Refactor

• Removed the publisher from a user's photo stream due to various issues #6851
• Don't implicitly ignore missing templateName in app.views.Base #6877

Update Nokogiri to 1.6.8, which in turn updates libxml2 to 2.9.4 and libxslt to 1.1.29, addressing a range of security issues. See https://groups.google.com/forum/#!topic/ruby-security-ann/RCHyF5K9Lbc for more details.

Refactor

• Remove unused mentions regex #6810

Bug fixes

• Fix back to top button not appearing on Webkit browsers #6782
• Don't reset the notification timestamp when marking them as read #6821

Features

• The sender's diaspora-ID is now shown in invitation mails #6817

Refactor

• Sort tag autocompletion by tag name #6734
• Make account deletions faster by adding an index #6771

Bug fixes

• Fix empty name field when editing aspect names #6706
• Fix internal server error when trying to log out of an expired session #6707
• Only mark unread notifications as read #6711
• Use https for OEmbeds #6748
• Fix birthday issues on leap days #6738

Features

• Added the footer to conversation pages #6710
• Drop ChromeFrame and display an error page on old IE versions instead #6751

This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.

Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0 when we moved out the federation into its own library and are able to implement further validation during fetches.

Refactor

• Internationalize controller rescue_from text #6554
• Make mention parsing a bit more robust #6658
• Remove unlicensed images #6673
• Removed unused contacts_title #6687

Bug fixes

• Fix plural rules handling more than wanted as "one" #6630
• Fix suppress_annoying_errors eating too much errors #6653
• Ensure the rubyzip gem is properly loaded #6659
• Fix mobile registration layout after failed registration #6677
• Fix mirrored names when using a RTL language #6680
• Disable submitting a post multiple times in the mobile UI #6682

Features

• Keyboard shortcuts now do work on profile pages as well #6647
• Add the podmin email address to 500 errors #6652

Fix evil regression caused by Active Model no longer exposing include_root_in_json in instances.

• Fix CVE-2016-0751 - Possible Object Leak and Denial of Service attack in Action Pack
• Fix CVE-2015-7581 - Object leak vulnerability for wildcard controller routes in Action Pack
• Fix CVE-2015-7576 - Timing attack vulnerability in basic authentication in Action Controller
• Fix CVE-2016-0752 - Possible Information Leak Vulnerability in Action View
• Fix CVE-2016-0753 - Possible Input Validation Circumvention in Active Model
• Fix CVE-2015-7577 - Nested attributes rejection proc bypass in Active Record
• Fix CVE-2015-7579 - XSS vulnerability in rails-html-sanitizer
• Fix CVE-2015-7578 - Possible XSS vulnerability in rails-html-sanitizer

• Fix Nokogiri CVE-2015-7499
• Fix unsafe "Remember me" cookies in Devise

Refactor

• Add more integration tests with the help of the new diaspora-federation gem #6539

Bug fixes

• Fix mention autocomplete when pasting the username #6510
• Use and update updated_at for notifications #6573
• Ensure the author signature is checked when receiving a relayable #6539
• Do not try to display hovercards when logged out #6587

Features

• Display hovercards without aspect dropdown when logged out #6603
• Add media.ccc.de as a trusted oEmbed endpoint

• Fix XSS on profile pages
• Bump nokogiri to fix several libxml2 CVEs, see http://www.ubuntu.com/usn/usn-2834-1/

Bug fixes

• Redirect to sign in page when a background request fails with 401 #6496
• Correctly skip setting sidekiq logfile on Heroku #6500
• Fix notifications for interactions by non-contacts #6498
• Fix issue where the publisher was broken on profile pages #6503
• Prevent participations being created for invalid interactions #6552
• Improve federation for reshare related interactions #6481

Refactor

• Improve infinite scroll triggering #6451

Bug fixes

• Skip first getting started step if it looks done already #6456
• Normalize new followed tags and insert them alphabetically #6454
• Add avatar fallback for notification dropdown #6463
• Improve handling of j/k hotkeys #6462
• Fix JS error caused by hovercards 6480

Features

• Show spinner on initial stream load #6384
• Add new moderator role. Moderators can view and act on reported posts #6351
• Only post to the primary tumblr blog #6386
• Always show public photos on profile page #6398
• Expose Unicorn's pid option to our configuration system #6411
• Add stream of all public posts #6465
• Reload stream when clicking on already active one #6466
• Sign in user before evaluating post visibility #6490

Fix a leak of potentially private profile data to unauthorized users who were sharing with the person and on a pod that received that data.

Refactor

• Drop broken correlations from the admin pages #6223
• Extract PostService from PostsController #6208
• Drop outdated/unused mbp-respond.min.js and mbp-modernizr-custom.js #6257
• Refactor ApplicationController#after_sign_out_path_for #6258
• Extract StatusMessageService from StatusMessagesController #6280
• Refactor HomeController#toggle_mobile #6260
• Extract CommentService from CommentsController #6307
• Extract user/profile discovery into the diaspora_federation-rails gem #6310
• Refactor PostPresenter #6315
• Convert BackToTop to a backbone view #6279 and #6360
• Automatically follow the new HQ-Account #6369

Bug fixes

• Fix indentation and a link title on the default home page #6212
• Bring peeping Tom on the 404 page back #6226
• Fix mobile photos index page #6243
• Fix conversations view with no contacts #6266
• Links in the left sidebar are now clickable on full width #6267
• Guard against passing nil into person_image_tag #6286
• Prevent Handlebars from messing up indentation of pre tags #6339
• Fix pagination design on notifications page #6364

