1.15.2 Unstable

This is a bugfix release. It provides an important stability fix regarding feed parsing.
Kudos to Rich Coe for debugging and fixing the issue!

Changes

    * Fixes #1291: Feed parsing is broken
      (Rich Coe)

1.15.1 Unstable

This is a new feature release. It introduces the long awaited switch to libsoup3 and libwebkit2gtk-4.1.
Thanks to many testers helping testing the latest code from git some errors were ironed out already.
Still there is an issue remaining where feed updates are getting stuck when updating while DNS resolution/Wifi/network... fails. Please comment if you also experience this issue!

Also noteworthy is a simplification of the debug handling which removes three CLI parameters
--debug-performance, --debug-trace and --debug-verbose.

Changes

    * Update to libsoup3 and libwebkit2gtk-4.1
      (Lars Windolf)

    * Fixes #1285: HTTP 304 incorrectly caused error state
      (Rich Coe)

    * Fixes #1272: Crash on moving feed into new folder
      (Lars Windolf, reported by Jakub T. Jankiewicz)

    * Fixes #1262: Plugin installer: duplicate punctuation
      (Christian Stadelmann)

    * Fixes #1250: Incorrect item_id when downloading AMP URLs
      (Alexandre Erwin Ittner)

    * Fixes #1248: Can't maximize for reading feeds
      (Lars Windolf)

    * Fixes #1242: Dropping not-functioning Pocket bookmark URL
      (Lars Windolf)

    * Fixes #1241: Dropping not-functioning identi.ca bookmark URL
      (Lars Windolf)

    * Fixes #1240: TypeError on add-bookmark-site preferences
      (Lucidiot)

    * Many fixes for static code analysis warnings
      (Lars Windolf)

    * Simplified debug handling. Drop --debug-performance
      --debug-trace and --debug-verbose CLI parameters.

    * Removed stale Deutsche Welle Brasil feed from pt-BR default feed list
      (Alexandre Erwin Ittner)

    * Updated appdata description and summary
      (bbhtt)

    * Add Russian user documentation (slichtzzz)
    * Updated Czech translation (Amerey)
    * Updated Brazilian Portugese translation (Fúlvio Alves)

1.14.6 Stable

This is a bugfix release for 1.14. Please upgrade!

Changes

    * Fixes #1272: crash when moving feed to empty folder
      (reported by Jakub T. Jankiewicz)

    * Fixes #1198: FreshRSS logging in correctly but can't get posts
      (reported by Roger Gonzalez)

    * Fixes #1248 Can’t maximize for reading feeds
      (reported by ksso83)

1.15.0 Unstable

This is the first release of the new unstable line 1.15. The current idea is to release a bit
faster than every two years. So not so much features will be introduced before 1.16

Changes

    * Fixes #1217, #1224: Endless recursion in 1.14.3
      (reported by uduecoder, mokraemer)

    * Fixes #1214: crash in conf_get_bool_value_from_schema
      (mozbugbox, reported by Mikel Olasagasti)

    * Fixes #1215: failed to build in launchpad PPA due to
      auto_test permission issue (reported by PandaJim)

    * Fixes #1212: 1.14.1 crash when refreshing feeds.
      (mozbugbox, reported by Froggy232)

    * Fixes #1198: FreshRSS logging in correctly but can't get posts
      (reported by Roger Gonzalez)

    * Fixes a memory leak when reloading CSS
      (Lars Windolf)

    * Fixes CVE-2023-1350: RCE vulnerability on feed enrichment
      (patch by Alexander Erwin Ittner)

    * Fixes #1200: Crash on double free
      (mozbugbox)

    * Improve #1192 be reordering widget creation order
      (Lars Windolf)

    * Improvements to the libnotify plugin
      (Tasos Sahanidis)

    * Fixes a g_object_unref warning on shutdown
    * Drops a debug output in the plugin installer
    * Drop webkit inspector from installable plugins in favour of --debug-html
    * Drop pane plugin from default plugins
    * Drop pane plugin (old workaround for pane issues)

1.14.5 Stable

This is another stabilizitation release for 1.14. I'm cautiously optimistic that we have solved most of the instabilities now :-)

Changes

    * Dropping tray icon plugin from list of per-default activated plugins

    * Fixes #1127: corrupted double-linked list
      (reported by Paul Gevers)

    * Fixes #1229: assertion when deleting feeds too quickly
      (reported by Tasos Sahanidis)

    * Fixing format and cast errors (#1223)
      (reported by Paul Gevers)

1.14.4 Stable

1.14 is not as stable yet as intended and is suffering from startup race conditions. This bugfix release tries to further eliminate those issues.

Changes

    * Fixes #1217, #1224: Endless recursion in 1.14.3
      (reported by uduecoder, mokraemer)

    * Additional fixes for #1214: crash in conf_get_bool_value_from_schema
      (reported by Mikel Olasagasti)

    * Fixes a g_object_unref warning on shutdown
    * Drops a debug output in the plugin installer

1.14.3 Stable

This is another 1.14 bugfix release to address a crash affecting some users and a build issue when running tests.

Changes

    * Fixes #1214: crash in conf_get_bool_value_from_schema
      (mozbugbox, reported by Mikel Olasagasti)

    * Fixes #1215: failed to build in launchpad PPA due to
      auto_test permission issue (reported by PandaJim)

1.14.2 Stable

This is a stability fix for 1.14.1. The fix of CVE-2023-1350 in 1.14.1 did contain a memory error that leads to crashes. Sorry about that. Please upgrade to avoid the problem!

Changes

    * Fixes #1212: 1.14.1 crash when refreshing feeds.
      (mozbugbox, reported by Froggy232)

    * Fixes a memory leak when reloading CSS
      (Lars Windolf)

1.14.1 Stable

This is an important security fix for 1.14. Please upgrade!

CVE-2023-1350 Remote code execution on feed enrichment

If you have enabled "Extract full content from HTML5 and Google AMP" for one or
more of your feed subscriptions it is possible for a an attacker to inject a script command
that would run any command on your system.

Upgrading to 1.14.1 solves this security problem.

If you cannot upgrade disable "Extract full content from HTML5 and Google AMP" for all
of you feeds. This can be done in the feed properties dialog,

If you have many feeds you might want to do this automatically:

1. Close Liferea
2. Open ~/.config/liferea/feedlist.opml in an editor
3. Replace all occurences of html5Extract="true" with an empty string

Changes

    * Fixes CVE-2023-1350: RCE vulnerability on feed enrichment
      (patch by Alexander Erwin Ittner)

    * Fixes #1200: Crash on double free
      (mozbugbox)

    * Improve #1192 be reordering widget creation order
      (Lars Windolf)

1.12.10 Stable

This is an important security fix for 1.12. Please upgrade!

CVE-2023-1350 Remote code execution on feed enrichment

If you have enabled "Extract full content from HTML5 and Google AMP" for one or
more of your feed subscriptions it is possible for a an attacker to inject a script command
that would run any command on your system.

Upgrading to 1.12.10 or 1.14.1 solves this security problem.

If you cannot upgrade disable "Extract full content from HTML5 and Google AMP" for all
of you feeds. This can be done in the feed properties dialog,

If you have many feeds you might want to do this automatically:

1. Close Liferea
2. Open ~/.config/liferea/feedlist.opml in an editor
3. Replace all occurences of html5Extract="true" with an empty string

Changes

    * Fixes CVE-2023-1350: RCE vulnerability on feed enrichment
      (patch by Alexander Erwin Ittner)