== Evergreen 3.8.3 ==
-This release contains bug fixes improving on Evergreen 3.8.2.
+This release contains bug fixes improving on Evergreen 3.8.2. This release includes
+fixes for two security bugs.
+
+=== Security Fixes ===
+
+==== Protect qtype CGI Parameter ====
+
+Malicious DoS attempts have been witnessed in the wild making use of
+the fact that Evergreen does not check the contents of the `qtype` CGI
+parameter. While these fail their intent, it would be better to
+simply drop such searches on the floor when they're seen.
+
+Evergreen will now confirm that the search class in the `qtype` parameter
+is valid, and that the remainder of the value is structured correctly,
+before processing the search request.
+
+This is https://bugs.launchpad.net/evergreen/+bug/1811685[Bug 1811685].
+
+==== Catalog Search Denial of Service Protection ====
+
+Here we add two ways to protect against denial of service attacks:
+
+ * Limit concurrent search requests per client IP address
+ ** This helps address issues of accidental spamming from a malfunctioning OPAC workstation, or web crawlers of various types. The limit is controlled by a global flag called *opac.max_concurrent_search.ip*. By default there is no limit set.
+ * Limit the global concurrent search requests for the same query
+ ** This helps address both simple and distributed DoS that send the same search request over and over. The limit is controlled by a global flag called *opac.max_concurrent_search.query*, and defaults to 20.
+
+When a limit is exceeded the client receives an HTTP 429 "Too many requests" response from the web server, and the connection is ended.
+
+This is https://bugs.launchpad.net/evergreen/+bug/1361782[Bug 1361782].
=== Upgrade notes ===
* https://bugs.launchpad.net/evergreen/+bug/2003707[Bug 2003707] - During upgrade, if you're running with `opensrf_core.xml` located anywhere other than `/openils/conf` in a single-tenant manner, make sure that `SYSCONFDIR` as set in `autogen.sh` matches what's set in the installed `Cronscript.pm`
+* https://bugs.launchpad.net/evergreen/+bug/1361782[Bug 1361782] includes a schema upgrade
=== Bug Fixes ===