From 142a47cbbc40d93513dd9ef1efe35c3e0f9efda6 Mon Sep 17 00:00:00 2001
From: Richard Hansen
Date: Sun, 28 Nov 2021 16:57:38 -0500
Subject: [PATCH] Release v1.8.16

---
 CHANGELOG.md | 22 ++++++++++++++++++++++
 src/package-lock.json | 2 +-
 src/package.json | 2 +-
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 777571bdd..450f8e616 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,25 @@
+# 1.8.16
+
+### Security fixes
+
+If you cannot upgrade to v1.8.16 for some reason, you are encouraged to try
+cherry-picking the fixes to the version you are running:
+
+```shell
+git cherry-pick b7065eb9a0ec..77bcb507b30e
+```
+
+* Maliciously crafted `.etherpad` files can no longer overwrite arbitrary
+ non-pad database records when imported.
+* Imported `.etherpad` files are now subject to numerous consistency checks
+ before any records are written to the database. This should help avoid
+ denial-of-service attacks via imports of malformed `.etherpad` files.
+
+### Notable enhancements and fixes
+
+* Fixed several `.etherpad` import bugs.
+* Improved support for large `.etherpad` imports.
+
 # 1.8.15
 
 ### Security fixes
diff --git a/src/package-lock.json b/src/package-lock.json
index bccb0f8c0..79539bf9c 100644
--- a/src/package-lock.json
+++ b/src/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "ep_etherpad-lite",
- "version": "1.8.15",
+ "version": "1.8.16",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/src/package.json b/src/package.json
index 90ac13b36..349810915 100644
--- a/src/package.json
+++ b/src/package.json
@@ -246,6 +246,6 @@
 "test": "mocha --timeout 120000 --recursive tests/backend/specs ../node_modules/ep_*/static/tests/backend/specs",
 "test-container": "mocha --timeout 5000 tests/container/specs/api"
 },
- "version": "1.8.15",
+ "version": "1.8.16",
 "license": "Apache-2.0"
 }