Releases: lwindolf/liferea
2.0-RC4
This is another security bugfix release. Please upgrade!
Give feedback!
If you are testing this 2.0 release candidate please give feedback in the Github discussion
created for this release: https://github.com/lwindolf/liferea/discussions
Changes
* Fixes a RCE vulnerability when importing OPML files containing
script commands. Now script commands from untrusted OPML files are
always dropped.
(reported by Laurence Tennant)
* Fixes a RCE vulnerability in the download manager plugin where
a command could have been injected into file paths.
(reported by Laurence Tennant)
* Fixes #1519: fatal errors on unsupported URI schemes
(Lars Windolf)
* Fixes #1533: missing refresh of feed info after updates
(Lars Windolf)
* Fixes regression when adding newsbins
(Lars Windolf)
* Improved handling for image loading, overly large images (e.g.
from HTML scraping) are now shrunk to their effective size.
(Lars Windolf)
* Do not show "0" for news bin count, when "show total count" is enabled
(Lars Windolf)
1.16.12
This is a security bugfix release. Please upgrade!
Changes
* Fixes a RCE vulnerability when importing OPML files containing
script commands. Now script commands from untrusted OPML files are
always dropped.
(reported by Laurence Tennant)
* Fixes a RCE vulnerability in the download manager plugin where
a command could have been injected into file paths.
(reported by Laurence Tennant)
2.0-RC3
This is a bugfix release fixing release blockers for 2.0.
Changes
* Fixes a long-standing security bug that caused unencrypted connection
when fetching feed content from Reedah and TheOldReader. Please upgrade
and change your Reedah / TheOldReader password afterwards!
(Lars Windolf)
* Fixes #1529: small memory leak in parser initialization
(Lars Windolf)
* Fixes #1528: TinyTinyRSS not working anymore due to Content-Encoding
header not indicating JSON
(Lars Windolf)
* Fixes #1524: mark all read dialog broken
(Lars Windolf)
* Fixes #1523: replace outdated feedburner URL in default feed list OPML
(Lars Windolf)
* Dialogs converted to libadwaita: rename, reedah_source, google_source
(Lars Windolf)
* Drop old migration code for 1.4-1.8 versions
(Lars Windolf)
* Improved enclosure handling: when using images a large one matching the window
width will be used (previously sometimes the smallest one was selected due to
not checking sizes)
(Lars Windolf)
1.16.11
This is a security bugfix.
Please urgently upgrade if you use Liferea with Reedah or TheOldReader sync!
If you use TinyTinyRSS sync please upgrade to fix a synching issue.
Security Issue with Reedah + TheOldReader sync support
Sadly there is a long-standing security bug causing unencrypted connections when fetching
feed content for those two backends. When doing such requests via http:// your auth token
got exposed and could allow malicious 3rd parties to manipulate your Reedah / TheOldReader
accounts.
Note: the login request itself (including) your password was not affected, still I advise to
- upgrade to the newest Liferea release 1.16.11 or 2.0-RC3
- verify your Reedah / TheOldReader subscriptions
- change your Reedah / TheOldReader password just to be safe
Changes
* Fixes a long-standing security bug that caused unencrypted connection
when fetching feed content from Reedah and TheOldReader. Please upgrade
and change your Reedah / TheOldReader password afterwards!
(Lars Windolf)
* Fixes #1528: TinyTinyRSS not working anymore due to Content-Encoding
header not indicating JSON
(Lars Windolf)
* Fixes #1523: replace outdated feedburner URL in default feed list OPML
(Lars Windolf)
2.0-RC2
This is the 2nd 2.0 release candidate. Thank you for reporting problems.
This release further reduces deprecation warning and fixes functional problems
as well as an important bug in the update handling. Please leave comments in
the Github discussion for this release.
Open TODOs for final 2.0
Right now there are quite some issues left for a 2.0 release mostly critical and
fatal log messages during update handling and in some dialogs (#1519).
Changes
* Fixes #1515: Ctrl-R does not work
(Lars Windolf)
* Fixes #1514: Internal browser URL submit broken
(Lars Windolf)
* Fixes #1510: <media:content> images are not displayer
(Lars Windolf)
* Fixes #1508: Duplicate favicon fetch
(Lars Windolf)
* Fixes a lot of deprecations in GTK, libxml2
(Lars Windolf)
* Fixes broken update state persistence that causes unnecessary
feed updates. Documents compliance with feed reader requirements
https://rachelbythebay.com/frb/ in net.c
(Lars Windolf)
* Add new feature to make search folders show the total count
instead of the unread count. This is useful for example with the
"Important" search folder.
(Lars Windolf)
* Add Georgian translation
(Ekaterine Papava)
1.16.10
This is a new maintenance release for 1.16 backporting some fixes from 2.0-RC2
Changes
* Fixes #1516: glib >= 2.86 required
(Lars Windolf)
* Fixes #1508: Duplicate favicon fetch
(Lars Windolf)
* Fixes update state persistence that caused unnecessary feed updates.
(Lars Windolf)
2.0-RC1
This is the first release candidate for the new 2.0 release line that contains the GTK4 port of Liferea.
Migration from 1.x
Migration from 1.14/1.16 to 2.0 is supported and should be seamless. The database schema is compatible
with 1.16 so you can fall back to 1.16 at any time if you encounter problems.
Removed features
Major porting efforts always have some side-effects with features being lost. Despite this rather
large refactoring almost all features stay as they are with the following exceptions:
- Dropped menu bar in favour of a header bar
- Dropped support for girepository-1.0
- Removed status bar in favour of raising toasts
- Trayicon plugin was removed as incompatible with GTK4
Known issues
This entirely new code base has still some issues:
- Item/feed list popup menus show overflow
- Some dialogs sometimes freeze
Please help with testing and report any bugs you discover!
