docs: Add a release note for CVE-2019-13122

author Daniel Axtens <dja@axtens.net>

Fri, 5 Jul 2019 05:21:26 +0000 (15:21 +1000)

committer Daniel Axtens <dja@axtens.net>

Fri, 5 Jul 2019 05:37:27 +0000 (15:37 +1000)
author Daniel Axtens <dja@axtens.net>
Fri, 5 Jul 2019 05:21:26 +0000 (15:21 +1000)
committer Daniel Axtens <dja@axtens.net>
Fri, 5 Jul 2019 05:37:27 +0000 (15:37 +1000)
diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml

new file mode 100644 (file)

index 0000000..48afac0
--- /dev/null
+++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS
+    via the message-id field. A malicious user could send a patch with
+    a message ID that included a script tag. Because of the quirks of
+    the email RFCs, such a message ID can survive being sent through
+    many mail systems, including Gmail, and be parsed and stored by
+    Patchwork. When a user viewed a patch detail page for the patch
+    with this message id, the script would be run. This is fixed by
+    properly escaping the field before it is rendered.
+\ No newline at end of file
author	Daniel Axtens <dja@axtens.net>
	Fri, 5 Jul 2019 05:21:26 +0000 (15:21 +1000)
committer	Daniel Axtens <dja@axtens.net>
	Fri, 5 Jul 2019 05:37:27 +0000 (15:37 +1000)