Forgejo v1.21.2-1 was released 12 December 2023.
This release contains a security fix related to permissions enforcement of web endpoints.
We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.
The project page of a private user was missing a permission check and was visible publicly. The user's other pages (packages, repositories, etc.), and even the user's existence, are not visible publicly.
This unfortunate incident forced the immediate preparation of this Forgejo patch release. With no advance warning, it only allowed for limited testing, and there is a non-negligible risk of a regression.
In such a situation, Forgejo admins and users suffer the consequences, either because they are left unnecessarily exposed to publicly known vulnerabilities or because their instance may run into regressions due to insufficient preparation time and testing.
If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!