From 1bbe3fb5f5e4cfcf5e6325ee9335b9924cd71bc7 Mon Sep 17 00:00:00 2001 From: Galen Charlton Date: Wed, 24 May 2017 12:29:57 -0400 Subject: [PATCH] update 2.11.5 release notes Signed-off-by: Galen Charlton --- docs/RELEASE_NOTES_2_11.adoc | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/docs/RELEASE_NOTES_2_11.adoc b/docs/RELEASE_NOTES_2_11.adoc index e3348b13e4..db98214810 100644 --- a/docs/RELEASE_NOTES_2_11.adoc +++ b/docs/RELEASE_NOTES_2_11.adoc @@ -5,9 +5,24 @@ Evergreen 2.11 Release Notes Evergreen 2.11.5 ---------------- - -This release contains several bug fixes improving on Evergreen 2.11.4. - +This release is a security release that also contains several other bug +fixes improving on Evergreen 2.11.4. + +Security Issue: XSS Vulnerability in Public Catalog +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +This release fixes several cross-site scripting (XSS) vulnerabilities +in the public catalog. When upgrading, Evergreen administrators should +review whether any of the following templates have been customized +or overridden. If so, either the template should be replaced with the +stock version or the XSS fix (which entails adding the `| html` filter +in several places) applied to the customized version. + +* `Open-ILS/src/templates/opac/parts/locale_picker.tt2` +* `Open-ILS/src/templates/opac/parts/login/form.tt2` +* `Open-ILS/src/templates/opac/parts/searchbar.tt2` + +Other Bugfixes +~~~~~~~~~~~~~~ * A fix to remove the Chilifresh patron reviews header for Evergreen sites that do not use Chilifresh. * A fix that marks acquisitions POs as received when all line items on the -- 2.11.0
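Review bot: the security section tells administrators to apply "the XSS fix (which entails adding the `| html` filter in several places)" to customized copies of the three listed templates, but it does not say where those places are or point to the commit or bug report that made the change, so an administrator maintaining a customized `locale_picker.tt2`, `form.tt2` or `searchbar.tt2` has no way to verify from these notes alone that every unescaped output has been covered. Suggest adding a reference to the fixing commit (or the tracker entry) next to the template list, and a sentence noting that any site-local override of these templates must be diffed against the stock version rather than just checked for the filter's presence. Minor: the hunk also strips a whitespace-only line from the old paragraph, which is fine, and the `~` underline lengths match the new subsection titles, consistent with the file's AsciiDoc style.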