mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2025-05-16 16:14:43 -04:00
Update release notes for 1.9.0
Signed-off-by: David Mehren <git@herrmehren.de>
parent
c3deb715dd
commit
07d447757a
1 changed files with 7 additions and 9 deletions
|
@ -1,21 +1,19 @@
|
||||||
# Release Notes
|
# Release Notes
|
||||||
## <i class="fa fa-tag"></i> 1.9.0-rc1 <i class="fa fa-calendar-o"></i> 2021-08-29
|
## <i class="fa fa-tag"></i> 1.9.0 <i class="fa fa-calendar-o"></i> 2021-09-13
|
||||||
### Security Fixes
|
### Security Fixes
|
||||||
- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
|
- [CVE-2021-39175: XSS vector in slide mode speaker-view](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-j748-779h-9697)
|
||||||
- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because
|
- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because they were repeatedly used to exploit security vulnerabilities.
|
||||||
they were repeatedly used to exploit security vulnerabilities.
|
|
||||||
If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
|
If you want to continue using Google Analytics or Disqus, you can re-enable them in the config.
|
||||||
See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details
|
See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details
|
||||||
|
|
||||||
### Features
|
### Features
|
||||||
- HedgeDoc now automatically retries connecting to the database up to 30 times on startup
|
- HedgeDoc now automatically retries connecting to the database up to 30 times on startup
|
||||||
- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance
|
- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance in other webpages is allowed.
|
||||||
in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks
|
We **strongly recommend disabling** this option to reduce the risk of XSS attacks
|
||||||
- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc
|
- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc notes is allowed.
|
||||||
notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of
|
We recommend disabling this option if you don't use the feature, to reduce the attack surface of XSS attacks
|
||||||
XSS attacks
|
|
||||||
- Add additional environment variables to configure the database.
|
- Add additional environment variables to configure the database.
|
||||||
This allows easier configuration in containerised environments, such as Kubernetes
|
This allows easier configuration in containerized environments, such as Kubernetes
|
||||||
|
|
||||||
### Enhancements
|
### Enhancements
|
||||||
- Further improvements to the frontend build process, reducing the initial bundle size by 60%
|
- Further improvements to the frontend build process, reducing the initial bundle size by 60%
|
||||||
|
|
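Review bot: The two Features entries for `csp.allowFraming` and `csp.allowPDFEmbed` recommend disabling the options without stating their default values, so an admin reading the 1.9.0 notes cannot tell whether an upgraded instance needs a config change to get the safer behaviour. Suggest stating the default next to each recommendation. The Security Fixes entry on Google Analytics and Disqus has the same gap: "you can re-enable them in the config" names no config keys and relies on the docs link alone, which is thin for a change to the default Content Security Policy. Minor: the reflowed sentences still end without a period ("to reduce the risk of XSS attacks", "for details"), and the `containerised` to `containerized` spelling change is unrelated to the version bump, so it would be worth a mention in the commit message.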