Features

• Implement NodeInfo #6239
• Display original author on reshares of NSFW posts #6270
• Use avatars in hovercards as links to the profile #6297
• Remove avatars of ignored users from stream faces #6320
• New /m route to force the mobile view #6354

Refactor

• Update perfect-scrollbar #6085
• Remove top margin for first heading in a post #6110
• Add link to pod statistics in right navigation #6117
• Update to Rails 4.2.3 #6140
• Refactor person related URL generation #6168
• Move webfinger and HCard generation out of the core and embed the diaspora_federation-rails gem #6151
• Refactor rspec tests to to use let instead of before blocks #6199
• Refactor tests for EXIF stripping #6183

Bug fixes

• Precompile facebox images #6105
• Fix wrong closing a-tag #6111
• Fix mobile more-button wording when there are less than 15 posts #6118
• Fix reappearing flash boxes during sign-in #6146
• Capitalize Wiki link #6193

Features

• Add configuration options for some debug logs #6090
• Send new users a welcome message from the podmin #6128
• Cleanup temporary upload files daily #6147
• Add guid to posts and comments in the user export #6185

diaspora* versions prior 0.5.1.2 leaked potentially private profile data (namely the bio, birthday, gender and location fields) to unauthorized users. While the frontend properly hid them, the backend missed a check to not include them in responses.

0.5.1.1

Update rails to 4.2.2, rack to 1.6.2 and jquery-rails to 4.0.4. This fixes

• CVE-2015-3226
• CVE-2015-3227
• CVE-2015-1840
• CVE-2015-3225

Refactor

• Use Bootstrap modal for new aspect pane #5850
• Use asset helper instead of .css.erb #5886
• Dropped db/seeds.rb #5896
• Drop broken install scripts #5907
• Improve invoking mobile site in the testsuite #5915
• Do not retry a couple of unrecoverable job failures #5938 #5942
• Remove some old temporary workarounds #5964
• Remove unused hasPhotos and hasText functions #5969
• Replace foreman with eye #5966
• Improved handling of reshares with deleted roots #5968
• Remove two unused methods #5970
• Refactored the Logger to add basic logrotating and more useful timestamps #5975
• Gracefully handle mailer failures if a like is already deleted again #5983
• Ensure posts have an author #5986
• Improve the logging messages of Sidekiq messages #5988
• Improve the logging of Eyes output #5989
• Gracefully handle XML parse errors within federation #5991
• Remove zip-zip workaround gem #6001
• Cleanup and reorganize image assets #6004
• Replace vendored assets for facebox by gem #6005
• Improve styling of horizontal ruler in posts #6016
• Increase post titles length to 50 and use configured pod name as title in the atom feed #6020
• Remove deprecated Facebook permissions #6019
• Make used post title lengths more consistent #6022
• Improved logging source #6041
• Gracefully handle duplicate entry while receiving share-visibility in parallel #6068
• Update twitter gem to get rid of deprecation warnings #6083
• Refactor photos federation to get rid of some hacks #6082

Bug fixes

• Disable auto follow back on aspect deletion #5846
• Fix only sharing flag for contacts that are receiving #5848
• Return 406 when requesting a JSON representation of people/:guid/contacts #5849
• Hide manage services link in the publisher on certain pages #5854
• Fix notification mails for limited posts #5877
• Fix medium and small avatar URLs when using Camo #5883
• Improve output of script/server #5885
• Fix CSS for bold links #5887
• Correctly handle IE8 in the chrome frame middleware #5878
• Fix code reloading for PostPresenter #5888
• Fix closing account from mobile view #5913
• Allow using common custom template for desktop & mobile landing page #5915
• Use correct branding in Atom feed #5929
• Update the configurate gem to avoid issues by missed missing settings keys #5934
• ContactPresenter#full_hash_with_person did not contain relationship information #5936
• Fix inactive user removal not respecting configuration for daily limits #5953
• Fix missing localization of inactive user removal warning emails #5950
• Fix fetching for public post while Webfingering #5958
• Handle empty searchable in HCard gracefully #5962
• Fix a freeze in new post parsing #5965
• Add case insensitive unconfirmed email addresses as authentication key #5967
• Fix liking on single post views when accessed via GUID #5978
• Only return the current_users participation for post interactions #6007
• Fix tag rendering in emails #6009
• Fix the logo in emails #6013
• Disable autocorrect for username on mobile sign in #6028
• Fix broken default avatars in the database #6014
• Only strip text direction codepoints around hashtags #6067
• Fix selected week on admin weekly stats page #6079
• Fix that some unread conversations may be hidden #6060
• Fix photo links in the mobile interface #6082

Features

• Hide post title of limited post in comment notification email #5843
• More and better environment checks in script/server #5891
• Enable aspect sorting again #5559
• Submit messages in conversations with Ctrl+Enter #5910
• Support syntax highlighting for fenced code blocks #5908
• Added link to diasporafoundation.org to invitation email #5893
• Gracefully handle missing og:urls #5926
• Remove private post content from "also commented" mails #5931
• Add a button to follow/unfollow tags to the mobile interface #5941
• Add a "Manage followed tags" page to mass unfollow tags in the mobile interface #5945
• Add popover/tooltip about email visibility to registration/settings page #5956
• Fetch person posts on sharing request #5960
• Introduce 'authorized' configuration option for services #5985
• Added configuration options for log rotating #5994

Use the correct setting for captcha length instead of defaulting to 1 always.