Welcome the #HedgeDoc account :)
HedgeDoc security issue response time was quite good this time around: Monday evening we got the report and started working on it and today we released the new version. That is a response time of ~48h.
#HedgeDoc #SecurityResponse
We've just released #HedgeDoc 1.10.3
This release contains a security fix for a possible XSS through malicious SVG uploads
See our security advisory https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-3983-rrqh-mvx5
Read the full changelog on https://hedgedoc.org/releases/1.10.3/
This episode #OpenSourceSecurity talks to @sheogorath about forking open source projects
It's a lot more complicated than you think it is, and Sheogorath has some first-hand experience from one of the most complicated forks I've ever seen in HedgeDoc
It's a fun chat filled with lessons
https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/
We've just released #HedgeDoc 1.10.2
This release contains a security fix for users of the SAML Login!
See our security advisory https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gw77-7r3c-4cm3
Read the full changelog on https://hedgedoc.org/releases/1.10.2/
Over the last couple of evenings, I put together a prototype for editing a @hedgedoc document from Neovim!
This involved forking the rust-socketio crate to add support for Socket.IO 2.x, slightly extending our @ethersync editor plugin, and writing some "connecting glue".
Not quite ready to publish – but would this be interesting/useful for any of you?
EDIT: In the long run, this would support any editor that has a plugin speaking the Ethersync Protocol, see https://ethersync.github.io/ethersync/editor-plugin-dev-guide.html :)
We've just released #HedgeDoc 1.10.1
This release contains a medium severity security fix for users of the local email/password login!
Read the full changelog on https://hedgedoc.org/releases/1.10.1/
REMEMBER: Deletion of https://demo-archive.hedgedoc.org
As announced in July of last year already, we're deleting the archive of the old demo instance soon. In 2 weeks from now - so on February 3rd, 2025 - the instance with all its notes and media files will be removed. In case there's anything you need to back up, do that now. There won't be any way to recover your notes afterward.
The new demo instance is wiped daily, please seek a new place for your notes to live on.
We've just released #HedgeDoc 2 Alpha 3
Read more on https://github.com/hedgedoc/hedgedoc/releases/tag/v2.0.0-alpha.3
We've just re-released #HedgeDoc 1.10.0
This release contains a medium severity security fix for users of MySQL/MariaDB!
Please be aware that running HedgeDoc with Node.js 22.7.0 may lead to UTF-8 problems because of a regression in Node.
We recommend using Node 20 for the time being.
Read the full changelog on https://hedgedoc.org/releases/1.10.0/
In conclusion: we re-released #HedgeDoc version 1.10.0 with no adjustments to the HedgeDoc code. The #NodeJS version 22.7.0 was the origin of the issue.
If you run HedgeDoc with your own installation, please make sure you don't use this NodeJS version.
The official container images were adjusted to use Node 20 in the meantime for both 1.9.9 and 1.10.0.
What will we do today, Brain? The same thing we do everyday, Pinky: Release HedgeDoc 1.10.0.
#HedgeDocLeaks
We suspect it's related to a recent nodejs problem: https://github.com/nodejs/node/issues/54543
This explains some indeterminate behaviour as well as why we saw reports even for 1.9.9.
We are currently working on reverting the recent base-image updates for existing versions as well as preparing a new release for the changes we introduced in 1.10.0
Please be aware that we are currently investigating a problem with the fresh #hedgedoc 1.10.0 release after reports of broken notes. We pulled the release, PLEASE DON'T INSTALL IT.
Well, maybe that release broke UTF-8.
Look at @innaytool developing HedgeDoc 2 on a totally normal setup.
#HedgeDocLeaks
There is news! Good news!
We provide a cleaned-up read-only archive of the old demo instance and have set up a new demo instance, which will be wiped on a regular basis.
https://community.hedgedoc.org/t/status-of-the-demo-instance/1634/14
Please go ahead and start migrating your notes to a self-hosted instance in the upcoming weeks.
Sadly we had to suspend the demo instance after abuse.
https://community.hedgedoc.org/t/no-more-anonymous-usage-of-demo-instance/1634/4
Some entity decided to spam and abuse the demo instance for their gains. This is why we can't have nice things.
We hope we can bring the demo instance back from this. But be ready to migrate to your own instances in the next few weeks.