From: Galen Charlton <gmc@equinoxinitiative.org> Date: Wed, 28 Mar 2018 14:14:41 +0000 (-0400) Subject: release notes for Evergreen 2.12.12 X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=72f182c6f9cdc090d4948d676fa2b9032bc9a880;p=contrib%2FConifer.git release notes for Evergreen 2.12.12 --- diff --git a/docs/RELEASE_NOTES_2_12.adoc b/docs/RELEASE_NOTES_2_12.adoc index fddb13317e..a35667fca9 100644 --- a/docs/RELEASE_NOTES_2_12.adoc +++ b/docs/RELEASE_NOTES_2_12.adoc 
@@ -3,6 +3,39 @@ Evergreen 2.12 Release Notes :toc: :numbered: +Evergreen 2.12.12 +----------------- +This release is a security release that fixes cross-site scripting +(XSS) vulnerabilities in the Evergreen public catalog. + +Security Issue: XSS Vulnerability in Public Catalog +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This release fixes several cross-site scripting (XSS) vulnerabilities +in the public catalog. When upgrading, Evergreen administrators should +review whether any of the following templates have been customized +or overridden. If so, either the template should be replaced with the +stock version or the XSS fix (which entails adding the `| html` filter +in several places) applied to the customized version. + +* `Open-ILS/src/templates/opac/parts/record/contents.tt2` +* `Open-ILS/src/templates/opac/parts/record/copy_counts.tt2` +* `Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2` + +Note that exploiting the XSS vulnerabilities fixed in this release +would require either the ability to create maliciously-constructed +MARC bibliographic or holdings records or the ability to set a +maliciously constructed organizational unit name. + +Acknowledgements +~~~~~~~~~~~~~~~~ +We would like to thank the following individuals who contributed code, +tests and documentation patches to the 2.12.12 security release of +Evergreen: + +* Galen Charlton +* Dan Scott +* Chris Sharp + Evergreen 2.12.11 ----------------- This release contains bug fixes improving on Evergreen 2.12.10:
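Review bot: the upgrade guidance in the new 2.12.12 section says the fix "entails adding the `| html` filter in several places" but never says which places, so an administrator with a customized copy of `contents.tt2`, `copy_counts.tt2` or `issues-mfhd.tt2` has no way to apply the fix to their override short of diffing against stock. Either list the affected variables per template, or point readers at the upstream change for each file, and state the general rule the fix follows: every point where MARC bibliographic or holdings data, or an org unit name, is interpolated into HTML needs `| html`, attribute values included, not only the spots that happened to be patched. A one-line check would also help here, e.g. after upgrading, view a record whose field contains literal `<` and `&` characters and confirm they render as text rather than markup. Minor style point in the same paragraph: "maliciously-constructed MARC" and "maliciously constructed organizational unit name" use different hyphenation; pick one.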