author David Mehren 2020-12-27 20:53:39 +0100
committer David Mehren 2020-12-27 20:54:39 +0100
commit 7d2c433b1bb1ec31ccabfdba148d414b3c4cf711
tree 4e80471a8797bf9334c3065d5e306fae31fe2a3a /public
parent 591f0c10f0efdac46ba7455a554b024fb0fa84e8
Bump version to 1.7.1
Signed-off-by: David Mehren <git@herrmehren.de>
Diffstat (limited to '')
-rw-r--r-- public/docs/release-notes.md 8
1 files changed, 8 insertions, 0 deletions
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 6d31b8ff..9b2effde 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -1,4 +1,12 @@
# Release Notes
+## <i class="fa fa-tag"></i> 1.7.1 <i class="fa fa-calendar-o"></i> 2020-12-27
+This release fixes two security issues. We recommend upgrading as soon as possible.
+### Security Fixes
+- [CVE-2020-26286: Arbitrary file upload](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc)
+ An unauthenticated attacker can upload arbitrary files to the upload storage backend.
+- [CVE-2020-26287: Stored XSS in mermaid diagrams](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p)
+ An attacker can inject arbitrary script tags in HedgeDoc notes using mermaid diagrams.
+
## <i class="fa fa-tag"></i> 1.7.0 <i class="fa fa-calendar-o"></i> 2020-12-21
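Review bot: The two descriptions under "Security Fixes" (the lines beginning "An unauthenticated attacker can upload" and "An attacker can inject") are in the present tense, so read on their own they describe 1.7.1 as still affected. Suggest wording them as what earlier releases allowed, for example "Before 1.7.1, an unauthenticated attacker could upload arbitrary files to the upload storage backend." The entry also gives no affected version range and no note on whether operators need to do anything beyond upgrading, such as reviewing the upload storage for files placed there before the fix or checking existing notes for injected script tags. One sentence per item, or a pointer saying the linked advisories cover this, would let an administrator act from the release notes alone.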