| author | 2023-03-16 19:34:20 -0700 |
|---|---|
| committer | 2023-03-16 19:34:20 -0700 |
| commit | ab209df78f41cfd2e3b273682e29c492351575d1 (patch) |
| tree | 63e5835a6e3e3d21bd935a1eb5ce3e9f770f2d7e |
| parent | 11a352dcfdb13f8c469ebdff146864742308f1a9 (diff) |
| download | v2-2.0.43.tar.gz, v2-2.0.43.tar.zst, v2-2.0.43.zip |
Update ChangeLog

Tag: 2.0.43
| -rw-r--r-- | ChangeLog | 43 |
|---|---|---|

1 files changed, 43 insertions, 0 deletions
@@ -1,3 +1,46 @@ +Version 2.0.43 (March 16, 2023) +------------------------------- + +* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592) + + Creating an RSS feed item with the inline description containing an `<img>` tag + with a `srcset` attribute pointing to an invalid URL like + `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error + condition where the invalid URL is returned unescaped and in full. + + This results in JavaScript execution on the Miniflux instance as soon as the + user is convinced to open the broken image. + +* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591) + + HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As + such, it cannot be used to test if the client IP is allowed. + + The recommendation is to use HTTP Basic authentication to protect the + metrics endpoint, or run Miniflux behind a trusted reverse-proxy. + +* Add HTTP Basic authentication for `/metrics` endpoint +* Add proxy support for several media types +* Parse feed categories from RSS, Atom and JSON feeds +* Ignore empty link when discovering feeds +* Disable CGO explicitly to make sure the binary is statically linked +* Add CSS classes to differentiate between category/feed/entry view and icons +* Add rewrite and scraper rules for `blog.cloudflare.com` +* Add `color-scheme` to themes +* Add new keyboard shortcut to toggle open/close entry attachments section +* Sanitizer: allow `id` attribute in `<sup>` element +* Add Indonesian Language +* Update translations +* Update Docker Compose examples: + - Run the application in one command + - Bring back the health check condition to `depends_on` + - Remove deprecated `version` element +* Update scraping rules for `ilpost.it` +* Bump `github.com/PuerkitoBio/goquery` from `1.8.0` to `1.8.1` +* Bump `github.com/tdewolff/minify/v2` from `2.12.4` to `2.12.5` +* Bump `github.com/yuin/goldmark` from `1.5.3` 
to `1.5.4` +* Bump `golang.org/x/*` dependencies + Version 2.0.42 (January 29, 2023) --------------------------------- |
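Review bot: In the `/metrics` entry (CVE-2023-27591), the advice to "run Miniflux behind a trusted reverse-proxy" needs a caveat that follows directly from the change described just above it: once the access check uses `r.RemoteAddr` and ignores `X-Forwarded-For` / `X-Real-Ip`, every request arriving through a reverse proxy carries the proxy's address, so an IP allowlist can no longer tell clients apart, and HTTP Basic authentication becomes the only effective control in that deployment; the entry should state this so operators do not keep relying on a network allowlist that now matches the proxy. Secondly, the CVE-2023-27592 entry explains in detail how the broken-image proxy error is triggered but never says what the handler now returns instead of the unescaped URL; one sentence naming the fix (escaped or generic error response, whichever the code does) is what a reader checking whether they are affected actually needs from a ChangeLog. Minor: "it cannot be used to test if the client IP is allowed" should read "they cannot be used", since the subject is the plural "HTTP headers".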