forgejo/RELEASE-NOTES.md

157 KiB

Release Notes

A Forgejo release is published shortly after a Gitea release is published and they have matching release numbers. Additional Forgejo releases may be published to address urgent security issues or bug fixes.

The Forgejo admin should carefully read the required manual actions before upgrading. A point release (e.g. v1.21.1-0 or v1.21.2-0) does not require manual actions but others might (e.g. v1.20, v1.21).

1.21.7-0

The complete list of commits included in the Forgejo v1.21.7-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.6-0..v1.21.7-0

This stable release contains bug fixes and a security fix. It was built with Go v1.21.8 which includes vulnerability fixes.

  • CVE-2023-45290 which could lead to memory exhaustion when parsing a multipart form.

  • CVE-2023-45289 which could allow incorrect forwarding of sensitive headers and cookies on HTTP redirect.

  • Recommended Action

    We recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

  • Forgejo Semantic Version

    The semantic version was updated to 6.0.7+0-gitea-1.21.7

  • Security fix

    • The google.golang.org/protobuf module was bumped to version v1.33.0 to fix a bug in the google.golang.org/protobuf/encoding/protojson package which could cause the Unmarshal function to enter an infinite loop when handling some invalid inputs. Read more in the announcement.
  • Bug fixes

    The most prominent ones are described here, others can be found in the list of commits included in the release as described above.

1.21.6-0

The complete list of commits included in the Forgejo v1.21.6-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.5-0..v1.21.6-0

This stable release contains bug fixes and a security fix, as explained in the v1.21.6-0 companion blog post.

1.21.5-0

The complete list of commits included in the Forgejo v1.21.5-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.4-0..v1.21.5-0

This stable release includes bug fixes as well as documentation improvements.

1.21.4-0

The complete list of commits included in the Forgejo v1.21.4-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.3-0..v1.21.4-0

This stable release includes security and bug fixes as well as documentation improvements.

1.21.3-0

The complete list of commits included in the Forgejo v1.21.3-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.2-1..v1.21.3-0

This stable release includes bug fixes. It was built with an updated version of the Go Cryptography package that fixes CVE-2023-48795. As explained in the corresponding Go issue: "The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel."

1.21.2-1

The complete list of commits included in the Forgejo v1.21.2-1 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.2-0..v1.21.2-1

This stable release contains a security fix, as explained in the v1.21.2-1 companion blog post.

1.21.2-0

The complete list of commits included in the Forgejo v1.21.2-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.1-0..v1.21.2-0

This stable release includes bug fixes. It was built with Go v1.21.5 that fixes CVE-2023-39326 which a malicious HTTP client can exploit to cause a server to automatically read a large amount of data. It allows for memory exhaustion in the situation that HTTP chuncked encoding requests can reach Forgejo.

1.21.1-0

The complete list of commits included in the Forgejo v1.21.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.20/forgejo..origin/v1.21/forgejo

1.20.6-1

The complete list of commits included in the Forgejo v1.20.6-1 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.6-0..v1.20.6-1

This stable release contains a security fix.

1.20.6-0

The complete list of commits included in the Forgejo v1.20.6-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.5-1..v1.20.6-0

This stable release contains a security fix, as explained in the v1.20.6-0 companion blog post.

  • Recommended Action

    We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

  • Forgejo Semantic Version

    The semantic version was updated to 5.0.7+0-gitea-1.20.6

  • Breaking change

    Prior to this release, a token scoped to read or write permissions on issues was allowed to access both issues and pull requests, regardless of the restrictions imposed to the team in which they belong. In a team it is possible to grant finer grained permissions, for instance to allow a user to access issues but not pull requests. These restrictions are now enforced and API calls that previously succeeded on /api/v1/repos/{org}/{repo}/issues or other endpoints common to both issues and pull requests could return 404. Granting the user the necessary permissions in the team in which they belong will allow them to use that endpoint again.

  • Security fix

    Additional API and web endpoints now fail when given manually crafted identifiers.

1.20.5-1

The complete list of commits included in the Forgejo v1.20.5-1 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.5-0..v1.20.5-1

This stable release contains critical security fixes, as explained in the v1.20.5-1 companion blog post.

1.20.5-0

The complete list of commits included in the Forgejo v1.20.5-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.4-1..v1.20.5-0

This stable release contains an important security fix, as explained in the v1.20.5-0 companion blog post.

1.20.4-1

The complete list of commits included in the Forgejo v1.20.4-1 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.4-0..v1.20.4-1

This stable release includes bug fixes.

1.20.4-0

The complete list of commits included in the Forgejo v1.20.4-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.3-0..v1.20.4-0

This stable release includes bug fixes and two features.

