docs: Add a release note for CVE-2019-13122

Signed-off-by: Daniel Axtens <dja@axtens.net>
author: Daniel Axtens <dja@axtens.net> 2019-07-05 15:21:26 +1000
committer: Daniel Axtens <dja@axtens.net> 2019-07-05 15:36:18 +1000
commit: f48179f6368982fdeb7f2dfb515f1972d86b0991 (patch)
tree: 29ecb4f2981801e064a795e80fc6c13e4edbe9de /releasenotes
parent: b3fa0c402e060622a5ed539a465d2fa98b1d2e13 (diff)
download: patchwork-f48179f6368982fdeb7f2dfb515f1972d86b0991.tar
patchwork-f48179f6368982fdeb7f2dfb515f1972d86b0991.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
new file mode 100644
index 0000000..48afac0
--- /dev/null
+++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
@@ -0,0 +1,11 @@
+---
+fixes:
+  - |
+    CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS
+    via the message-id field. A malicious user could send a patch with
+    a message ID that included a script tag. Because of the quirks of
+    the email RFCs, such a message ID can survive being sent through
+    many mail systems, including Gmail, and be parsed and stored by
+    Patchwork. When a user viewed a patch detail page for the patch
+    with this message id, the script would be run. This is fixed by
+    properly escaping the field before it is rendered.
+\ No newline at end of file
author	Daniel Axtens <dja@axtens.net>	2019-07-05 15:21:26 +1000
committer	Daniel Axtens <dja@axtens.net>	2019-07-05 15:36:18 +1000
commit	f48179f6368982fdeb7f2dfb515f1972d86b0991 (patch)
tree	29ecb4f2981801e064a795e80fc6c13e4edbe9de /releasenotes
parent	b3fa0c402e060622a5ed539a465d2fa98b1d2e13 (diff)
download	patchwork-f48179f6368982fdeb7f2dfb515f1972d86b0991.tar patchwork-f48179f6368982fdeb7f2dfb515f1972d86b0991.tar.gz