| 1 | +Version 2.0.43 (March 16, 2023) |
| 2 | +------------------------------- |
| 3 | + |
| 4 | +* Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler (CVE-2023-27592) |
| 5 | + |
| 6 | + Creating an RSS feed item with the inline description containing an `<img>` tag |
| 7 | + with a `srcset` attribute pointing to an invalid URL like |
| 8 | + `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error |
| 9 | + condition where the invalid URL is returned unescaped and in full. |
| 10 | + |
| 11 | + This results in JavaScript execution on the Miniflux instance as soon as the |
| 12 | + user is convinced to open the broken image. |
| 13 | + |
| 14 | +* Use `r.RemoteAddr` to check `/metrics` endpoint network access (CVE-2023-27591) |
| 15 | + |
| 16 | + HTTP headers like `X-Forwarded-For` or `X-Real-Ip` can be easily spoofed. As |
| 17 | + such, it cannot be used to test if the client IP is allowed. |
| 18 | + |
| 19 | + The recommendation is to use HTTP Basic authentication to protect the |
| 20 | + metrics endpoint, or run Miniflux behind a trusted reverse-proxy. |
| 21 | + |
| 22 | +* Add HTTP Basic authentication for `/metrics` endpoint |
| 23 | +* Add proxy support for several media types |
| 24 | +* Parse feed categories from RSS, Atom and JSON feeds |
| 25 | +* Ignore empty link when discovering feeds |
| 26 | +* Disable CGO explicitly to make sure the binary is statically linked |
| 27 | +* Add CSS classes to differentiate between category/feed/entry view and icons |
| 28 | +* Add rewrite and scraper rules for `blog.cloudflare.com` |
| 29 | +* Add `color-scheme` to themes |
| 30 | +* Add new keyboard shortcut to toggle open/close entry attachments section |
| 31 | +* Sanitizer: allow `id` attribute in `<sup>` element |
| 32 | +* Add Indonesian Language |
| 33 | +* Update translations |
| 34 | +* Update Docker Compose examples: |
| 35 | + - Run the application in one command |
| 36 | + - Bring back the health check condition to `depends_on` |
| 37 | + - Remove deprecated `version` element |
| 38 | +* Update scraping rules for `ilpost.it` |
| 39 | +* Bump `github.com/PuerkitoBio/goquery` from `1.8.0` to `1.8.1` |
| 40 | +* Bump `github.com/tdewolff/minify/v2` from `2.12.4` to `2.12.5` |
| 41 | +* Bump `github.com/yuin/goldmark` from `1.5.3` to `1.5.4` |
| 42 | +* Bump `golang.org/x/*` dependencies |
| 43 | + |
1 | 44 | Version 2.0.42 (January 29, 2023)
2 | 45 | ---------------------------------
3 | 46 |
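Review bot: the CVE-2023-27591 entry should say what the switch to `r.RemoteAddr` means for operators running behind a reverse proxy, since the advice on those lines ("run Miniflux behind a trusted reverse-proxy") is in tension with the fix: once the client IP is read from the TCP connection rather than from `X-Forwarded-For` / `X-Real-Ip`, an instance behind a proxy sees the proxy's address, so any network allow-list for `/metrics` must list the proxy, and the proxy itself must enforce the per-client restriction or the newly added HTTP Basic authentication must be used. A sentence to that effect would save upgrade surprises. Also, in the same entry, "As such, it cannot be used to test if the client IP is allowed" refers to the plural "HTTP headers" and should read "they cannot be used". The CVE-2023-27592 entry is clear as written; one might add that the escaping now applied covers every error path of the proxy handler, not only the `srcset` case, if that is what the fix does.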