diff --git a/release-notes-published/11.0.3.md b/release-notes-published/11.0.3.md new file mode 100644 index 0000000000..ed6f150af9 --- /dev/null +++ b/release-notes-published/11.0.3.md @@ -0,0 +1,34 @@ +## Git update fixing CVE-2025-48385 + +Git vulnerabilities were [disclosed 8 July 2025](https://groups.google.com/g/git-packagers/c/cYJ6peBtyxk/m/xVukiATcBQAJ) and require an update of the Git version used by Forgejo to Git [v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1](https://nvd.nist.gov/vuln/detail/CVE-2025-48385). The [containers of this release](https://codeberg.org/forgejo/-/packages/container/forgejo/11.0.3) include a Git binary that is not vulnerable. If Forgejo was installed using a container, it is enough to upgrade the container to get the latest Git binary. + +Security bug fixes are only for Git, there are no security fixes for Forgejo itself in this release. + +## Wiki permissions manual steps + +If collaborators with write access can't edit the wiki, an administrator can now go to the Units settings (`//settings/units#wiki`) and Save the wiki settings (no change is needed) to fix the problem. This is a manual step that will trigger a database update that is currently not possible to automate for Forgejo stable releases. + + + +## Release notes + +- User Interface bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8246) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8283)): fix(ui): add missing lazy load attribute to images (#8246) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8170) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8262)): fix(ui): erroneous list continuation on Cmd+Enter on macOS +- Localization + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8300): i18n: backport of translation updates +- Bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8189) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8456)): fix: do not ignore automerge while a PR is checking for conflicts + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8367) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8385)): fix: user activation with uppercase email address + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8234) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8237)): fix: collaborator can edit wiki with write access +- Included for completeness but not worth a release note + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8460) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8465)): chore: disable mismatched root URL e2e test for safari + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8461) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8462)): chore: do not navigate to same URL in E2E test + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8258) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8445)): fix: corrupted wiki unit default permission (#8234 follow-up) (#8258) + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8261) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8412)): fix: skip empty tokens in SearchOptions.Tokens() + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8400) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8401)): chore: improve reliability of webauthn e2e test + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8326) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8333)): fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8226) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8292)): chore: sort mailer messages in test assertion + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8002) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8289)): fix(ui): release: name is overridden with tag name on edit + - [PR](https://codeberg.org/forgejo/forgejo/pulls/8286) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8287)): Revert "fix(api): document `is_system_webhook` field (#7784)" +