From 617f27d63787f4096395646da1343be6b718809b Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Sun, 17 Nov 2024 18:42:18 +0100
Subject: [PATCH] Release: v2023.12.11

---
 CHANGELOG.md | 20 ++++++++++++++++++++
 package.json | 2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4cc7a28d..5ffbb7b81 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,23 @@
+## v2023.12.11
+This release contains several critical security patches, as well as minor fixes and improvements. Upgrading is strongly recommended for all server operators.
+
+### Highlights
+- Several DoS, impersonation, data leakage & click jacking vulnerabilities have been patched
+
+### Backend
+- Various issues related to AP object validation have been resolved
+- The ap/get API endpoint is now only available to administrators
+- Blocks are now enforced in NoteRepository.isVisibleForMe
+- Audience parsing no longer bypasses the AP recursion limit
+- Edits of local-only notes are no longer federated out
+- AP object URIs now get canonicalized before comparing them for consistency
+- SSRF prevention now applies to all code paths
+
+### Attribution
+This release was made possible by project contributors: Kopper & Laura Hausmann
+
+Furthermore, I want to give special thanks to Hazel Koehler for the vulnerability disclosure.
+
 ## v2023.12.10
 This release contains a critical security patch, as well as minor fixes and improvements. Upgrading is strongly recommended for all server operators.
 
diff --git a/package.json b/package.json
index 62c20426a..963c3162c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "iceshrimp",
- "version": "2023.12.10",
+ "version": "2023.12.11",
 "repository": {
 "type": "git",
 "url": "https://iceshrimp.dev/iceshrimp/iceshrimp.git"