⚠️ Important ⚠️
- Vulnerability within OAuth
- Versions affected: anything past v3.6.0
- Providers affected: Google
- The vulnerability is caused by a backwards-compatibility fallback used when looking up an OAuth user: instead of relying on the provider's ID, the fallback matched only on username + provider name. This meant that as long as the determined username was the same, two Google accounts with the same username would resolve to the same user if linked.
- This doesn't affect Discord or GitHub, since they have unique usernames.
- If you don't use OAuth, you can continue using previous versions at your own risk.
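The fallback described above, modelled as an added example (not the project's own code): a legacy lookup that falls back to provider + username beside a lookup keyed only on the provider's ID. All type names, function names and sample records are hypothetical.

```typescript
// Hypothetical model of the release note's OAuth lookup (not the project's code).

interface OAuthLink {
  provider: string;    // e.g. "google"
  providerId: string;  // the provider's stable unique id (for Google, the "sub" claim)
  username: string;    // display name reported by the provider; not unique for Google
}

interface User {
  id: number;
  oauth: OAuthLink[];
}

function matchById(u: User, provider: string, providerId: string): boolean {
  return u.oauth.some(o => o.provider === provider && o.providerId === providerId);
}

// Vulnerable shape: when no link matches on provider id, fall back to
// provider + username. Two Google accounts reporting the same username
// therefore resolve to the same local user.
function findUserLegacy(users: User[], provider: string, providerId: string, username: string): User | undefined {
  const byId = users.find(u => matchById(u, provider, providerId));
  if (byId) return byId;
  // backwards-compatibility fallback: username + provider name only
  return users.find(u => u.oauth.some(o => o.provider === provider && o.username === username));
}

// Fixed shape: identity is the provider id alone. The username is never used
// to resolve an account; an unknown id yields undefined and must go through the
// normal sign-up / link flow instead of silently attaching to an existing user.
function findUserFixed(users: User[], provider: string, providerId: string): User | undefined {
  return users.find(u => matchById(u, provider, providerId));
}

// Constructed sample: one local user linked to a Google account named "alex".
// A second, unrelated Google account (different sub) also reports the name "alex".
const users: User[] = [
  { id: 1, oauth: [{ provider: "google", providerId: "sub-111", username: "alex" }] },
];

// Returns which local user id each lookup resolves the second "alex" account to.
function demo(): { legacyHit?: number; fixedHit?: number } {
  return {
    legacyHit: findUserLegacy(users, "google", "sub-222", "alex")?.id,
    fixedHit: findUserFixed(users, "google", "sub-222")?.id,
  };
}
```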
What's Changed
- feat(ci): push to docker hub by @wdhdev in #613
- fix: code scroll overflow handling by @quantum5 in #620
- Update README.md by @Rovoska in #627
- fix(repo): update devcontainer defaults to use bundled postgres by @Hegi in #585
- feat: proper range request handling by @ari-party in #635
- fix: Check if route was set to /r, as it's reserved. by @TacticalTechJay in #643
New Contributors
- @quantum5 made their first contribution in #620
- @Rovoska made their first contribution in #627
- @Hegi made their first contribution in #585
Full Changelog: v3.7.10...v3.7.11