gogs/gogs v0.14.2 on GitHub

Security: Cross-repository LFS object overwrite via missing content hash verification. #8166 - GHSA-gmf8-978x-2fg2
Security: Stored XSS via data URI in issue comments. #8174 - GHSA-xrcr-gmf5-2r8j
Security: Release tag option injection in release deletion. #8175 - GHSA-v9vm-r24h-6rqm
Security: Stored XSS in branch and wiki views through author and committer names. #8176 - GHSA-vgvf-m4fw-938j
Security: DOM-based XSS via issue meta selection on the issue page. #8178 - GHSA-vgjm-2cpf-4g7c
Unable to update files via web editor and API. #8184

Support for passing API access tokens via URL query parameters (token, access_token). Use the Authorization header instead. #8177 - GHSA-x9p5-w45c-7ffc

Previous patch releases

0.14.1

Support comparing tags in addition to branches. #6141
Show file name in browser tab title when viewing files. #5896
Support using TLS for Redis session provider using [session] PROVIDER_CONFIG = ...,tls=true. #7860
Support expanading values in app.ini from environment variables, e.g. [database] PASSWORD = ${DATABASE_PASSWORD}. #8057
Support custom logout URL that users get redirected to after sign out using [auth] CUSTOM_LOGOUT_URL. #8089
Start publishing next-generation, security-focused Docker image via gogs/gogs:next-latest, which will become the default image distribution (gogs/gogs:latest) starting 0.16.0. While not all container options support have been added in the next-generation image, the use of current legacy Docker image is deprecated, it will be published as gogs/gogs:legacy-latest starting 0.16.0, and be completely removed no earlier than 0.17.0. #8061

The required Go version to compile source code changed to 1.25.
The build tag cert has been removed, and the gogs cert subcommand is now always available. #7883
Switched to pure-Go SQLite driver, CGO is no longer required to compile Gogs. #7882
Updated Mermaid JS to 11.9.0. #8009
Halt the repository creation and leave the directory untouched if the repository root already exists. #8091

Security: Unauthenticated file upload. #8128 - GHSA-fc3h-92p8-h36f
Security: Protected branch bypass in web UI. #8124 - GHSA-2c6v-8r3v-gh6p
Security: Authorization bypass allows cross-repository label modification. #8123 - GHSA-cv22-72px-f4gh
Security: Cross-repository comment deletion. #8119 - GHSA-jj5m-h57j-5gv7
500 error on repository watchers and stargazers pages when using MSSQL. #5482
Submodules using ssh:// protocol and a port number are not rendered correctly. #4941
Missing link to user profile on the first commit in commits history page. #7404
Unable to delete or display files with special characters in their names. #7596
Docker healthcheck fails when HTTP_PROXY or HTTPS_PROXY environment variables are set. #7529