backport - PR - commit. Fixed: the FORCE_PRIVATE=true setting is not consistently enforced.
    • backport - PR - commit. Fixed: CSRF validation errors when OAuth is not enabled.
    • backport - PR. Fixed: headlines in rendered org-mode do not have a margin on the top
  • Localization:

    • Improvements to English locale: [1], [2].
    • Translation updates: [1], [2], [3].

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [codeberg.org/forgejo/forgejo](https://forgejo.org) ([source](https://codeberg.org/forgejo/forgejo)) | final | patch | `7.0.3` -> `7.0.4` | --- ### Release Notes <details> <summary>forgejo/forgejo (codeberg.org/forgejo/forgejo)</summary> ### [`v7.0.4`](https://codeberg.org/forgejo/forgejo/blob/HEAD/RELEASE-NOTES.md#704) [Compare Source](https://codeberg.org/forgejo/forgejo/compare/v7.0.3...v7.0.4) This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v7.0/admin/upgrade/). In addition to the following notable bug fixes, you can browse the [full list of commits](https://codeberg.org/forgejo/forgejo/compare/v7.0.3...v7.0.4) included in this release. - **Security:** - [PR](https://codeberg.org/forgejo/forgejo/pulls/4054). Fixed: [CVE-2024-24789](https://pkg.go.dev/vuln/GO-2024-2888): the archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. - [PR](https://codeberg.org/forgejo/forgejo/pulls/3639) - ([fix](https://codeberg.org/forgejo/forgejo/commit/1b088fade6c69e63843d1bdf402454c363b22ce2) & [test](https://codeberg.org/forgejo/forgejo/pulls/4032)). Fixed: the OAuth2 implementation does not always require authentication for public clients, a requirement of [RFC 6749 Section 10.2](https://datatracker.ietf.org/doc/html/rfc6749#section-10.2). A malicious client can impersonate another client and obtain access to protected resources if the impersonated client fails to, or is unable to, keep its client credentials confidential. - **Bug fixes:** - [backport](https://codeberg.org/forgejo/forgejo/pulls/4086) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4085). Fixed: `forgejo migrate-storage --type actions-artifacts` always fails because it picks the wrong path. - [backport](https://codeberg.org/forgejo/forgejo/pulls/4017) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4015). Fixed: avatar files can be found in storage while they do not exist in the database. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3997) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3976). Fixed: repository admins are always denied the right to force merge and instance admins are subject to restrictions to merge that must only apply to repository admins. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3946) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3615). Fixed: non conformance with the [Nix tarball fetcher immutable link protocol](https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md). - [backport](https://codeberg.org/forgejo/forgejo/pulls/3936) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3935). Fixed: migrated activities (such as reviews) are mapped to the user who initiated the migration rather than the Ghost user, if the external user cannot be mapped to a local one. This mapping mismatch leads to internal server errors in some cases. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3906) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3904). Fixed: a v7.0.0 regression causes `[admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true` to always be ignored. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3888) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3865). Fixed: using a subquery for user deletion is a performance bottleneck when using mariadb 10 because only mariadb 11 takes advantage of the available index. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3887) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3885). Fixed: a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3881) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3864). Fixed: SourceHut Builds webhook fail when the `triggers` field is used. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3877) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3242). Fixed: the label list rendering in the issue and pull request timeline is displayed on multiple lines instead of a single one. - [backport](https://codeberg.org/forgejo/forgejo/pulls/4084) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4083) - [commit](https://codeberg.org/forgejo/forgejo/commit/c6e04c3c9eddfa6c4bec541f681c8d300b157cdb). Fixed: NuGet Package fails `choco info pkgname` when `pkgname` is also a substring of another package Id. - [backport](https://codeberg.org/forgejo/forgejo/pulls/4004) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3989) - [commit](https://codeberg.org/forgejo/forgejo/commit/62448bfb931882859388b2fd472cb89428c25323). Fixed: "Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3942) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3917) - [commit](https://codeberg.org/forgejo/forgejo/commit/7d7ea45465d6cd1ea0ec549a71f67b4a8ff930cf). Fixed: automerge does not happen when the approval count reaches the required threshold. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3942) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3917) - [commit](https://codeberg.org/forgejo/forgejo/commit/a649610d6175d1994b838f5672261400df9fdb92). Fixed: the `FORCE_PRIVATE=true` setting is not consistently enforced. - [backport](https://codeberg.org/forgejo/forgejo/pulls/3859) - [PR](https://codeberg.org/forgejo/forgejo/pulls/3838) - [commit](https://codeberg.org/forgejo/forgejo/commit/193ac67176afc72e9d108bc1730c354bfbf9a442). Fixed: CSRF validation errors when OAuth is not enabled. - [backport](https://codeberg.org/forgejo/forgejo/pulls/4107) - [PR](https://codeberg.org/forgejo/forgejo/pulls/4076). Fixed: headlines in rendered org-mode do not have a margin on the top - **Localization:** - Improvements to English locale: [\[1\]](https://codeberg.org/forgejo/forgejo/pulls/3914), [\[2\]](https://codeberg.org/forgejo/forgejo/pulls/4114). - Translation updates: [\[1\]](https://codeberg.org/forgejo/forgejo/pulls/3907), [\[2\]](https://codeberg.org/forgejo/forgejo/pulls/3990), [\[3\]](https://codeberg.org/forgejo/forgejo/pulls/4099). </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MDcuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
renovate-bot added 1 commit 2024-06-13 18:35:26 +02:00
Update codeberg.org/forgejo/forgejo Docker tag to v7.0.4
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
d61baa28b6
ada merged commit 669a596636 into main 2024-06-13 18:53:24 +02:00
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: enpls/forgejo-docker#6
No description provided.