author | Jonne Haß <me@jhass.eu> | 2015-07-02 12:09:05 +0300 |
---|---|---|
committer | Jonne Haß <me@jhass.eu> | 2015-07-02 12:09:05 +0300 |
commit | 8624ebb92164f878eeb9811727ba6fba1e7720c1 (patch) | |
tree | 7871805c6393191e1adaa53d9e4c5d7d987066a9 | |
parent | e92c8000babb42412e2fbe4cb4ab7ff6d65a81eb (diff) |
bump to 0.5.1.2v0.5.1.2
-rw-r--r-- | Changelog.md | 6 | ||||
-rw-r--r-- | config/defaults.yml | 2 |
2 files changed, 7 insertions, 1 deletions
diff --git a/Changelog.md b/Changelog.md
index 3dedf127c..954d1dba2 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,9 @@
+# 0.5.1.2
+
+diaspora\* versions prior 0.5.1.2 leaked potentially private profile data (namely the bio, birthday, gender and location fields) to
+unauthorized users. While the frontend properly hid them, the backend missed a check to not include them in responses.
+Thanks to @cmrd-senya for finding and reporting the issue.
+
 # 0.5.1.1
 
 Update rails to 4.2.2, rack to 1.6.2 and jquery-rails to 4.0.4. This fixes
diff --git a/config/defaults.yml b/config/defaults.yml
index 442cd798a..aa8622b89 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -4,7 +4,7 @@
 
 defaults:
 version:
- number: "0.5.1.1" # Do not touch unless doing a release, do not backport the version number that's in master
+ number: "0.5.1.2" # Do not touch unless doing a release, do not backport the version number that's in master
 heroku: false
 environment:
 url: "http://localhost:3000/"