From 36d5669293c73b7fc2b8c060e0a30c0044cfec7a Mon Sep 17 00:00:00 2001
From: "Alexander L."
Date: Fri, 27 Mar 2026 12:09:29 +0100
Subject: [PATCH] Update forgejo to 11.0.11 (#5209)
---
 forgejo/docker-compose.yml | 2 +-
 forgejo/umbrel-app.yml | 11 ++++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/forgejo/docker-compose.yml b/forgejo/docker-compose.yml
index 46d9bfbe..b5ba52a8 100644
--- a/forgejo/docker-compose.yml
+++ b/forgejo/docker-compose.yml
@@ -8,7 +8,7 @@ services:
 PROXY_AUTH_ADD: "false"
 server:
- image: codeberg.org/forgejo/forgejo:11.0.10-rootless@sha256:d0247afd85fde057d4d3233fd13ba840b7a2bc569c93db8a5e6d4ef5b946a36e
+ image: codeberg.org/forgejo/forgejo:11.0.11-rootless@sha256:3372178750d690c577487dbf37b07d6a20cf2364acf876ca217d0ffa13046590
 user: "1000:1000"
 restart: on-failure
 ports:
diff --git a/forgejo/umbrel-app.yml b/forgejo/umbrel-app.yml
index d8ee403f..60c655d2 100644
--- a/forgejo/umbrel-app.yml
+++ b/forgejo/umbrel-app.yml
@@ -2,7 +2,7 @@ manifestVersion: 1.1
 id: forgejo
 category: developer
 name: Forgejo
-version: "11.0.10"
+version: "11.0.11"
 tagline: A self-hosted lightweight software forge
 description: >-
 Forgejo is a self-hosted lightweight software forge, designed to be a fully self-hosted, privacy-respecting alternative to GitHub, GitLab, and Bitbucket. It is a fork of Gitea with additional features and community-driven enhancements. Forgejo is written in Go and can run on low-resource hardware like a Raspberry Pi. 
@@ -49,8 +49,13 @@ gallery:
 - 3.jpg
 releaseNotes: >-
 🚨 This release includes important security fixes:
- - Fixed excess creation of commit_status records
- - Upgraded Go version to 1.25.6, addressing denial of service vulnerabilities
+ - Fixed PKCE challenge validation for OAuth identity provider when using the S256 algorithm
+ - Fixed improper scope enforcement when using OAuth Bearer tokens with HTTP basic authentication
+ - Fixed missing permission checks in attachment endpoints that allowed modifying attachments a user did not own
+ - Fixed email notifications for new releases being sent to users who lost repository access or are inactive
+ - Fixed missing permission checks in user/org-owned projects that allowed unauthorized changes to project state
+ - Fixed missing permission check that allowed unauthorized cancellation of pull request automerge
+ - Fixed path-traversal vulnerability in post-login redirect parameters that could allow arbitrary redirects
 Full release notes are available at https://forgejo.org/releases/