Discourse 3.0.2 Stable Release
Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta, are production ready.
Changes
Security
- Bump Rails to v7.0.4.3
- Hide PM count for tags by default (CVE-2023-23935)
- Fix XSS in full name composer reply (CVE-2023-25172)
- Monkey-patch web-push gem to use safer HTTP client (Advisory)
- Fix SSRF protection bypass via IPv4-mapped IPv6 addresses (CVE-2023-28111)
- Add FinalDestination::FastImage that’s SSRF safe (CVE-2023-28112)
- Rate limit the creation of backups (CVE-2023-28107)
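The IPv4-mapped IPv6 entry above (CVE-2023-28111) is a general bug class worth seeing in code: a blocklist that only compares IPv4 literals against private ranges lets `::ffff:127.0.0.1` (or its hex form `::ffff:7f00:1`) reach the same loopback host. The Ruby below is an added illustration, not Discourse's own FinalDestination code; the helper names `weak_blocked?` and `hardened_blocked?` and the range lists are assumptions chosen for the example. It shows the weak check next to a hardened one that unwraps mapped addresses with `IPAddr#native` before comparing.

```ruby
require "ipaddr"

# Added example of the CVE-2023-28111 bug class. Hypothetical helper names;
# this is not Discourse's FinalDestination implementation.

# Internal IPv4 ranges an SSRF filter would normally refuse to fetch from.
PRIVATE_V4 = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
].map { |r| IPAddr.new(r) }

# Internal IPv6 ranges (loopback, unspecified, unique-local, link-local).
PRIVATE_V6 = %w[::1/128 ::/128 fc00::/7 fe80::/10].map { |r| IPAddr.new(r) }

# Weak check: only IPv4 literals are compared against the blocklist, so any
# IPv6 literal, including an IPv4-mapped one such as ::ffff:127.0.0.1, is
# treated as public and the fetch goes through to loopback.
def weak_blocked?(host)
  ip = IPAddr.new(host)
  ip.ipv4? && PRIVATE_V4.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  false
end

# Hardened check: normalise an IPv4-mapped IPv6 address to its native IPv4
# form first, then compare against the blocklist for the resulting family.
# Unparseable input fails closed.
def hardened_blocked?(host)
  ip = IPAddr.new(host)
  ip = ip.native if ip.ipv4_mapped?
  ranges = ip.ipv4? ? PRIVATE_V4 : PRIVATE_V6
  ranges.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true
end

if __FILE__ == $0
  # Constructed sample inputs: the bypass literal in both spellings, plus a
  # plain loopback and a public address for comparison.
  %w[127.0.0.1 ::ffff:127.0.0.1 ::ffff:7f00:1 ::1 93.184.216.34].each do |h|
    printf("%-18s weak=%-5s hardened=%s\n", h, weak_blocked?(h), hardened_blocked?(h))
  end
end
```

Run the check against every address the resolver returns (and again after each redirect), not just the literal the user typed; normalising before the range comparison is what closes the mapped-address gap.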
Feature
- Rate limit anon searches per second
Bug Fixes
- Ensure anon-cached values are never returned for API requests (stable)
- Don’t spam presence requests when getting 429
- Fix failing system spec for rate-limited search
- Avoid race condition when setting user status