Forgejo2d ago

#Forgejo 14.0.4 and 11.0.12 were just released! They are security releases.

We recommend that all installations are upgraded to the latest version as soon as possible.

Check out the release notes and download it at https://forgejo.org/releases/. If you experience any issues with this release, please report to https://codeberg.org/forgejo/forgejo/issues.

#forgejorelease

Forgejo

Show threadRobey ☠️2d ago
@forgejo since i don't use golang, the release note "update go" doesn't really convey any information ... could you add a release note explaining what the security patches are for?
Show threadForgejo2d ago

@robey You may find Go's release notes here: https://go.dev/doc/devel/release

~ @mahlzahn

Release History - The Go Programming Language

Show threadRobey ☠️1d ago
@forgejo @mahlzahn thanks, tho my comment still stands
Show threadForgejo1d ago

@robey Can you maybe clarify your question?

Go is the programming language in which Forgejo is written. So it is also a safety measurement to release a new version when the underlying programming language receives security patches.

~ @beowulf

Show threadRobey ☠️

@forgejo @beowulf comment, not a question: you should add details to your update notes when security is involved.

since i don't use golang, and their own release notes are vague ("security update in modules foo & bar"), i have to assume none of these would affect me. but it would be good to make that explicit in your own release notes.

7:23pmWeb
Show threadMathieu Fenniak3h ago

@robey @forgejo @beowulf I'm a member of Forgejo's security team. For most security releases, we publish detailed notes -- those are case where we've identified proven exploits against Forgejo. In this case, one of our critical dependencies has published security patches, and we're passing those along to our users. There are real security risks, which is why we released this. But there are no proven exploits, so we have no more details to provide.

There are some great bug fixes as well.