1.20.3-0

The complete list of commits included in the Forgejo v1.20.3-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.2-0..v1.20.3-0

This stable release includes bug fixes and a safeguard against a regression that may lead to data loss. The [storage*] sections in the app.ini file may cause the files for some subsystems - Attachments, LFS, Avatars, Repository avatars, Repository archives, Packages - to be merged together or misplaced. The safeguard detects this situation and Forgejo will not start to prevent data loss. If your instance is in this situation, follow the instructions in the companion blog post.

1.20.2-0

The complete list of commits included in the Forgejo v1.20.2-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.1-0..v1.20.2-0

This stable release includes bug fixes and displays warnings in the administration panel when deprecated entries are found in app.ini.

1.20.1-0

The complete list of commits included in the Forgejo v1.20.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/forgejo
  • Container images upgraded to Alpine 3.18

    The Forgejo container images are now based on Alpine 3.18 instead of Alpine 3.17.

1.19.4-0

The complete list of commits included in the Forgejo v1.19.4-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.3-0..v1.19.4-0

This stable release contains security fixes.

1.19.3-0

The complete list of commits included in the Forgejo v1.19.3-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.2-0..v1.19.3-0

This stable release contains security fixes.

1.19.2-0

The complete list of commits included in the Forgejo v1.19.2-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.1-0..v1.19.2-0

This stable release contains important security fixes.

  • Recommended Action

    We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

  • Forgejo Semantic Version

    The semantic version was updated from 4.1.0+0-gitea-1.19.1 to 4.2.0+0-gitea-1.19.2 because of the changes introduced in the internal CI.

  • Security fixes

    • Token scopes were not enforced in some cases (patch 1 and patch 2). The scoped token were introduced in Forgejo v1.19 allow for the creation of application tokens that only have limited permissions, such as creating packages or accessing repositories. Prior to Forgejo v1.19 tokens could be used to perform any operation the user issuing the token could.
    • Permissions to delete secrets was not enforced. The experimental internal CI relies on secrets managed via the web interface, for instance to communicate credentials to a job. Secrets are only used in the context of the experimental internal CI.
  • Bug fixes

    The most prominent ones are described here, others can be found in the list of commits included in the release as described above.

  • Container image upgrades

    In the Forgejo container images the Git version was upgraded to 2.38.5 as a precaution. The Forgejo security team analyzed the security fixes it contains and concluded that Forgejo is not affected.

1.19.1-0

The complete list of commits included in the Forgejo v1.19.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.0-3..v1.19.1-0

This stable release includes bug fixes. Functional changes related to the experimental CI have also been backported.

1.19.0-3

The complete list of commits included in the Forgejo v1.19.0-3 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.0-2..v1.19.0-3

This stable release includes security updates and bug fixes.

1.19.0-2

The complete list of commits included in the Forgejo v1.19.0-2 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.18/forgejo..origin/v1.19/forgejo
  • Breaking changes

    • Scoped access tokens

      Forgejo access token, used with the API can now have a "scope" that limits what it can access. Existing tokens stored in the database and created before Forgejo v1.19 had unlimited access. For backward compatibility, their access will remain the same and they will continue to work as before. However, newly created token that do not specify a scope will now only have read-only access to public user profile and public repositories.

      For instance, the /users/{username}/tokens API endpoint will require the scopes: ['all', 'sudo'] parameter and the forgejo admin user generate-access-token will require the --scopes all,sudo argument obtain tokens with ulimited access as before for admin users.

      Read more about the scoped tokens.

    • Disable all units except code and pulls on forks

      When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure DEFAULT_FORK_REPO_UNITS to be the same value as DEFAULT_REPO_UNITS.

    • Filter repositories by default on the explore page

      The explore page now always filters out repositories that are considered not relevant because they are either forks or have no topic and not description and no icon. A link is shown to display all repositories, unfiltered.

      Explore repositories
    • Remove deprecated DSA host key from Docker Container Since OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm, and recommend against its use. http://www.openssh.com/legacy.html

    • Additional restrictions on valid user names

      The algorithm for validating user names was modified and some users may have invalid names. The command forgejo doctor --run check-user-names will list all of them so they can be renamed.

      If a Forgejo instance has users or organizations named forgejo-actions and gitea-actions, they will also need to be renamed before the upgrade. They are now reserved names for the experimental internal CI/CD named Actions.

    • Semantic version

      Since v1.18.5, in addition to the Forgejo release number, a semantic version number (e.g. v3.0.0) can be obtained from the number key of a new /api/forgejo/v1/version endpoint.

