• bh@sysad.org
    2016-08-16

    ChangeLog

    https://github.com/diaspora/diaspora/blob/master/Changelog.md

    0.5.10.2

    Update to Rails 4.2.7.1 which fixes CVE-2016-6316 and CVE-2016-6317.

    0.5.10.1

    We made a mistake and removed mysql2 from the Gemfile.lock in a recent gem update. Since this could cause some issues for some installations, we decided to release a hotfix.

    0.5.10.0

    Refactor

    • Removed the publisher from a user's photo stream due to various issues #6851
    • Don't implicitly ignore missing templateName in app.views.Base #6877

    0.5.9.1

    Update Nokogiri to 1.6.8, which in turn updates libxml2 to 2.9.4 and libxslt to 1.1.29,
    addressing a range of security issues. See https://groups.google.com/forum/#!topic/ruby-security-ann/RCHyF5K9Lbc
    for more details.

    0.5.9.0

    Refactor

    • Remove unused mentions regex #6810

    Bug fixes

    • Fix back to top button not appearing on Webkit browsers #6782
    • Don't reset the notification timestamp when marking them as read #6821

    Features

    • The sender's diaspora-ID is now shown in invitation mails #6817

    0.5.8.0

    Refactor

    • Sort tag autocompletion by tag name #6734
    • Make account deletions faster by adding an index #6771

    Bug fixes

    • Fix empty name field when editing aspect names #6706
    • Fix internal server error when trying to log out of an expired session #6707
    • Only mark unread notifications as read #6711
    • Use https for OEmbeds #6748
    • Fix birthday issues on leap days #6738

    Features

    • Added the footer to conversation pages #6710
    • Drop ChromeFrame and display an error page on old IE versions instead #6751

    0.5.7.1

    This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.

    Disabling the fetching will make the current federation a bit less reliable, but for a hotfix this is the best solution. We will re-enable the fetching in 0.6.0.0, once we have moved the federation out into its own library and are able to implement further validation during fetches.

    0.5.7.0

    Refactor

    • Internationalize controller rescue_from text #6554
    • Make mention parsing a bit more robust #6658
    • Remove unlicensed images #6673
    • Removed unused contacts_title #6687

    Bug fixes

    • Fix plural rules treating more values than intended as "one" #6630
    • Fix suppress_annoying_errors swallowing too many errors #6653
    • Ensure the rubyzip gem is properly loaded #6659
    • Fix mobile registration layout after failed registration #6677
    • Fix mirrored names when using an RTL language #6680
    • Disable submitting a post multiple times in the mobile UI #6682

    Features

    • Keyboard shortcuts now work on profile pages as well #6647
    • Add the podmin email address to 500 errors #6652

    0.5.6.3

    Fix evil regression caused by Active Model no longer exposing
    include_root_in_json in instances.

    0.5.6.2

    • Fix CVE-2016-0751 - Possible Object Leak and Denial of Service attack in Action Pack
    • Fix CVE-2015-7581 - Object leak vulnerability for wildcard controller routes in Action Pack
    • Fix CVE-2015-7576 - Timing attack vulnerability in basic authentication in Action Controller
    • Fix CVE-2016-0752 - Possible Information Leak Vulnerability in Action View
    • Fix CVE-2016-0753 - Possible Input Validation Circumvention in Active Model
    • Fix CVE-2015-7577 - Nested attributes rejection proc bypass in Active Record
    • Fix CVE-2015-7579 - XSS vulnerability in rails-html-sanitizer
    • Fix CVE-2015-7578 - Possible XSS vulnerability in rails-html-sanitizer

    0.5.6.1

    • Fix Nokogiri CVE-2015-7499
    • Fix unsafe "Remember me" cookies in Devise

    0.5.6.0

    Refactor

    • Add more integration tests with the help of the new diaspora-federation gem #6539

    Bug fixes

    • Fix mention autocomplete when pasting the username #6510
    • Use and update updated_at for notifications #6573
    • Ensure the author signature is checked when receiving a relayable #6539
    • Do not try to display hovercards when logged out #6587

    Features

    • Display hovercards without aspect dropdown when logged out #6603
    • Add media.ccc.de as a trusted oEmbed endpoint