[v15.0/forgejo]: 2026-06-10 security patches #13002

Birleştirildi

Beowulf security-2026-06-10-v15 'nden gelen 6 değişiklikleri(commit'leri), v15.0/forgejo 'ine 2026-06-10 06:03:30 +02:00 olarak birleştirildi

Sohbet 3 İşleme 6 Değiştirilen Dosyalar 19 +408 -36

mfenniak 2026-06-08 20:52:17 +02:00 yorum yaptı

Üye

Bağlantıyı Kopyala

• fix: prevent stored XSS in user display name on Actions page
• fix: LFS locks must belong to the intended repo, port from Gitea
• fix: prevent unauthorized access to draft releases via API
• fix: prevent writes to OpenID visibility which may affect other users
• fix: prevent viewing private PRs that are linked to public issues on public projects

Release notes

• Security bug fixes
  • PR: : 2026-06-10 security patches

- fix: prevent stored XSS in user display name on Actions page - fix: LFS locks must belong to the intended repo, port from Gitea - fix: prevent unauthorized access to draft releases via API - fix: prevent writes to OpenID visibility which may affect other users - fix: prevent viewing private PRs that are linked to public issues on public projects <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Security bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/13002): <!--number 13002 --><!--line 0 --><!--description OiAyMDI2LTA2LTEwIHNlY3VyaXR5IHBhdGNoZXM=-->: 2026-06-10 security patches<!--description--> <!--end release-notes-assistant-->

mfenniak

test

needed

etiketini 2026-06-08 20:52:18 +02:00 ekledi

mfenniak 1 işlemeyi 2026-06-08 20:52:18 +02:00 ekledi

placeholder Security fixes 2026-06-10 63c3b84a84

mfenniak başlığı [v15.0/forgejo]: placeholder: Security fixes 2026-06-10 [skip ci] iken [v15.0/forgejo]: 2026-06-10 security patches olarak 2026-06-10 04:14:32 +02:00 değiştirdi

mfenniak

forgejo/security

test

present

ekleme ve

test

needed

kaldırma işlemlerini 2026-06-10 04:14:44 +02:00 yaptı

mfenniak security-2026-06-10-v15 63c3b84a84 hedefinden 468533c3bb hedefine zorla gönderildi 2026-06-10 04:15:30 +02:00 Karşılaştır

Beowulf 2026-06-10 06:03:15 +02:00 bu değişiklikleri onayladı

Beowulf f6d4219f10 işlemesi, v15.0/forgejo dalına birleştirildi 2026-06-10 06:03:30 +02:00

Beowulf referenced this pull request from a commit 2026-06-10 06:03:32 +02:00

[v15.0/forgejo]: 2026-06-10 security patches (#13002)

Beowulf security-2026-06-10-v15 dalı silindi 2026-06-10 06:03:33 +02:00

0ko 2026-06-10 06:03:51 +02:00 bu değişiklikleri onayladı

forgejo-release-notes-assistant 2026-06-10 06:04:18 +02:00 Forgejo v15.0.3 kilometre taşına ekledi

0ko

worth a release-note

bug

confirmed

etiketlerini 2026-06-10 06:04:21 +02:00 ekledi

forgejo-release-notes-assistant 2026-06-10 06:06:29 +02:00 yorum yaptı

Üye

Bağlantıyı Kopyala

Where does that come from?

The following is a preview of the release notes for this pull request, as they will appear in the upcoming release. They are derived from the content of the `release-notes/13002.md` file, if it exists, or the title of the pull request. They were also added at the bottom of the description of this pull request for easier reference.

This message and the release notes originate from a call to the release-notes-assistant.

@@ -3,3 +3,11 @@
 - fix: prevent unauthorized access to draft releases via API
 - fix: prevent writes to OpenID visibility which may affect other users
-- fix: prevent viewing private PRs that are linked to public issues on public projects
\ No newline at end of file
+- fix: prevent viewing private PRs that are linked to public issues on public projects
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/13002): <!--number 13002 --><!--line 0 --><!--description OiAyMDI2LTA2LTEwIHNlY3VyaXR5IHBhdGNoZXM=-->: 2026-06-10 security patches<!--description-->
+<!--end release-notes-assistant-->

