summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--docs/dev/openapi.yml2
-rw-r--r--package.json2
-rw-r--r--public/docs/release-notes.md8
3 files changed, 10 insertions, 2 deletions
diff --git a/docs/dev/openapi.yml b/docs/dev/openapi.yml
index 8bb7f255..c5de475c 100644
--- a/docs/dev/openapi.yml
+++ b/docs/dev/openapi.yml
@@ -3,7 +3,7 @@ openapi: 3.0.1
info:
title: HedgeDoc
description: HedgeDoc is an open source collaborative note editor. Several tasks of HedgeDoc can be automated through this API.
- version: 1.7.0
+ version: 1.7.1
contact:
name: HedgeDoc on GitHub
url: https://github.com/hedgedoc/hedgedoc
diff --git a/package.json b/package.json
index ae234182..3e8046bb 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "HedgeDoc",
- "version": "1.7.0",
+ "version": "1.7.1",
"description": "The best platform to write and share markdown.",
"main": "app.js",
"license": "AGPL-3.0",
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index 6d31b8ff..9b2effde 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -1,4 +1,12 @@
# Release Notes
+## <i class="fa fa-tag"></i> 1.7.1 <i class="fa fa-calendar-o"></i> 2020-12-27
+This release fixes two security issues. We recommend upgrading as soon as possible.
+### Security Fixes
+- [CVE-2020-26286: Arbitrary file upload](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc)
+ An unauthenticated attacker can upload arbitrary files to the upload storage backend.
+- [CVE-2020-26287: Stored XSS in mermaid diagrams](https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p)
+ An attacker can inject arbitrary script tags in HedgeDoc notes using mermaid diagrams.
+
## <i class="fa fa-tag"></i> 1.7.0 <i class="fa fa-calendar-o"></i> 2020-12-21