Bump version to 2.6.0

CHANGELOG.md

@@ -4,19 +4,49 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## Unreleased
-
-### Changed
+## 2.6.0
+### Security
+- Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
+- CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
+- Disable XML entity resolution completely to fix a dos vulnerability
 
 ### Added
 - Support for Image activities, namely from Hubzilla
+- Add OAuth scope descriptions
+- Allow lang attribute in status text
+- OnlyMedia Upload Filter
+- Implement MRF policy to reject or delist according to emojis
+- (hardening) Add no_new_privs=yes to OpenRC service files
+- Implement quotes
+- Add unified streaming endpoint
 
 ### Fixed
-
 - rel="me" was missing its cache
+- MediaProxy responses now return a sandbox CSP header
+- Filter context activities using Visibility.visible_for_user?
+- UploadedMedia: Add missing disposition_type to Content-Disposition
+- fix not being able to fetch flash file from remote instance
+- Fix abnormal behaviour when refetching a poll
+- Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects"
+- Fix opengraph and twitter card meta tags
+- ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts
+- OEmbed HTML tags are now filtered
+- Restrict attachments to only uploaded files only
+- Fix error 404 when deleting status of a banned user
+- Fix config ownership in dockerfile to pass restriction test
+- Fix user fetch completely broken if featured collection is not in a supported form
+- Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty
+- Fix handling report from a deactivated user
+- Prevent using the .json format to bypass authorized fetch mode
+- Fix mentioning punycode domains when using Markdown
+- Show more informative errors when profile exceeds char limits
 
 ### Removed
 - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)
+- remove BBS/SSH feature, replaced by an external bridge.
+- Remove a few unused indexes.
+- Cleanup OStatus-era user upgrades and ap_enabled indicator
+- Deprecate Pleroma's audio scrobbling
 
 ## 2.5.4
 

changelog.d/3126.fix

@@ -1 +0,0 @@
-MediaProxy responses now return a sandbox CSP header

changelog.d/3801.fix

@@ -1 +0,0 @@
-Filter context activities using Visibility.visible_for_user?

changelog.d/3848.add

@@ -1 +0,0 @@
-Add OAuth scope descriptions

changelog.d/3872.remove

@@ -1 +0,0 @@
-remove BBS/SSH feature, replaced by an external bridge.

changelog.d/3873.fix

@@ -1 +0,0 @@
-UploadedMedia: Add missing disposition_type to Content-Disposition

changelog.d/3874.remove

@@ -1 +0,0 @@
-Remove a few unused indexes.

changelog.d/3879.fix

@@ -1 +0,0 @@
-fix not being able to fetch flash file from remote instance

changelog.d/3880.remove

@@ -1 +0,0 @@
-Cleanup OStatus-era user upgrades and ap_enabled indicator

changelog.d/3882.add

@@ -1 +0,0 @@
-Allow lang attribute in status text

changelog.d/3883.fix

@@ -1 +0,0 @@
-Fix abnormal behaviour when refetching a poll

changelog.d/3884.fix

@@ -1 +0,0 @@
-Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects"

changelog.d/3885.fix

@@ -1 +0,0 @@
-Fix opengraph and twitter card meta tags

changelog.d/3888.fix

@@ -1 +0,0 @@
-ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts

changelog.d/3891.fix

@@ -1 +0,0 @@
-OEmbed HTML tags are now filtered

changelog.d/3897.add

@@ -1 +0,0 @@
-OnlyMedia Upload Filter

changelog.d/3901.security

@@ -1 +0,0 @@
-Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.

changelog.d/akkoma-xml-remote-entities.security

@@ -1 +0,0 @@
-Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem

changelog.d/attachment-type-check.fix

@@ -1 +0,0 @@
-Restrict attachments to only uploaded files only

changelog.d/check-attachment-attribution.security

@@ -1 +0,0 @@
-CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID

changelog.d/delete-status-of-banned-user.fix

@@ -1 +0,0 @@
-Fix error 404 when deleting status of a banned user

changelog.d/deprecate-scrobbles.remove

@@ -1 +0,0 @@
-Deprecate Pleroma's audio scrobbling

changelog.d/disable-xml-entity-resolution.security

@@ -1 +0,0 @@
-Disable XML entity resolution completely to fix a dos vulnerability

changelog.d/dockerfile-config-perms.fix

@@ -1 +0,0 @@
-- Fix config ownership in dockerfile to pass restriction test

changelog.d/emoji-pack-sanitization.security

@@ -1 +0,0 @@
-Emoji pack loader sanitizes pack names

changelog.d/emoji-policy.add

@@ -1 +0,0 @@
-Implement MRF policy to reject or delist according to emojis

changelog.d/featured-collection-shouldnt-break-user-fetch.fix

@@ -1 +0,0 @@
-Fix user fetch completely broken if featured collection is not in a supported form

changelog.d/fix-object-test.fix

@@ -1 +0,0 @@
-Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty

changelog.d/handle-report-from-deactivated-user.fix

@@ -1 +0,0 @@
-Fix handling report from a deactivated user

changelog.d/no_new_privs.add

@@ -1 +0,0 @@
-(hardening) Add no_new_privs=yes to OpenRC service files

changelog.d/otp_perms.security

@@ -1 +0,0 @@
-- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories

changelog.d/prevent-bypassing-authorized-fetch-mode.fix

@@ -1 +0,0 @@
-Prevent using the .json format to bypass authorized fetch mode

changelog.d/punycode-mention.fix

@@ -1 +0,0 @@
-Fix mentioning punycode domains when using Markdown

changelog.d/quote.add

@@ -1 +0,0 @@
-Implement quotes

changelog.d/unified-streaming.add

@@ -1 +0,0 @@
-Add unified streaming endpoint

changelog.d/update-credentials-limit-error.fix

@@ -1 +0,0 @@
-Show more informative errors when profile exceeds char limits

mix.exs

@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
   def project do
     [
       app: :pleroma,
-      version: version("2.5.54"),
+      version: version("2.6.0"),
       elixir: "~> 1.11",
       elixirc_paths: elixirc_paths(Mix.env()),
       compilers: [:phoenix] ++ Mix.compilers(),