From 30a91b6fd742b1bcb6f143523ab3fcdefbdf094a Mon Sep 17 00:00:00 2001 From: David Mehren Date: Mon, 3 May 2021 21:54:25 +0200 Subject: [PATCH 1/3] Add release notes for 1.8.0 Signed-off-by: David Mehren --- public/docs/release-notes.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md index 4849a0294..d3173450d 100644 --- a/public/docs/release-notes.md +++ b/public/docs/release-notes.md @@ -1,12 +1,14 @@ # Release Notes -## 1.8.0-rc1 2021-04-26 +## 1.8.0 2021-05-03 -This release fixes a security issue. We recommend upgrading as soon as possible. +This release fixes multiple security issues. We recommend upgrading as soon as possible. **Please note:** This release dropped support for Node 10, which is end-of-life since April 2021. You now need at least Node 12 to run HedgeDoc, but we recommend running [the latest LTS release](https://nodejs.org/en/about/releases/). ### Security Fixes - [CVE-2021-29474: Relative path traversal Attack on note creation](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87) +- [CVE-2021-21306: Underscore ReDoS](https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96) in the `marked` library + This issue allowed an attacker to hang HedgeDoc by inserting a malicious string into a note. Thanks to Ralph Krimmel for reporting! We also published an advisory for [CVE-2021-29475: PDF export allows arbitrary file reads](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pxxg-px9v-6qf3), which has already been fixed since HedgeDoc 1.6.0. From 73e26e1d2d2a331cec68ff9c02b315fe41f45859 Mon Sep 17 00:00:00 2001 From: David Mehren Date: Mon, 3 May 2021 21:57:01 +0200 Subject: [PATCH 2/3] Bump version to 1.8.0 
Signed-off-by: David Mehren --- docs/content/dev/openapi.yml | 2 +- docs/content/setup/docker.md | 2 +- docs/content/setup/manual-setup.md | 4 ++-- package.json | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/content/dev/openapi.yml b/docs/content/dev/openapi.yml index cd62b48a7..1a734451e 100644 --- a/docs/content/dev/openapi.yml +++ b/docs/content/dev/openapi.yml @@ -3,7 +3,7 @@ openapi: 3.0.1 info: title: HedgeDoc description: HedgeDoc is an open source collaborative note editor. Several tasks of HedgeDoc can be automated through this API. - version: 1.8.0-rc1 + version: 1.8.0 contact: name: HedgeDoc on GitHub url: https://github.com/hedgedoc/hedgedoc diff --git a/docs/content/setup/docker.md b/docs/content/setup/docker.md index 11ff9b02c..bc8b3ac98 100644 --- a/docs/content/setup/docker.md +++ b/docs/content/setup/docker.md @@ -28,7 +28,7 @@ services: restart: always app: # Make sure to use the latest release from https://hedgedoc.org/latest-release - image: quay.io/hedgedoc/hedgedoc:1.7.2 + image: quay.io/hedgedoc/hedgedoc:1.8.0 environment: - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_DOMAIN=localhost diff --git a/docs/content/setup/manual-setup.md b/docs/content/setup/manual-setup.md index 64ad57c51..d1c3dcad5 100644 --- a/docs/content/setup/manual-setup.md +++ b/docs/content/setup/manual-setup.md 
@@ -16,7 +16,7 @@ 1. Check if you meet the [requirements at the top of this document](#manual-installation). 2. Download the [latest release](https://hedgedoc.org/latest-release/) and extract it. - Alternatively, you can use Git to clone the repository and checkout a release, e.g. with `git clone -b 1.7.2 https://github.com/hedgedoc/hedgedoc.git`. + Alternatively, you can use Git to clone the repository and checkout a release, e.g. with `git clone -b 1.8.0 https://github.com/hedgedoc/hedgedoc.git`. 3. Enter the directory and execute `bin/setup`, which will install the dependencies and create example configs. 4. Configure HedgeDoc: To get started, you can use this minimal `config.json`: ```json @@ -62,7 +62,7 @@ If you want to upgrade HedgeDoc from an older version, follow these steps: and the latest release. 2. Fully stop your old HedgeDoc server. 3. [Download](https://hedgedoc.org/latest-release/) the new release and extract it over the old directory. - If you use Git, you can check out the new tag with e.g. `git fetch origin && git checkout 1.7.2` + If you use Git, you can check out the new tag with e.g. `git fetch origin && git checkout 1.8.0` 5. Run `bin/setup`. This will take care of installing dependencies. It is safe to run on an existing installation. 6. *:octicons-light-bulb-16: If you used the release tarball for 1.7.0 or newer, this step can be skipped.* Build the frontend bundle by running `yarn run build`. diff --git a/package.json b/package.json index 528d45bbd..63dfc6cb5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "HedgeDoc", - "version": "1.8.0-rc1", + "version": "1.8.0", "description": "The best platform to write and share markdown.", "main": "app.js", "license": "AGPL-3.0", From e6d4ac5f9a50b28b9d6e456d7fc343194ab1cbee Mon Sep 17 00:00:00 2001 From: David Mehren Date: Mon, 3 May 2021 22:07:56 +0200 Subject: [PATCH 3/3] Remove mention of .sequelizerc from docs 
Signed-off-by: David Mehren --- docs/content/setup/manual-setup.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/content/setup/manual-setup.md b/docs/content/setup/manual-setup.md index d1c3dcad5..26882ba21 100644 --- a/docs/content/setup/manual-setup.md +++ b/docs/content/setup/manual-setup.md @@ -35,18 +35,14 @@ For details, have a look at [the configuration documentation](../configuration.md). 5. *:octicons-light-bulb-16: If you use the release tarball for 1.7.0 or newer, this step can be skipped.* Build the frontend bundle by running `yarn run build`. -6. Modify the file named `.sequelizerc`, change the value of the variable `url` to your db connection string. For example: - - `postgres://username:password@localhost:5432/hedgedoc` - - `mysql://username:password@localhost:3306/hedgedoc` - - `sqlite:///opt/hedgedoc/hedgedoc.sqlite` (note that you need to use an absolute path to the SQLite file) -7. It is recommended to start your server manually once: +6. It is recommended to start your server manually once: ```shell NODE_ENV=production yarn start ``` This way it's easier to see warnings or errors that might occur. You can leave out `NODE_ENV=production` for development. -8. If you use the example config, HedgeDoc should now be available at [http://127.0.0.1:3000](http://127.0.0.1:3000). -9. Run the server as you like (node, forever, pm2, systemd, Init-Scripts). +7. If you use the example config, HedgeDoc should now be available at [http://127.0.0.1:3000](http://127.0.0.1:3000). +8. Run the server as you like (node, forever, pm2, systemd, Init-Scripts). See [below](#systemd-unit-example) for an example using systemd. ## Upgrading
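Review bot: the new `marked` bullet in the `public/docs/release-notes.md` hunk of PATCH 1/3 states that CVE-2021-21306 is fixed in 1.8.0, but nothing in this three-patch series upgrades `marked` (the only `package.json` change, in PATCH 2/3, is the `"version"` field), so before tagging, confirm the dependency bump already landed on this branch and that the `marked` version resolved in `package.json`/`yarn.lock` is one the linked advisory lists as patched; a release note that names a CVE without the matching lockfile change is easy to get wrong. The lead sentence also changes from "fixes a security issue" to "fixes multiple security issues" while keeping the rc1 bullet for CVE-2021-29474, so readers who already run 1.8.0-rc1 cannot tell which fix is new; one clause such as "new since 1.8.0-rc1: the `marked` ReDoS fix" would make the upgrade urgency clear for them.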
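Review bot: the `docs/content/setup/docker.md` hunk in PATCH 2/3 moves the pin straight from `image: quay.io/hedgedoc/hedgedoc:1.7.2` to `1.8.0`, which shows the docs had drifted two versions behind `package.json` (`1.8.0-rc1`); since the same version string is hand-edited in `openapi.yml`, `docker.md`, `manual-setup.md` and `package.json` in this one commit, a release checklist entry or a script that greps for the previous tag would keep them in step. In the unchanged context of that hunk the compose example ships `CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc` with a literal `password`; a comment on that line telling the reader to replace it (and the matching credential on the `database` service) would stop copy-pasted deployments running with the documented default.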
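Review bot: the second `docs/content/setup/manual-setup.md` hunk in PATCH 2/3 (`@@ -62,7 +62,7 @@`, the upgrade steps) shows the numbered list going `2.`, `3.`, then `5.`, `6.` with no step 4, and PATCH 3/3 renumbers the install list after dropping a step but leaves this gap alone; renumber `5. Run \`bin/setup\`` to `4.` and `6.` to `5.` in the same series so the two lists are consistent. While touching the line `git fetch origin && git checkout 1.8.0`, note that the first hunk (`git clone -b 1.8.0 …`) and the download link both tell the reader to fetch and run a release without saying how to verify it; if the project publishes checksums or signed tags, one sentence pointing to them belongs next to these commands.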
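Review bot: the `docs/content/setup/manual-setup.md` hunk in PATCH 3/3 deletes the `.sequelizerc` step, which was the only place these instructions told an operator where the database URL for migrations lives, and the commit message ("Remove mention of .sequelizerc from docs") does not say whether the file is simply no longer required or is no longer read at all; state that in the commit body and, if the connection string now comes from the config referenced just above ("the configuration documentation"), say so in the remaining step 4 so a fresh install is not left guessing. Existing installs following the upgrade section will still have a `.sequelizerc` containing `postgres://username:password@…` in plaintext; an upgrade note telling them it is unused and can be removed would avoid leaving stale credentials on disk. The renumbering to `6.`, `7.`, `8.` in this hunk is consistent.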