chore: release notes from #11514 & #11515 backports

release-notes/11514.md

@@ -0,0 +1,7 @@
+- fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm
+- fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant
+- fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
+- fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users
+- fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references
+- fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
+- fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects

release-notes/11515.md

@@ -0,0 +1,7 @@
+- fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm
+- fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant
+- fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
+- fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users
+- fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references
+- fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
+- fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects