Skip to content

1.10.1-ls155

Latest
Latest
Compare
Choose a tag to compare
@LinuxServer-CI LinuxServer-CI released this 02 Feb 22:52
1.10.1-ls155
487e46e
This commit was signed with the committer’s verified signature.
LinuxServer-CI LinuxServer.io CI
SSH Key Fingerprint: fh11rWL5oCDRdg8ER4TS1r8mdK7lLmwPcJouqXZgNko
Verified
Learn about vigilant mode.

CI Report:

https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.1-ls155/index.html

LinuxServer Changes:

Allow using CMD_DB_DIALECT to set up the CMD_DB_URL.

Remote Changes:

This release fixes a security issue where brute-forcing local email/passwords is possible because of missing rate-limits.
We recommend upgrading as soon as possible, if you use local logins.

See also GHSA-6w39-x2c6-6mpf

This release changes the default configuration of the HSTS preload attribute to false for compliance with the
HSTS preload list requirements. This shouldn't impact any instance. However, if you intend to use HSTS preloading
you should enable the config setting hsts.preload to true or set environment variable CMD_HSTS_PRELOAD=true.

This release deprecates support for Node 18.
As the LTS support for 18 runs out in April 2025, the next release will only work with Node 20 and upwards.
Consider this your early warning to upgrade any running instances to at least Node 20.

Enhancements

  • Add fixed rate-limiting to the login and register endpoints
  • Add configurable rate-limiting to the new notes endpoint

Bugfixes

  • Fix a crash when cannot read user profile in OAuth (#5850 by @lautaroalvarez)
  • Fix CSP Header for mermaid embedded images (#5887 by @domrim)
  • Change default of HSTS preload to false for compliance with the HSTS preload list requirements (#5913 by @SvizelPritula)

Contributors

Assets 2
Loading