      Now, it reflects the Gitea version that Forgejo depends on, is no longer prefixed with v (e.g. 3.0.0+0-gitea-1.19.0), and can be obtained from the version key of the same endpoint.

  • Features

  • User Interface improvements

  • Container images upgraded to Alpine 3.17

    The Forgejo container images are now based on Alpine 3.17 instead of Alpine 3.16. It includes an upgrade from git 2.36.5 to git 2.38.4 and from openssh 9.0p1 to openssh 9.1p1.

1.18.5-0

This stable release contains an important security fix for Forgejo to raise the protection against brute force attack on hashed passwords stored in the database to match industry standards, as described in detail in a companion blog post.

We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

If PASSWORD_HASH_ALGO is explicitly set in app.ini, comment it out so that the stronger algorithm is used instead.

All password hashes stored with another algorithm will be updated to the new algorithm on the next usage of this password (e.g. a user provides the password to the Forgejo server when they login). It does not require manual intervention.

Forgejo

Gitea

Note that there is no Forgejo v1.18.4-N because Gitea v1.18.4 was replaced by Gitea v1.18.5 a few days after its release because of a regression. Forgejo was not affected.

1.18.3-2

This stable release includes a security fix for git and bug fixes.

Git

Git recently announced new versions to address two CVEs (CVE-2023-22490, CVE-2023-23946). On 14 Februrary 2023, Git published the maintenance release v2.39.2, together with releases for older maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. All major GNU/Linux distributions also provide updated packages via their security update channels.

We recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.3-2

Forgejo

Gitea

1.18.3-1

This stable release includes bug fixes.

Forgejo

Gitea

1.18.3-0

This stable release includes bug fixes.

Forgejo

Gitea

1.18.2-1

This stable release includes a security fix. It was possible to reveal a user's email address, which is problematic because users can choose to hide their email address from everyone. This was possible because the notification email for a repository transfer request to an organization included every user's email address in the owner team. This has been fixed by sending individual emails instead and the code was refactored to prevent it from happening again.

We strongly recommend that all installations are upgraded to the latest version as soon as possible.

Gitea

1.18.2-0

This stable release includes bug fixes.

Gitea

1.18.1-0

This is the first Forgejo stable point release.

Forgejo

Critical security update for Git

Git recently announced new versions to address two CVEs (CVE-2022-23521, CVE-2022-41903). On 17 January 2023, Git published the maintenance release v2.39.1, together with releases for older maintenance tracks v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7. All major GNU/Linux distributions also provide updated packages via their security update channels.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.1-0

Read more in the Forgejo blog.

Release process stability

The release process based on Woodpecker CI was entirely reworked to be more resilient to transient errors. A new release is first uploaded into the new Forgejo experimental organization for testing purposes.

Automated end to end testing of releases was implemented with a full development cycle including the creation of a new repository and a run of CI. It relieves the user and developer from the burden of tedious manual testing.

Container environment variables

When running a container, all environment variables starting with FORGEJO__ can be used instead of GITEA__. For backward compatibility with existing scripts, it is still possible to use GITEA__ instead of FORGEJO__. For instance:

docker run --name forgejo -e FORGEJO__security__INSTALL_LOCK=true codeberg.org/forgejo/forgejo:1.18.1-0

Forgejo hook types

A new forgejo hook type is available and behaves exactly the same as the existing gitea hook type. It will be used to implement additional features specific to Forgejo in a way that will be backward compatible with Gitea.

X-Forgejo headers

Wherever a X-Gitea header is received or sent, an identical X-Forgejo is added. For instance when a notification mail is sent, the X-Forgejo-Reason header is set to explain why. Or when a webhook is sent, the X-Forgejo-Event header is set with push, tag, etc. for Woodpecker CI to decide on an action.

Look and feel fixes

The Forgejo theme was modified to take into account user feedback.

Gitea

1.18.0-1

This is the first Forgejo release.

Forgejo improvements

Woodpecker CI

A new CI configuration based on Woodpecker CI was created. It is used to:

Look and feel

The default themes were replaced by Forgejo themes and the landing page was modified to display the Forgejo logo and names but the look and feel remains otherwise identical to Gitea.

Landing page

Privacy

Gitea instances fetch https://dl.gitea.io/gitea/version.json weekly by default, which raises privacy concerns. In Forgejo this feature needs to be explicitly activated at installation time or by modifying the configuration file. Forgejo also provides an alternative RSS feed to be informed when a new release is published.

Gitea

1.18.0-0

This release was replaced by 1.18.0-1 a few hours after being published because the release process was interrupted.

1.18.0-rc1-2

This is the first Forgejo release candidate.