Updated changelog

author Armin Ronacher <armin.ronacher@active-4.com>

Thu, 29 Dec 2016 13:14:44 +0000 (14:14 +0100)

committer Armin Ronacher <armin.ronacher@active-4.com>

Thu, 29 Dec 2016 13:14:44 +0000 (14:14 +0100)
author Armin Ronacher <armin.ronacher@active-4.com>
Thu, 29 Dec 2016 13:14:44 +0000 (14:14 +0100)
committer Armin Ronacher <armin.ronacher@active-4.com>
Thu, 29 Dec 2016 13:14:44 +0000 (14:14 +0100)
diff --git a/CHANGES b/CHANGES

index 4e5df26c9934f6ef11d3983f176e12446b46ef5f..e3e758204734ad283f1cb3a1f5fcc5d79b5e92ac 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,9 +4,12 @@ Jinja2 Changelog
  Version 2.8.1
  -------------
  
-(unreleased bugfix release)
+(bugfix release, released on December 29th 2016)
  
  - Fixed the `for_qs` flag for `urlencode`.
+- SECURITY: if the sandbox mode is used format expressions are now sandboxed
+  with the same rules as in Jinja.  This solves various information leakage
+  problems that can occur with format strings.
  
  Version 2.8
  -----------
author	Armin Ronacher <armin.ronacher@active-4.com>
	Thu, 29 Dec 2016 13:14:44 +0000 (14:14 +0100)
committer	Armin Ronacher <armin.ronacher@active-4.com>
	Thu, 29 Dec 2016 13:14:44 +0000 (14:14 +0100)