diaspora* 0.7.18.2

This release addresses possible security issues when processing images uploaded by users that is affecting some system configurations.

This fix was heavily inspired by Mastodon's fix for GHSA-9928-3cp5-93fm, and while diaspora*s attack surface is significantly smaller and some operating systems do ship a restrictive ImageMagick policy, this release makes sure that everyone is safe.

Thank you Cure53 for finding this issue, thank you Mozilla for paying Cure53 to look into it, and thanks for Mastodon for fixing it.

diaspora* 0.7.18.1

Bug fixes

• Update binstubs to fix diaspora* being unable to start when multiple bundler versions were available #8392

diaspora* 0.7.18.0

Refactor

• Fix order-dependent jasmine test failures and switch to random order #8333
• Get rid of some uses of "execute_script" in feature specs #8331
• Fix deprecation warnings for sidekiq 7.0 #8359
• Remove entypo-rails dependency to prepare for rails 6 #8361
• Remove compass-rails dependency which is not supported anymore #8362
• Switch to sassc-rails which speeds up assets:precompile a lot #8362
• Remove markerb dependency which doesn't exist anymore #8365
• Upgrade to rails 6.1 #8366
• Update the suggested Ruby version to 2.7. If you run into trouble during the update and you followed our installation guides, run rvm install 2.7. #8366
• Upgrade to bundler 2 #8366
• Stop checking /.well-known/host-meta, check for /.well-known/nodeinfo instead #8377
• Handle NodeInfo timeouts gracefully #8380

Bug fixes

• Fix that no mails were sent after photo export #8365
• Fix people with quotes in the name causing issues with mail sender #8365

Features

• Render posts and comments as HTML in HTML mails #8365
• Add NodeInfo 2.1 support and also read newer versions of NodeInfo #8379

diaspora* 0.7.17.0

Security

• Bump Rails to 5.2.7 to address CVE-2022-22577 and CVE-2022-27777 #8350
• Do not allow the user to mass assign their own password and 2fa settings alongside other parameters. Reported by Breno Vitório (@brenu) - thank you! #8351

Bug fixes

• Don't suggest to retry exports on failure #8343

diaspora* 0.7.16.0

Security

• Update rails to fix CVE-2022-23633 #8336

Refactor

• Cache local posts/comments count for statistics #8241
• Fix html-syntax in some handlebars templates #8251
• Remove chat_enabled flag from archive export #8265
• Change thumbnails in image slideshow to squares #8275
• Replace uglifier with terser for JS compression #8268

Bug fixes

• Ensure the log folder exists #8287
• Limit name length in header #8313
• Fix fallback avatar in hovercards #8316
• Use old person private key for export if relayable author migrated away #8310

Features

• Add tags to tumblr posts #8244
• Add blocks to the archive export #8263
• Allow points and dashes in the username #8266
• Add support for footnotes in markdown #8277
• Send AccountMigration if receiving message to a migrated account #8288
• Add podmin mail address to the footer #8242
• Add username to password-reset mail #8037
• Resend account migration and deletion for closed recipients #8309
• Add sharing status to hovercards #8317
• Migrate photo URLs and cleanup old uploaded photos #8314

diaspora* 0.7.15.0

Refactor

• Replaced some http:// links in the UI with their https:// counterparts #8207
• Testing: Replaced phantomjs with headless Chrome/Chromium #8234

Bug fixes

• Update comment counter when deleting a comment in the Single Post View #7938
• Link diaspora only poduptime list #8174
• Delete a user's invitation code during account deletion #8202
• Bump mimemagic #8231
• Removed support for defunct Uni Heidelberg OSM tile server, Mapbox is now required if you want to show maps #8215
• Render only two fractional digits in the posts per user/day admin statistics #8227
• Make aspect dropdowns scrollable #8213
• Fix Photo#ownserhip_of_status_message validation #8214

Features

• Support and recommend TOML as configuration format #8132

diaspora* 0.7.14.0

Refactor

• Update the suggested Ruby version to 2.6. If you run into trouble during the update and you followed our installation guides, run rvm install 2.6. #7929

Bug fixes

• Don't link to deleted users in admin user stats #8063
• Properly validate a profile's gender field length instead of failing with a database error. #8127

diaspora* 0.7.13.0

Security

• Fixes USN-4274-1, a potential Denial-of-Service vulnerability in Nokogiri. #8108

Refactor

• Set better example values for unicorn stdout/stderr log settings #8058
• Replace dependency on rails-assets.org with custom gems cache at gems.diasporafoundation.org #8087

Bug fixes

• Fix error while trying to fetch some sites with invalid OpenGraph data #8049
• Don't show sign up link on mobile when registrations are disabled #8060

Features

• Add cronjob to cleanup pending photos which were never posted #8041

diaspora* 0.7.12.0

Refactor

• Harmonize markdown titles sizes #8029

Bug fixes

• Improve handling of mixed case hostnames while fetching OpenGraph data #8021
• Fix "remember me" with two factor authentication enabled #8031

Features

• Add line mentioning diaspora* on the splash page #7966
• Improve communication about signing up on closed pods #7896

diaspora* 0.7.11.0

Refactor

• Enable paranoid mode for devise #8003
• Refactor likes cucumber test #8002

Bug fixes

• Fix old photos without remote url for export #8012

Features

• Add a manifest.json file as a first step to make diaspora* a Progressive Web App #7998
• Allow web+diaspora:// links to link to a profile with only the diaspora ID #8000
• Support TOTP two factor authentication #7751