From 1d8b274ae8e7a1910c03d3d27bf5ef8ab148b6be Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Mon, 29 Jul 2024 00:16:48 +0200
Subject: [PATCH] Release: v2023.12.9
---
 CHANGELOG.md | 21 +++++++++++++++++++++
 package.json | 2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9ab4ed3de..fcdedd361 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,24 @@
+## v2023.12.9
+This release contains a security patch, as well as minor fixes and improvements. Upgrading is strongly recommended for all server operators.
+
+### Highlights
+- Several DoS vulnerabilities - allowing remote attackers to allocate arbitrary amounts of memory - were patched
+- Corrupt jobs now get discarded instead of clogging up the failed queues
+
+### Backend
+- Fetched JSON-LD contexts are now limited to 1MiB, resolving a DoS attack vector
+- Fetched node-fetch responses are now limited to 1MiB/10MiB, resolving a DoS attack vector
+
+### Miscellaneous
+- The docker images now use the bundled libvips version shipping with sharp instead of the system-wide one, reducing the image size by ~60MB
+- The example docker-compose.yml file was updated
+- The iceshrimp-js package was renamed to iceshrimp-sdk in order to prevent confusion should this repository be renamed to iceshrimp-js in the future (to distinguish it from Iceshrimp.NET)
+- Various dependency updates
+- Various translation updates
+
+### Attribution
+This release was made possible by project contributors: AntoineƐ & Laura Hausmann
+
 ## v2023.12.8
 This release contains minor fixes and improvements. Upgrading is recommended for all server operators.
diff --git a/package.json b/package.json
index 8e2fd8da9..491b80916 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "iceshrimp",
- "version": "2023.12.8",
+ "version": "2023.12.9",
 "repository": {
 "type": "git",
 "url": "https://iceshrimp.dev/iceshrimp/iceshrimp.git"