From: Galen Charlton Date: Wed, 24 May 2017 16:29:57 +0000 (-0400) Subject: update 2.11.5 release notes X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=1bbe3fb5f5e4cfcf5e6325ee9335b9924cd71bc7;p=evergreen%2Fmasslnc.git update 2.11.5 release notes Signed-off-by: Galen Charlton --- diff --git a/docs/RELEASE_NOTES_2_11.adoc b/docs/RELEASE_NOTES_2_11.adoc index e3348b13e4..db98214810 100644 --- a/docs/RELEASE_NOTES_2_11.adoc +++ b/docs/RELEASE_NOTES_2_11.adoc @@ -5,9 +5,24 @@ Evergreen 2.11 Release Notes Evergreen 2.11.5 ---------------- - -This release contains several bug fixes improving on Evergreen 2.11.4. - +This release is a security release that also contains several other bug +fixes improving on Evergreen 2.11.4. + +Security Issue: XSS Vulnerability in Public Catalog +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This release fixes several cross-site scripting (XSS) vulnerabilities +in the public catalog. When upgrading, Evergreen administrators should +review whether any of the following templates have been customized +or overridden. If so, either the template should be replaced with the +stock version or the XSS fix (which entails adding the `| html` filter +in several places) applied to the customized version. + +* `Open-ILS/src/templates/opac/parts/locale_picker.tt2` +* `Open-ILS/src/templates/opac/parts/login/form.tt2` +* `Open-ILS/src/templates/opac/parts/searchbar.tt2` + +Other Bugfixes +~~~~~~~~~~~~~~ * A fix to remove the Chilifresh patron reviews header for Evergreen sites that do not use Chilifresh. * A fix that marks acquisitions POs as received when all line items on the
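Review bot: the new "Security Issue" text in the RELEASE_NOTES_2_11.adoc hunk tells administrators to check whether `locale_picker.tt2`, `login/form.tt2` or `searchbar.tt2` have been customized, but it never says which template expressions now pass through `| html`, so an admin holding a locally overridden copy (for example in the template override directory configured in the Apache vhost) cannot confirm the fix is present without diffing the whole file against stock; list the affected expressions, or point at the fixing commit or bug report, so the check reduces to a grep of the override directory. The section title "Security Issue: XSS Vulnerability in Public Catalog" is singular while the first sentence says "several cross-site scripting (XSS) vulnerabilities"; make the two agree. The sentence "either the template should be replaced with the stock version or the XSS fix ... applied to the customized version" would also benefit from stating that the `| html` filter must be applied to every place user-controlled input is echoed, not only the three files named, so that sites with additional local templates derived from these know to audit them as well.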