Release notes

• Security bug fixes
  • PR: : 2026-06-10 security patches

<details> <summary>Where does that come from?</summary> The following is a preview of the release notes for this pull request, as they will appear in the upcoming release. They are derived from the content of the `release-notes/13002.md` file, if it exists, or the title of the pull request. They were also added at the bottom of the description of this pull request for easier reference. This message and the release notes originate from a call to the [release-notes-assistant](https://code.forgejo.org/forgejo/release-notes-assistant). ```diff @@ -3,3 +3,11 @@ - fix: prevent unauthorized access to draft releases via API - fix: prevent writes to OpenID visibility which may affect other users -- fix: prevent viewing private PRs that are linked to public issues on public projects \ No newline at end of file +- fix: prevent viewing private PRs that are linked to public issues on public projects + +<!--start release-notes-assistant--> + +## Release notes +<!--URL:https://codeberg.org/forgejo/forgejo--> +- Security bug fixes + - [PR](https://codeberg.org/forgejo/forgejo/pulls/13002): <!--number 13002 --><!--line 0 --><!--description OiAyMDI2LTA2LTEwIHNlY3VyaXR5IHBhdGNoZXM=-->: 2026-06-10 security patches<!--description--> +<!--end release-notes-assistant--> ``` </details> <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Security bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/13002): <!--number 13002 --><!--line 0 --><!--description OiAyMDI2LTA2LTEwIHNlY3VyaXR5IHBhdGNoZXM=-->: 2026-06-10 security patches<!--description--> <!--end release-notes-assistant-->

0ko bu değişiklik isteğine referansta bulundu forgejo/security-announcements'den 2026-06-10 08:22:59 +02:00

Forgejo v11.0.15 and v15.0.3 #54

Bu konuşmaya katılmak için oturum aç.

Gözden Geçirenler

Değerlendirici yok

Beowulf

0ko

Etiketler

Etiketleri temizle   

arch

riscv64

Arşivlenmiş

  

backport/v1.19

Scheduled for backport to Forgejo v1.19

Arşivlenmiş

  

backport/v1.20

Scheduled for backport to Forgejo v1.20

Arşivlenmiş

  

backport/v1.21/forgejo

Scheduled for backport to Forgejo v1.21

Arşivlenmiş

  

backport/v10.0/forgejo

Automated backport to v10.0

Arşivlenmiş

  

backport/v11.0/forgejo

Automated backport to v11.0

  

backport/v12.0/forgejo

Automated backport to v12.0

Arşivlenmiş

  

backport/v13.0/forgejo

Automated backport to v13.0

Arşivlenmiş

  

backport/v14.0/forgejo

Automated backport to v14.0

Arşivlenmiş

  

backport/v15.0/forgejo

Automated backport to v15.0

  

backport/v7.0/forgejo

Scheduled for backport to Forgejo v7.0

Arşivlenmiş

  

backport/v8.0/forgejo

Scheduled for backport to Forgejo v8.0

Arşivlenmiş

  

backport/v9.0/forgejo

Scheduled for backport to Forgejo v9.0

Arşivlenmiş

  

breaking

The release containing this change is not backward compatible

  

bug

Something is not working

Arşivlenmiş

  

bug

confirmed

it can be reproduced

  

bug

duplicate

bug has already been reported in the Forgejo tracker

  

bug

needs-more-info

the information provided does not contain enough details

  

bug

new-report

bug has just been reported and need triage (default label on issue creation)

  

bug

reported-upstream

bug cannot be fixed within Forgejo easily, it has been reported upstream

  

code/actions

Forgejo Actions feature

  

code/api

API

  

code/auth

Forgejo Authentication

  

code/auth/faidp

Forgejo as Identity Provider (in OAuth/OIDC flow)

  

code/auth/farp

Forgejo as Relying Party / Client (in OAuth/OIDC flow)

  

code/email

Everything related to email in Forgejo

  

code/federation

Federation

  

code/git

Related to the Git backend in Forgejo

  

code/migrations

Migration between Git forges (i.e. for GitHub, GitLab, Gitea, Forgejo, etc.). NOT for database migrations.

  

code/packages

Forgejo package and container registry

  

code/wiki

  

database

MySQL

https://www.mysql.com/

  

database

PostgreSQL

https://www.postgresql.org/

  

database

SQLite

https://sqlite.org/

  

dependency-upgrade

https://codeberg.org/forgejo/forgejo/issues/2779

  

dependency

Chi

https://github.com/go-chi/chi/

Arşivlenmiş

  

dependency

Chroma

https://github.com/alecthomas/chroma/

Arşivlenmiş

  

dependency

F3

https://f3.forgefriends.org/

  

dependency

ForgeFed

https://forgefed.org

  

dependency

garage

https://git.deuxfleurs.fr/Deuxfleurs/garage

  

dependency

Gitea

https://github.com/go-gitea/gitea

Arşivlenmiş

  

dependency

Golang

https://go.dev/

  

Discussion

  

duplicate

This issue or pull request already exists

  

enhancement/feature

New feature

  

forgejo/accessibility

Accessibility (a11y)

  

forgejo/branding

Branding (logo, name, tagline etc.)