Changes
* Build system switched from autotools to meson. Tarballs are now .tar.xz
(Lars Windolf)
* All message dialogs and auth dialog are now modal.
(Lars Windolf)
* Source UI definitions are now provided by a Cambalache 1.0 workflow, single source
of truth for all .ui files is liferea.cmb
(Lars Windolf)
* Ported code base to GTK4. Note that the port is a minimal port, a lot of
GTK4 deprecated widgets (like GtkTreeView) are still in use. Those will be
replaced over time.
(Lars Windolf)
* New dependency libadwaita, some dialogs are already implemented as AdwDialog
and AdwAlertDialog more will follow.
(Lars Windolf)
* Removed HTML shortcut documentation in favour of GtkShortCutsWindow
Also changed hotkey F1 to point a shortcuts
(Lars Windolf)
* Changed simple search from a dialog to a search bar
(Lars Windolf)
1.16.9
This is a bugfix release for 1.16. If you use online accounts (TinyTinyRSS, Miniflux, FreshRSS... )
with Liferea please upgrade.
Changes
* Fixes a regression that breaks using online accounts
(Lars Windolf)
* Fixes a regression when subscribing to local files
(Lars Windolf)
* Fixes some memory leaks
(Lars Windolf)
1.16.8
This is a new stable Liferea 1.16 release with several improvements and bugfixes
Performance Bugfix
The 1.16.7 change to the feed updating did make it faster, but some code paths did unintentionally
block the GUI. This could lead to UI freezes on initial updating.
This should now be improved significantly. If you still experience long freezes please open an issue!
More customizing
If you really dislike or miss something with the rendering Liferea does, you now can with
a little bit of Javascript skill modify the rendering. There is a pre-render and a post-render
hook were you can modify data before rendering or extend/modify/remove the rendering
after the default rendering happens.
The hook boiler-plate is prepared in ~/.config/liferea/user.js
// This is a JS hook that allows you to hack the Liferea rendering
//
// It is invoked by the htmlview.js rendering scripting and provides you
// with hooks one to modify the data before rendering and one to modify
// or enhance the rendering after it is done.
// hooks to modify item info rendering
window.hookPreItemRendering = (data) => {
return data;
};
window.hookPostItemRendering = () => {
// Modify DOM as you like
};
// hooks to modify node info rendering
window.hookPreNodeRendering = (data) => {
return data;
};
window.hookPostNodeRendering = () => {
// Modify DOM as you like
};
Better contrast
Jeff Fortin suggested to be more bold with contrast and now Liferea is. Light theme
contrast has been increased significantly and dark contrast has been lowered a bit.
Added Blogroll support
Long ago Liferea already had support for the userland originated "blogchannel" namespace.
This RSS module did not get traction back then and for many years there was no way for a
feed to indicate the blogroll of the author. With the new "source" namespace (https://source.scripting.com/)
defined by Dave Winer there is again a way to put your blogroll into your feed.
Liferea now fetches the OPML automatically and presents you the blogroll when you click
the feed.
Additionally Liferea also detects blogrolls defined (via <link rel="blogroll"> in the HTML of the feeds
homepage when initially subscribing to a feed. The rss-feed-index crawler which is the source of
the "Discover feeds" feature in Liferea found over 900 OPML subscription lists out there, so it might
well be that feeds you subscribe to will have a blogroll to show.
If you have blog with an OPML blogroll and do not yet have either a <link rel="blogroll"> tag in your
HTML or a <source:blogroll> tag in your feed please add it to make it easier for other users to automatically
find your OPML!
Changes
* Reimplements category display, improves metadata display by
displaying all in a wrapped line to optimize vertical space usage
* Add a new user.js which is automatically installed to ~/.config/liferea/user.js
that provides hooks for data and rendering manipulation.
(Lars Windolf)
* #1490: Add blogroll support. For feeds with <source:blogroll> element or homepages
with <link rel="blogroll"> blogroll URLs are detected and the blogroll is downloaded
and shown in the feed view.
(Lars Windolf)
* Change "Discover Feeds" to open in external browser. Due to
rss-finder using ESM and Webkit enforcing CORS for ESM and
Cloudflares corsproxy.io now not available anymore there is no
easy and secure way to simply embed it.
(Lars Windolf)
* Security updates for JS modules
(Lars Windolf)
* Fixes #1494: Better contrast in light mode, a bit less in dark mode
(Lars Windolf)
* Fixes #1482: Extraneous white space in item header
(Lars Windolf)
* Fixes #1481: Updating feeds satuarates the main look making
interaction difficult
(Lars Windolf)
* Fixes a memory leak when loading subscription metadata
(Lars Windolf)
* Update of Spanish translation
(Cristian Othón Martínez Vera)
1.16.7
This is a new bugfix release. Due to further enshittification at Youtube the video embedding
had to be removed, which is probably a good idea anyway. A bug in the favicon handling was
solved so if you had some missing ones they will surely show up now. There was a visual
improvement to the "Important" label coloring and finally BlueSky feeds will now show a link
to the post, which they were missing due to having no titles (which normally have the link).
And last I want to wish everyone a Happy New Year 2026!
Changes
* Drop Youtube video embedding due to "error 153" and the general
privacy implications
(Lars Windolf)
* Fixes #805: use white on red instead of black on red for
item list "Important" label
(Lars Windolf)
* Fixes #1478: No favicons for several feeds
(Lars Windolf)
* Fixes #1477: bsky.app links not being used
(Lars Windolf)
* Fixes #1480: Extract item content is sometimes unexpectedly colored
(Lars Windolf)