github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-11-22 01:36:29 -05:00
Code Issues Projects Releases Packages Wiki Activity

Update release notes for 1.9.0

Browse source 
Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren 2021-09-13 20:27:17 +02:00
parent c3deb715dd
commit 07d447757a
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3
1 changed files with 7 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
public/docs/release-notes.md
View file

@ -1,21 +1,19 @@
# Release Notes
## <i class="fa fa-tag"></i> 1.9.0-rc1 <i class="fa fa-calendar-o"></i> 2021-08-29
## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> 2021-09-13
### Security Fixes
- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because
they were repeatedly used to exploit security vulnerabilities.
- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because they were repeatedly used to exploit security vulnerabilities.
If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details
### Features
- HedgeDoc now automatically retries connecting to the database up to 30 times on startup
- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance
in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks
- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc
notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of
XSS attacks
- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance in other webpages is allowed.
We **strongly recommend disabling** this option to reduce the risk of XSS attacks
- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc notes is allowed.
We recommend disabling this option if you don't use the feature, to reduce the attack surface of XSS attacks
- Add additional environment variables to configure the database.
This allows easier configuration in containerised environments, such as Kubernetes
This allows easier configuration in containerized environments, such as Kubernetes
### Enhancements
- Further improvements to the frontend build process, reducing the initial bundle size by 60%