  

forgejo/ci

Forgejo Actions CI configuration

  

forgejo/commit-graph

The commit graph feature and page.

  

forgejo/documentation

  

forgejo/furnace cleanup

Keeping Forgejo in sync with its dependencies and contributing back to them

Arşivlenmiş

  

forgejo/i18n

t9n/translation, l10n/localization, and i18n/internationalization of Forgejo

  

forgejo/interop

Interoperability with other services: Webhooks, bridges, integrations

  

forgejo/moderation

Moderation

  

forgejo/privacy

Privacy first

  

forgejo/release

Release management

  

forgejo/scaling

Performance and scaling

  

forgejo/security

Security (please disclose responsibly)

  

forgejo/ui

User interface

  

Gain

High

User research provides indicators that this would be good to have, interested contributors are encouraged to pick this.

  

Gain

Nice to have

This is likely worth having, but the assumption is not backed by user research data (it might benefit a small amount of users only.) Unlikely to receive much attention, but feel free to pick.

  

Gain

Undefined

Not enough information to assess the request's benefits. This issue may be closed if no gain is established: You can help by giving us more input.

  

Gain

Very High

User research indicates that this is an important improvement for Forgejo users. Contributions very welcome!

  

good first issue

Optimal for first-timers! Make sure to look for further explanations and ask for help if needed. If you want, you can consider the person who added this label as a point of contact.

  

i18n/backport-stable

This PR needs to be backported to stable branch of Forgejo safely and manually, using a migration script.

  

impact

large

Large impact: Potential data loss, many users affected, major degradation in UX.

  

impact

medium

Medium impact: Several users affected, degradation in UX, workarounds might be available but inconvenient.

  

impact

small

Small impact: No data loss, workarounds might be available, affects few users.

  

impact

unknown

Report was not yet triaged to assess impact.

  

Incompatible license

This pull request contains changes that are not (yet) compatible with the current Forgejo license

  

issue

closed

The issue was resolved in the repository of the dependency

  

issue

do-not-exist-yet

An issue should be created in the respository of the dependency

  

issue

open

An open issue exists in the upstream repository of the dependency

  

manual test

Pull requests that have been merged with a manual test

Arşivlenmiş

  

Manually tested during feature freeze

The manual test instructions were followed

  

OS

FreeBSD

Specific to the FreeBSD Operating System

  

OS

Linux

Specific to (GNU/)Linux Operating Systems

  

OS

macOS

Specific to the MacOS Operating System

  

OS

Windows

Specific to the Windows Operating System

  

problem

A user report about a problem. Needs to be triaged to find potential solutions.

  

QA

  

regression

found in the version of the milestone and not before

  

release blocker

Issues that must be fixed before the release can be published

  

Release Cycle

Feature Freeze

Only bug fixes with automated tests (except for CSS/JavaScript)

  

release-blocker

v7.0

Issues that must be fixed before Forgejo v7.0 can be released 17 April 2024

Arşivlenmiş

  

release-blocker

v7.0.1

Issues that must be fixed before Forgejo v7.0.1 can be released

Arşivlenmiş

  

release-blocker

v7.0.2

Issues that must be fixed before Forgejo v7.0.2 can be released

Arşivlenmiş

  

release-blocker

v7.0.3

Issues that must be fixed before Forgejo v7.0.3 can be released

Arşivlenmiş

  

release-blocker

v7.0.4

Issues that must be fixed before Forgejo v7.0.4 can be released

Arşivlenmiş

  

release-blocker

v8.0.0

Issues that must be fixed before Forgejo v8.0.0 can be released

Arşivlenmiş

  

release-blocker/v9.0.0

Issues that must be fixed before Forgejo v9.0.0 can be released

Arşivlenmiş

  

run-all-playwright-tests

Add this label to a PR to run all playwright tests manually.

  

run-end-to-end-tests

Trigger additional tests on the PR when it is ready to be merged

  

stage

2-research

Needs research to moe on.

  

stage

3-design

Needs design to move on

  

stage

4-implementation

This is actionable and waits for implementation

  

test

manual

manual testing has been documented

  

test

needed

test should be added

  

test

needs-help

help needed to add a test

  

test

not-needed

no additional test is needed

  

test

present

test has been added

  

untested

Pull requests that have been merged with no test and submitted as is to the dependency where they belong

Arşivlenmiş

  

User research - time-tracker

Time tracking feature for issues and the JS stopwatch.

