Forgejo v7.0.10

New issue

Release notes

• Security bug fixes
  • PR (backported): Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
  • PR (backported): Because of a missing permission check, the branch used to propose a pull request to a repository can always be deleted by the user performing the merge. It was fixed so that such a deletion is only allowed if the user performing the merge has write permission to the repository from which the pull request was made.
• Localization
  • PR (backported): Translation backports to v7
• Included for completeness but not worth a release note
  • PR: Update dependency mermaid to v10.9.3 [SECURITY] (v7.0/forgejo)
  • PR: Update dependency go to v1.22.7 (v7.0/forgejo)

2024-10-29

100% Completed

0 Open 4 Closed 4 All

Label

Show archived labels

Use Alt + Click to exclude labels

All labels No label

arch

riscv64

Archived

backport/v1.19

Archived

backport/v1.20

Archived

backport/v1.21/forgejo

Archived

backport/v10.0/forgejo

Archived

backport/v11.0/forgejo

backport/v12.0/forgejo

Archived

backport/v13.0/forgejo

Archived

backport/v14.0/forgejo

backport/v7.0/forgejo

Archived

backport/v8.0/forgejo

Archived

backport/v9.0/forgejo

Archived

breaking

bug

Archived

bug

confirmed

bug

duplicate

bug

needs-more-info

bug

new-report

bug

reported-upstream

code/actions

code/api

code/auth

code/auth/faidp

code/auth/farp

code/email

code/federation

code/git

code/migrations

code/packages

code/wiki

database

MySQL

database

PostgreSQL

database

SQLite

dependency-upgrade

dependency

certmagic

Archived

dependency

chart.js

Archived

dependency

Chi

Archived

dependency

Chroma

Archived

dependency

citation.js

Archived

dependency

codespell

Archived

dependency

css-loader

Archived

dependency

devcontainers

Archived

dependency

dropzone

Archived

dependency

editorconfig-checker

Archived

dependency

elasticsearch

Archived

dependency

enmime

Archived

dependency

F3

dependency

ForgeFed

dependency

garage

dependency

Git

Archived

dependency

git-backporting

Archived

dependency

Gitea

dependency

gitignore

Archived

dependency

go-ap

Archived

dependency

go-enry

Archived

dependency

go-gitlab

Archived

dependency

Go-org

Archived

dependency

go-rpmutils

Archived

dependency

go-sql-driver mysql

Archived

dependency

go-swagger

Archived

dependency

go-version

Archived

dependency

go-webauthn

Archived

dependency

gocron

Archived

dependency

Golang

dependency

goldmark

Archived

dependency

goquery

Archived

dependency

Goth

Archived

dependency

grpc-go

Archived

dependency

happy-dom

Archived

dependency

Helm

Archived

dependency

image-spec

Archived

dependency

jsonschema

Archived

dependency

KaTeX

Archived

dependency

lint

Archived

dependency

MariaDB

Archived

dependency

Mermaid

Archived

dependency

minio-go

Archived

dependency

misspell

Archived

dependency

Monaco

Archived

dependency

PDFobject

Archived

dependency

playwright

Archived

dependency

postcss

Archived

dependency

postcss-plugins

Archived

dependency

pprof

Archived

dependency

prometheus client_golang

Archived

dependency

protobuf

Archived

dependency

relative-time-element

Archived

dependency

renovate

Archived

dependency

reply

Archived

dependency

ssh

Archived

dependency

swagger-ui

Archived

dependency

tailwind

Archived

dependency

temporal-polyfill

Archived

dependency

terminal-to-html

Archived

dependency

tests-only

Archived

dependency

text-expander-element

Archived

dependency

urfave

Archived

dependency

vfsgen

Archived

dependency

vite

Archived

dependency

Woodpecker CI

Archived

dependency

x tools

Archived

dependency

XORM

Archived

Discussion

duplicate

enhancement/feature

forgejo/accessibility

forgejo/branding

forgejo/ci

forgejo/commit-graph

forgejo/documentation

forgejo/furnace cleanup

Archived

forgejo/i18n

forgejo/interop

forgejo/moderation

forgejo/privacy

forgejo/release

forgejo/scaling

forgejo/security

forgejo/ui

Gain

High

Gain

Nice to have

Gain

Undefined

Gain

Very High

good first issue

i18n/backport-stable

impact

large

impact

medium

impact

small

impact

unknown

Incompatible license

issue

closed

issue

do-not-exist-yet

issue

open

manual test

Archived

Manually tested during feature freeze

OS

FreeBSD

OS

Linux

OS

macOS

OS

Windows

problem

QA

regression

release blocker

Release Cycle

Feature Freeze

release-blocker

v7.0

Archived

release-blocker

v7.0.1

Archived

release-blocker

v7.0.2

Archived

release-blocker

v7.0.3

Archived

release-blocker

v7.0.4

Archived

release-blocker

v8.0.0

Archived

release-blocker/v9.0.0

Archived

run-all-playwright-tests

run-end-to-end-tests

test

manual

test

needed

test

needs-help

test

not-needed

test

present

untested

Archived

User research - time-tracker

valuable code

worth a release-note

User research - Accessibility

User research - Blocked

User research - Community

User research - Config (instance)

User research - Errors

User research - Filters

User research - Future backlog

User research - Git workflow

User research - Labels

User research - Moderation

User research - Needs input

User research - Notifications/Dashboard

User research - Rendering

User research - Repo creation

User research - Repo units

User research - Security

User research - Settings (in-app)

Project

All projects No project

Author

All authors

Assignee

All assignees No assignee

0ko 0xllx0 aahlenst Alex619829 algernon ashimokawa Beowulf c8h4 caesar christopher-besch cobak78 crystal Cyborus davrot Dirk dmowitz efertone emilylange famfo floss4good fnetX fogti forgejo-backport-action forgejo-end-to-end forgejo-experimental-ci forgejo-moderation forgejo-release-manager forgejo-release-notes-assistant forgejo-renovate-action Gusted iamyaash JakobDev jerger JSchlarb KaKi87 kita klausfyhn Kwonunn lenikadali limiting-factor litchipi mahlzahn Mai-Lapyst Maks1mS maltejur marcellmars mfenniak msrd0 mysticmode n0toose nostar oliverpool pat-s patdyn patka release-team sclu1034 smartclip_tim snematoda Snoweuph spiffyk viceice wetneb Xinayder xtex

Sort

Relevance Newest Oldest Recently updated Least recently updated Most commented Least commented Nearest due date Farthest due date

🔥 Forgejo v7.0.10

forgejo/release

1

#5727 by earl-warren was closed 2024-10-28 16:01:14 +01:00 6 / 18

[v7.0/forgejo] use constant time check for internal token

bug

confirmed

forgejo/security

worth a release-note

1

#5723 by forgejo-backport-action was merged 2024-10-28 08:21:15 +01:00

v7.0/forgejo

1 approval 1 waiting review

[v7.0/forgejo] add permission check to 'delete branch after merge'

bug

confirmed

forgejo/security

worth a release-note

#5720 by earl-warren was merged 2024-10-28 07:16:01 +01:00

v7.0/forgejo

Translation backports to v7

forgejo/i18n

1

#5401 by 0ko was merged 2024-09-27 14:46:29 +02:00

v7.0/forgejo

1 approval