mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-21 04:13:12 +00:00
0a10c17c8d
ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0 As documented in the Nix expression, I unfortunately had to patch `yarn.lock` manually (the `yarn.nix` result isn't affected by this). By adding a `git+https`-prefix to `midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache from `yarn2nix` rather than trying to download a tarball from GitHub. Also, this release contains a fix for CVE-2021-39175 which doesn't seem to be backported to 1.8. To quote NVD[1]: > In versions prior to 1.9.0, an unauthenticated attacker can inject > arbitrary JavaScript into the speaker-notes of the slide-mode feature > by embedding an iframe hosting the malicious code into the slides or by > embedding the HedgeDoc instance into another page. Even though it "only" has a medium rating by NVD (6.1), this seems rather problematic to me (also, GitHub rates this as "High"), so it's actually a candidate for a backport. [1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175 |
||
|---|---|---|
| .. | ||
| bookstack | ||
| cryptpad | ||
| discourse | ||
| dokuwiki | ||
| engelsystem | ||
| fileshelter | ||
| frab | ||
| galene | ||
| hedgedoc | ||
| jirafeau | ||
| jitsi-meet | ||
| lemmy | ||
| matomo | ||
| mediawiki | ||
| moodle | ||
| morty | ||
| pgpkeyserver-lite | ||
| plausible | ||
| restya-board | ||
| rss-bridge | ||
| searx | ||
| selfoss | ||
| shaarli | ||
| shiori | ||
| sogo | ||
| vikunja | ||
| virtlyst | ||
| wallabag | ||
| whitebophir | ||
| wiki-js | ||
| wordpress | ||