Releases: diaspora/diaspora
diaspora* 0.5.9.1
Update Nokogiri to 1.6.8, which in turn updates libxml2 to 2.9.4 and libxslt to 1.1.29, addressing a range of security issues. See https://groups.google.com/forum/#!topic/ruby-security-ann/RCHyF5K9Lbc for more details.
diaspora* 0.5.9.0
diaspora* 0.5.8.0
diaspora* 0.5.7.1
This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious, spoofed or modified posts on behalf of any person.
Disabling the fetching will make the current federation a bit less reliable, but for a hotfix this is the best solution. We will re-enable the fetching in 0.6.0.0, when we have moved the federation out into its own library and are able to implement further validation during fetches.
diaspora* 0.5.7.0
Refactor
- Internationalize controller rescue_from text #6554
- Make mention parsing a bit more robust #6658
- Remove unlicensed images #6673
- Removed unused contacts_title #6687
Bug fixes
- Fix plural rules handling more than wanted as "one" #6630
- Fix suppress_annoying_errors eating too many errors #6653
- Ensure the rubyzip gem is properly loaded #6659
- Fix mobile registration layout after failed registration #6677
- Fix mirrored names when using an RTL language #6680
- Disable submitting a post multiple times in the mobile UI #6682
Features
diaspora* 0.5.6.3
Fix evil regression caused by Active Model no longer exposing include_root_in_json in instances.
diaspora* 0.5.6.2
- Fix CVE-2016-0751 - Possible Object Leak and Denial of Service attack in Action Pack
- Fix CVE-2015-7581 - Object leak vulnerability for wildcard controller routes in Action Pack
- Fix CVE-2015-7576 - Timing attack vulnerability in basic authentication in Action Controller
- Fix CVE-2016-0752 - Possible Information Leak Vulnerability in Action View
- Fix CVE-2016-0753 - Possible Input Validation Circumvention in Active Model
- Fix CVE-2015-7577 - Nested attributes rejection proc bypass in Active Record
- Fix CVE-2015-7579 - XSS vulnerability in rails-html-sanitizer
- Fix CVE-2015-7578 - Possible XSS vulnerability in rails-html-sanitizer
diaspora* 0.5.6.1
- Fix Nokogiri CVE-2015-7499
- Fix unsafe "Remember me" cookies in Devise
diaspora* 0.5.6.0
Refactor
- Add more integration tests with the help of the new diaspora-federation gem #6539
Bug fixes
- Fix mention autocomplete when pasting the username #6510
- Use and update updated_at for notifications #6573
- Ensure the author signature is checked when receiving a relayable #6539
- Do not try to display hovercards when logged out #6587
Features
- Display hovercards without aspect dropdown when logged out #6603
- Add media.ccc.de as a trusted oEmbed endpoint
diaspora* 0.5.5.1
- Fix XSS on profile pages
- Bump nokogiri to fix several libxml2 CVEs, see http://www.ubuntu.com/usn/usn-2834-1/