Version bump.

2023-04-19 20:08:38 -05:00 · 2023-04-19 20:08:38 -05:00 · bceeb8e4b7
parent f4d4de0c42
commit bceeb8e4b7
3 changed files with 39 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,11 +5,32 @@ release channel, you can take advantage of these new features and fixes.

 ## New Features/Changes

+## Code Quality/Technical Changes
+
+## Bug Fixes
+
+---
+
+# AzuraCast 0.18.0 (Apr 19, 2023)
+
+This release includes numerous important new features and a vulnerability fix that is particularly important for
+multi-tenant installations (i.e. resellers). Upgrading is strongly recommended in these environments.
+
+## New Features/Changes
+
+- **Fix for [CVE-2023-2191](https://nvd.nist.gov/vuln/detail/CVE-2023-21910)**: An issue was identified where a user who
+  already had an AzuraCast account could update their display name to inject malicious JavaScript into the header menu
+  of the site. In a majority of cases, this menu is only visible to the current logged-in user (pages like the "
+  Administer Users" page are unaffected by this vulnerability), but if a higher-privileged administrator uses the "Log
+  In As" feature to masquerade as a user, then the JavaScript injection could exfiltrate certain data. Anonymous members
+  of the public cannot exploit this vulnerability in an AzuraCast installation, so it is primarily of concern for
+  multi-tenant installations (i.e. resellers).
+
 - **Smarter, Faster Searches**: For searches in the Media Manager, as well as the public-facing Requests and On Demand
  pages, we now use a new search tool called Meilisearch that allows for very fast, very accurate search results, as
  well as more complex search queries (and other goodies, like typo correction).

- **Master_me and Post-Processing Tweaks:** We now have built-in support
+- **Master_me and Post-Processing Tweaks**: We now have built-in support
  for [master_me](https://github.com/trummerschlunk/master_me), an open-source audio mastering tool that helps add
  polish and "punch" to your streams. Its functionality is similar to Stereo Tool, but because it's open-source, we
  include it in every AzuraCast installation. You can now also customize whether our post-processing step includes your
--- a/src/Version.php
+++ b/src/Version.php
@ -17,7 +17,7 @@ use Symfony\Component\Process\Process;
 final class Version
 {
    /** @var string Version that is displayed if no Git repository information is present. */
-    public const FALLBACK_VERSION = '0.17.7';
+    public const FALLBACK_VERSION = '0.18.0';

    public const UPDATE_URL = 'https://docs.azuracast.com/en/getting-started/updates';
    public const CHANGELOG_URL = 'https://github.com/AzuraCast/AzuraCast/blob/main/CHANGELOG.md';
--- a/web/static/api/openapi.yml
+++ b/web/static/api/openapi.yml
@ -5,7 +5,7 @@ info:
  license:
    name: 'Apache 2.0'
    url: 'https://www.apache.org/licenses/LICENSE-2.0.html'
-  version: 0.17.7
+  version: 0.18.0
 servers:
  -
    url: 'https://demo.azuracast.com/api'
@ -3341,7 +3341,6 @@ components:
          type: string
          example: p4ssw0rd
        mounts:
-          description: '*/'
          type: array
          items:
            $ref: '#/components/schemas/Api_NowPlaying_StationMount'
@ -3394,6 +3393,16 @@ components:
          type: string
          example: 'https://your-region.digitaloceanspaces.com'
          nullable: true
+        dropboxAppKey:
+          description: 'The optional Dropbox App Key.'
+          type: string
+          example: ''
+          nullable: true
+        dropboxAppSecret:
+          description: 'The optional Dropbox App Secret.'
+          type: string
+          example: ''
+          nullable: true
        dropboxAuthToken:
          description: 'The optional Dropbox Auth Token.'
          type: string
@ -3645,7 +3654,6 @@ components:
            -
              $ref: '#/components/schemas/Api_NowPlaying_StationQueue'
        song_history:
-          description: '*/'
          type: array
          items:
            $ref: '#/components/schemas/Api_NowPlaying_SongHistory'
@ -3739,12 +3747,10 @@ components:
          type: boolean
          example: true
        mounts:
-          description: '*/'
          type: array
          items:
            $ref: '#/components/schemas/Api_NowPlaying_StationMount'
        remotes:
-          description: '*/'
          type: array
          items:
            $ref: '#/components/schemas/Api_NowPlaying_StationRemote'
@ -4291,7 +4297,7 @@ components:
              type: string
              example: 'Super Administrator'
            permissions:
-              description: 'RolePermission> */'
+              description: RolePermission>
              type: array
              items: {  }
    Settings:
@ -4758,7 +4764,7 @@ components:
              type: integer
              example: 1609480800
            playlists:
-              description: 'StationPlaylistMedia> */'
+              description: StationPlaylistMedia>
              type: array
              items: {  }
    StationMount:
@ -4890,7 +4896,7 @@ components:
              type: boolean
              example: true
            schedule_items:
-              description: 'StationSchedule> */'
+              description: StationSchedule>
              type: array
              items: {  }
    StationSchedule:
@ -4947,7 +4953,7 @@ components:
              example: 1609480800
              nullable: true
            schedule_items:
-              description: 'StationSchedule> */'
+              description: StationSchedule>
              type: array
              items: {  }
    StationStreamerBroadcast:
@ -5054,7 +5060,7 @@ components:
              type: integer
              example: 1609480800
            roles:
-              description: 'Role> */'
+              description: Role>
              type: array
              items: {  }
  responses: