From: Galen Charlton Date: Thu, 19 Sep 2019 19:38:23 +0000 (-0400) Subject: update 3.4 release notes for security bugfixes X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=195d44add76d4d02bbd752dd4f91dcc2a1bcda30;p=working%2FEvergreen.git update 3.4 release notes for security bugfixes NOTE: This section can be removed for 3.4-rc. Signed-off-by: Galen Charlton --- diff --git a/docs/RELEASE_NOTES_3_4.adoc b/docs/RELEASE_NOTES_3_4.adoc index 4e84393457..49b91b71ca 100644 --- a/docs/RELEASE_NOTES_3_4.adoc +++ b/docs/RELEASE_NOTES_3_4.adoc 
@@ -3,6 +3,37 @@ Evergreen 3.4 Release Notes :toc: :numbered: +Evergreen 3.4-beta2 +------------------- +The Evergreen 3.4-beta2 release includes security fixes for cross-site scripting +(XSS) vulnerabilities in the Evergreen public catalog. Testers of the Evergreen +3.4 beta 1 release are encouraged to install this release, which does not +include any database updates since the beta 1. + +Security Issue: XSS Vulnerability in Public Catalog +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This release fixes several cross-site scripting (XSS) vulnerabilities +in the public catalog. When upgrading, Evergreen administrators should +review whether any of the following templates have been customized +or overridden. If so, either the template should be replaced with the +stock version or the XSS fix (which entails adding the `| html` filter +in several places) applied to the customized version. + + * `Open-ILS/src/templates/opac/browse.tt2` + * `Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2` + * `Open-ILS/src/templates/opac/parts/header.tt2` + * `Open-ILS/src/templates/opac/parts/place_hold.tt2` + * `Open-ILS/src/templates/opac/parts/place_hold_result.tt2` + * `Open-ILS/src/templates/opac/parts/result/adv_filter.tt2` + +They should also review the following templates. If these templates have +been customized or overridden, either the template should be replaced with +the stock version or the XSS fix (which entails adding `rel="nofollow` to +external links) applied to the customized version. + +* `Open-ILS/src/templates/opac/parts/record/summary.tt2` +* `Open-ILS/src/templates/opac/parts/result/table.tt2` + Upgrade notes -------------
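Review bot: the attribute in the second "They should also review" paragraph is missing its closing double quote: `rel="nofollow` should read `rel="nofollow"`, otherwise the rendered release notes instruct administrators to add a malformed attribute to their customized templates. A smaller style point in the same hunk: the first template list indents its `*` markers with a leading space while the second list does not; dropping the leading space on the first list keeps the two lists consistent and avoids the indented lines being rendered as a literal block by the AsciiDoc toolchain instead of as bullets.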