mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-25 03:06:31 -05:00
Update release notes for 1.9.0-rc1
Signed-off-by: David Mehren <git@herrmehren.de>
parent
d62b3badad
commit
30722503c5
1 changed files with 18 additions and 5 deletions
|
@ -1,24 +1,37 @@
|
|||
# Release Notes
|
||||
## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> UNRELEASED
|
||||
## <i class="fa fa-tag"></i> 1.9.0-rc1 <i class="fa fa-calendar-o"></i> 2021-08-29
|
||||
### Security Fixes
|
||||
- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
|
||||
- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because
|
||||
they were repeatedly used to exploit security vulnerabilities.
|
||||
If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
|
||||
See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details.
|
||||
See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details
|
||||
|
||||
### Features
|
||||
- HedgeDoc now automatically retries connecting to the database up to 30 times on startup.
|
||||
- HedgeDoc now automatically retries connecting to the database up to 30 times on startup
|
||||
- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance
|
||||
in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks.
|
||||
in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks
|
||||
- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc
|
||||
notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of
|
||||
XSS attacks.
|
||||
XSS attacks
|
||||
- Add additional environment variables to configure the database.
|
||||
This allows easier configuration in containerised environments, such as Kubernetes
|
||||
|
||||
### Enhancements
|
||||
- Further improvements to the frontend build process, reducing the initial bundle size by 60%
|
||||
- Improve the error handling of the `filesystem` upload method
|
||||
- Improve the error message of failing migrations
|
||||
|
||||
### Bugfixes
|
||||
- Fix crash when trying to read the current Git commit on startup
|
||||
- Fix endless loop on shutdown when HedgeDoc can't connect to the database
|
||||
- Ensure that all cookies are set with the `secure` flag, if HedgeDoc is loaded via HTTPS
|
||||
- Fix session cookies being created on calls to `/metrics` and `/status`
|
||||
- Fix incorrect creation of S3 endpoint domain (thanks to [@matejc](https://github.com/matejc))
|
||||
- Remove CDN support, fixing inconsistencies in library versions delivered to the client
|
||||
- Fix font display issues when having some variants of fonts used by HedgeDoc installed locally
|
||||
- Fix links between slides not working
|
||||
- Fix Vimeo integration using a deprecated API
|
||||
|
||||
### Miscellaneous
|
||||
- Removed MSSQL support, as migrations from 2018 are broken with SQL Server and nobody seems to use it
|
||||
|
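Review bot: the two new options announced under Features, `csp.allowFraming` and `csp.allowPDFEmbed`, are each followed by a recommendation to disable them but the notes never say what the 1.9.0-rc1 default is; an operator reading this needs to know whether the safer setting applies out of the box or whether they must edit their config, so state the default next to each option (the Google Analytics and Disqus bullet under Security Fixes already does this implicitly with "you can re-enable them in the config"). Two smaller points: "reduce the attack surface of XSS attacks" reads awkwardly and could be "reduce the XSS attack surface"; and this hunk adds a terminal period to four lines (for example `See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details.`) while `This allows easier configuration in containerised environments, such as Kubernetes` and every entry under Enhancements, Bugfixes and Miscellaneous still has none, so settle on one convention for the whole file.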