  

valuable code

This PR was closed because the implementation is incomplete

  

worth a release-note

Add this PR to the release notes

  

User research - Accessibility

Requires input about accessibility features, likely involves user testing.

  

User research - Blocked

Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.

  

User research - Community

Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.

  

User research - Config (instance)

Instance-wide configuration, authentication and other admin-only needs.

  

User research - Errors

How to deal with errors in the application and write helpful error messages.

  

User research - Filters

How filter and search is being worked with.

  

User research - Future backlog

The issue might be inspiring for future design work.

  

User research - Git workflow

AGit, fork-based and new Git workflow, PR creation etc

  

User research - Labels

Active research about Labels

  

User research - Moderation

Moderation Featuers for Admins are undergoing active User Research

  

User research - Needs input

Use this label to let the User Research team know their input is requested.

  

User research - Notifications/Dashboard

Research on how users should know what to do next.

  

User research - Rendering

Text rendering, markup languages etc

  

User research - Repo creation

Active research about the New Repo dialog.

  

User research - Repo units

The repo sections, disabling them and the "Add more" button.

  

User research - Security

  

User research - Settings (in-app)

How to structure in-app settings in the future?

Etiket Yok

arch

riscv64

backport/v1.19

backport/v1.20

backport/v1.21/forgejo

backport/v10.0/forgejo

backport/v11.0/forgejo

backport/v12.0/forgejo

backport/v13.0/forgejo

backport/v14.0/forgejo

backport/v15.0/forgejo

backport/v7.0/forgejo

backport/v8.0/forgejo

backport/v9.0/forgejo

breaking

bug

bug

confirmed

bug

duplicate

bug

needs-more-info

bug

new-report

bug

reported-upstream

code/actions

code/api

code/auth

code/auth/faidp

code/auth/farp

code/email

code/federation

code/git

code/migrations

code/packages

code/wiki

database

MySQL

database

PostgreSQL

database

SQLite

dependency-upgrade

dependency

Chi

dependency

Chroma

dependency

F3

dependency

ForgeFed

dependency

garage

dependency

Gitea

dependency

Golang

Discussion

duplicate

enhancement/feature

forgejo/accessibility

forgejo/branding

forgejo/ci

forgejo/commit-graph

forgejo/documentation

forgejo/furnace cleanup

forgejo/i18n

forgejo/interop

forgejo/moderation

forgejo/privacy

forgejo/release

forgejo/scaling

forgejo/security

forgejo/ui

Gain

High

Gain

Nice to have

Gain

Undefined

Gain

Very High

good first issue

i18n/backport-stable

impact

large

impact

medium

impact

small

impact

unknown

Incompatible license

issue

closed

issue

do-not-exist-yet

issue

open

manual test

Manually tested during feature freeze

OS

FreeBSD

OS

Linux

OS

macOS

OS

Windows

problem

QA

regression

release blocker

Release Cycle

Feature Freeze

release-blocker

v7.0

release-blocker

v7.0.1

release-blocker

v7.0.2

release-blocker

v7.0.3

release-blocker

v7.0.4

release-blocker

v8.0.0

release-blocker/v9.0.0

run-all-playwright-tests

run-end-to-end-tests

stage

2-research

stage

3-design

stage

4-implementation

test

manual

test

needed

test

needs-help

test

not-needed

test

present

untested

User research - time-tracker

valuable code

worth a release-note

User research - Accessibility

User research - Blocked

User research - Community

User research - Config (instance)

User research - Errors

User research - Filters

User research - Future backlog

User research - Git workflow

User research - Labels

User research - Moderation

User research - Needs input

User research - Notifications/Dashboard

User research - Rendering

User research - Repo creation

User research - Repo units

User research - Security

User research - Settings (in-app)

Kilometre Taşı

Kilometre Taşlarını Temizle

Öge yok

Kilometre Taşı Yok

Forgejo v15.0.3

Projeler

Projeleri temizle

Öge yok

Proje yok

Atananlar

Atamaları Temizle

Atanan Kişi Yok

4 katılımcı

Bildirimler

Abone Ol

Bitiş Tarihi

Bitiş tarihi geçersiz veya aralık dışında. Lütfen 'yyyy-aa-gg' biçimini kullanın.

Bitiş tarihi atanmadı.

Bağımlılıklar

Bağımlılık yok.

Referans

forgejo/forgejo!13002

Herhangi bir açıklama sağlanmadı.