Docs: adding release notes for 3.1.15
authorJane Sandberg <sandbej@linnbenton.edu>
Wed, 18 Sep 2019 03:48:13 +0000 (20:48 -0700)
committerGalen Charlton <gmc@equinoxinitiative.org>
Thu, 19 Sep 2019 19:31:33 +0000 (15:31 -0400)
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
docs/RELEASE_NOTES_3_1.adoc

index a136370..133158f 100644 (file)
@@ -3,6 +3,74 @@ Evergreen 3.1 Release Notes
 :toc:
 :numbered:
 
+Evergreen 3.1.15
+----------------
+This release is a security release that fixes cross-site scripting
+(XSS) vulnerabilities in the Evergreen public catalog. This release
+also includes several other bugfixes improving on Evergreen 3.1.14.
+
+Security Issue: XSS Vulnerability in Public Catalog
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+This release fixes several cross-site scripting (XSS) vulnerabilities
+in the public catalog. When upgrading, Evergreen administrators should
+review whether any of the following templates have been customized
+or overridden. If so, either the template should be replaced with the
+stock version or the XSS fix (which entails adding the `| html` filter
+in several places) applied to the customized version.
+
+ * `Open-ILS/src/templates/opac/browse.tt2`
+ * `Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2`
+ * `Open-ILS/src/templates/opac/parts/header.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold.tt2`
+ * `Open-ILS/src/templates/opac/parts/place_hold_result.tt2`
+ * `Open-ILS/src/templates/opac/parts/result/adv_filter.tt2`
+
+They should also review the following templates.  If these templates have
+been customized or overridden, either the template should be replaced with
+the stock version or the XSS fix (which entails adding `rel="nofollow` to
+external links) applied to the customized version.
+
+* `Open-ILS/src/templates/opac/parts/record/summary.tt2`
+* `Open-ILS/src/templates/opac/parts/result/table.tt2`
+
+
+Other Bugfixes
+~~~~~~~~~~~~~~
+Evergreen 3.1.15 also includes the following changes:
+
+Circulation
+^^^^^^^^^^^
+
+* Default hold transit slips no longer include patron's personal
+information (https://bugs.launchpad.net/evergreen/+bug/1735847[Bug 1735847])
+* Fixes an issue with the reshelving process
+(https://bugs.launchpad.net/evergreen/+bug/1018011[Bug 1018011])
+
+Reports
+^^^^^^^
+
+* Fixes issues related to cloning templates made in the XUL client
+(https://bugs.launchpad.net/evergreen/+bug/1796945[Bug 1796945])
+
+
+Acknowledgements
+~~~~~~~~~~~~~~~~
+We would like to thank the following individuals who contributed code,
+tests and documentation patches to the 3.1.15 security release of
+Evergreen:
+
+* Thomas Berezansky
+* Jason Boyer
+* Jeff Davis
+* Blake Graham-Henderson
+* Andrea Buntz Neiman
+* Debbie Luchenbill
+* Jane Sandberg
+* Chris Sharp
+* Jason Stephenson
+* Dan Wells
+
+
 Evergreen 3.1.14
 ----------------