Mergeback release 2.5.4

2023-08-05 08:27:42 +02:00 · 2023-08-05 08:27:42 +02:00 · 4099ddb3dc
commit 4099ddb3dc
parent 6d48b0f1a9
3 changed files with 7 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -18,6 +18,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Removed
 - BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)

+## 2.5.4
+
+## Security
+- Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
+
 ## 2.5.3

 ### Security
--- a/changelog.d/akkoma-xml-remote-entities.security
+++ b/changelog.d/akkoma-xml-remote-entities.security
@ -1 +1 @@
-Restrict XML parser from processing external entitites (XXE)
+Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
--- a/mix.exs
+++ b/mix.exs
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
  def project do
    [
      app: :pleroma,
-      version: version("2.5.53"),
+      version: version("2.5.54"),
      elixir: "~> 1.11",
      elixirc_paths: elixirc_paths(Mix.env()),
      compilers: [:phoenix] ++ Mix.compilers(),