Diffstat (limited to 'docs')
-rw-r--r-- docs/docs/CHANGELOG.md 13
1 files changed, 13 insertions, 0 deletions
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 931ab9d..18513f5 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
+
- Added a periodic cleanup routine for the decaymap that removes expired entries, ensuring stale data is properly pruned.
- Added a no-store Cache-Control header to the challenge page
- Hide the directory listings for Anubis' internal static content
@@ -28,6 +29,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Fixed a typo in the challenge page title.
- Disabled running integration tests on Windows hosts due to it's reliance on posix features (see [#133](https://github.com/TecharoHQ/anubis/pull/133#issuecomment-2764732309)).
+## v1.15.1
+
+Zenos yae Galvus: Echo 1
+
+Fixes a recurrence of [CVE-2025-24369](https://github.com/Xe/x/security/advisories/GHSA-56w8-8ppj-2p4f)
+due to an incorrect logic change in a refactor. This allows an attacker to mint a valid
+access token by passing any SHA-256 hash instead of one that matches the proof-of-work
+test.
+
+This case has been added as a regression test. It was not when CVE-2025-24369 was released
+due to the project not having the maturity required to enable this kind of regression testing.
+
## v1.15.0
Zenos yae Galvus
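Review bot: The new v1.15.1 entry does not say which releases carry the regression, so a reader of "Fixes a recurrence of CVE-2025-24369 due to an incorrect logic change in a refactor" cannot tell whether their deployment is affected. Name the release that introduced the refactor (or the affected range) and state that upgrading to v1.15.1 is the remediation. The following sentence, "This allows an attacker to mint a valid access token", reads as if the fix itself allows it; make the regression the subject and use the past tense, for example "The regression allowed an attacker to mint ...". "It was not when CVE-2025-24369 was released" is hard to parse; say directly that no regression test was added when the original fix shipped. The advisory link points at the original GHSA under Xe/x; if the recurrence has its own advisory, link that as well.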