From 337847c51423a61ac4a9d30b1fe97f7afe431ac6 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jul 19 2018 08:56:11 +0000
Subject: Release 4.0.4

Signed-off-by: Pierre-Yves Chibon
---

diff --git a/doc/changelog.rst b/doc/changelog.rst
index a7338a8..8410427 100644
--- a/doc/changelog.rst
+++ b/doc/changelog.rst
@@ -3,6 +3,41 @@ Changelog
 
 This document records all notable changes to `Pagure `_.
 
+4.0.4 (2018-07-19)
+------------------
+
+.. note:: This release fixes CVE-2018-1002155, CVE-2018-1002156,
+ CVE-2018-1002157, CVE-2018-1002153
+
+- Ensure the project's description does not contain any javascript (Michael
+ Scherer)
+- Prevent the project's URL to be anything other than an URL
+- Escape any html people may have injected in their author name in commits
+ (Michael Scherer)
+- Do not serve SVG inline (Michael Scherer)
+
+ - The four items above constitute CVE-2018-1002155
+
+- Catch exception raised by pagure-ci when it fails to find a build on jenkins
+- Fix RELATES and FIXES regex to cover projects with a dash in their name
+- Support calls from jenkins indicating the build is started
+- Ensure we check the required group membership when giving a project away
+- Add missing titles to the milestones table in the settings
+- Properly inform the user if they are introducing a duplicated tag
+- Only select the default template when creating a new ticket
+- Fix the subscribe button on the PR page
+- Fix updating a remote PR
+- Fix showing the 'more' button on the overview page
+- Multiple fixes to the pagure-milter
+- Fix triggering CI checks on new comments added to a PR
+- Fix logging and the SMTPHandler
+- Do not notify everyone about private tickets (CVE-2018-1002157)
+- Make the settings of a project private (CVE-2018-1002156)
+- Ensure the git repo of private projects aren't exposed via https
+ (CVE-2018-1002153)
+- Do not log activity on private projects
+- Drop trollius-redis requirement (Neal Gompa)
+
 4.0.3 (2018-05-14)
 ------------------
 
diff --git a/doc/contributors.rst b/doc/contributors.rst
index 5759cc4..e7de52f 100644
--- a/doc/contributors.rst
+++ b/doc/contributors.rst
@@ -3,12 +3,12 @@ Contributors to pagure
 
 Pagure would be nothing without its contributors.
 
-On May 14, 2018 (release 4.0.3) the list looks as follow:
+On July 19, 2018 (release 4.0.4) the list looks as follow:
 
 ================= ===========
 Number of commits Contributor
 ================= ===========
- 5841 Pierre-Yves Chibon
+ 5867 Pierre-Yves Chibon
 193 Ryan Lerch
 172 Vivek Anand
 139 farhaanbukhsh
@@ -74,6 +74,7 @@ Number of commits Contributor
 2 Carlos Mogas da Silva
 2 Daniel Mach
 2 Kamil Páral
+ 2 Michael Scherer
 2 Nuno Maltez
 2 Ompragash
 2 Peter Oliver
@@ -105,6 +106,7 @@ Number of commits Contributor
 1 Kunaal Jain
 1 Mathew Robinson
 1 Mohan Boddu
+ 1 Neal Gompa
 1 Neha Kandpal
 1 Peter Kolínek
 1 Robert Bost
diff --git a/files/pagure.spec b/files/pagure.spec
index 6832bf0..e063d1b 100644
--- a/files/pagure.spec
+++ b/files/pagure.spec
@@ -1,5 +1,5 @@
 Name: pagure
-Version: 4.0.3
+Version: 4.0.4
 Release: 1%{?dist}
 Summary: A git-centered forge
 
@@ -443,6 +443,9 @@ install -p -m 644 pagure-ev/pagure_ev.service \
 
 %changelog
+* Thu Jul 19 2018 Pierre-Yves Chibon - 4.0.4-1
+- Update to 4.0.4
+
 * Mon May 14 2018 Pierre-Yves Chibon - 4.0.3-1
 - Update to 4.0.3
 
diff --git a/pagure/__init__.py b/pagure/__init__.py
index 1382b64..902fdc3 100644
--- a/pagure/__init__.py
+++ b/pagure/__init__.py
@@ -9,5 +9,5 @@
 """
 
-__version__ = '4.0.3'
+__version__ = '4.0.4'
 __api_version__ = '0.23'