---
fixes:
  - |
    CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS via
    the message-id field. A malicious user could send a patch with a
    Message-ID that included a script tag. Because of the quirks of the
    email RFCs, such a Message-ID can survive being sent through many mail
    systems, including Gmail, and be parsed and stored by Patchwork. When a
    user viewed the patch detail page for a patch with this Message-ID, the
    script would run in their browser. This is fixed by properly escaping
    the field before it is rendered.
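The fix described above is output escaping at render time. The following is an added example, not Patchwork's own code: it contrasts the unescaped rendering pattern with the escaped one, provides a regression check that no raw tag survives in the rendered cell, and includes a small scan helper a Patchwork operator could run over stored Message-IDs to find ones carrying markup characters. The sample Message-ID, the function names and the `<td class="msgid">` wrapper are all constructed for this example and are not taken from the project.

```python
"""Escaping a Message-ID before rendering (added example, not Patchwork code)."""
import html
import re

# Constructed sample (not from the advisory): RFC 5322 lets the local part of
# a Message-ID be a quoted-string, so characters such as '<', '>' and '"'
# can travel through mail systems unchanged and reach the web tier intact.
MALFORMED_MSGID = '<"<script>alert(1)</script>"@example.org>'
# Constructed benign sample in the usual dotted form.
BENIGN_MSGID = '<20190701.123456.abc@example.org>'

CELL_OPEN = '<td class="msgid">'   # hypothetical template fragment
CELL_CLOSE = '</td>'


def render_unescaped(msgid: str) -> str:
    """Pre-fix pattern: the header value is concatenated straight into HTML."""
    return CELL_OPEN + msgid + CELL_CLOSE


def render_escaped(msgid: str) -> str:
    """Fixed pattern: escape &, <, >, " and ' before the value reaches HTML.

    Django's template autoescaping performs the same substitution; the
    standard-library html.escape is used here so the example runs offline.
    """
    return CELL_OPEN + html.escape(msgid, quote=True) + CELL_CLOSE


# Matches the start of an HTML tag: '<', optional '/', then a tag name.
_TAG_START = re.compile(r'<\s*/?\s*[a-z][a-z0-9-]*', re.I)


def has_raw_markup(rendered_cell: str) -> bool:
    """Regression check: does the cell's inner text still contain a raw tag?

    Strips the known wrapper and looks for an unescaped tag start inside.
    Angle brackets around a plain ID (e.g. '<2019...>') are not tags because
    a tag name must begin with a letter.
    """
    inner = rendered_cell[len(CELL_OPEN):-len(CELL_CLOSE)]
    return _TAG_START.search(inner) is not None


def msgid_looks_suspicious(msgid: str) -> bool:
    """Flag a stored Message-ID whose interior carries markup characters.

    A well-formed ID is '<' id-left '@' id-right '>' with no further '<', '>'
    or quote characters inside, so their presence is worth a look when
    reviewing data ingested before the escaping fix was deployed.
    """
    body = msgid.strip()
    if body.startswith('<') and body.endswith('>'):
        body = body[1:-1]
    return any(c in body for c in '<>"\'')


if __name__ == '__main__':
    for label, msgid in (('malformed', MALFORMED_MSGID), ('benign', BENIGN_MSGID)):
        print(label, 'unescaped raw tag:', has_raw_markup(render_unescaped(msgid)))
        print(label, 'escaped raw tag:  ', has_raw_markup(render_escaped(msgid)))
        print(label, 'suspicious stored id:', msgid_looks_suspicious(msgid))
```

Running the module prints the check results for both samples; the escaped rendering of the malformed ID becomes `&lt;&quot;&lt;script&gt;alert(1)&lt;/script&gt;&quot;@example.org&gt;`, which a browser displays literally rather than executing, and `html.unescape` recovers the original value unchanged, so the fix loses no information.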