From 759b1ce47a4da09aca3aac92e597252a5f7d5e6e Mon Sep 17 00:00:00 2001 From: Jason Boyer Date: Wed, 17 May 2023 14:25:58 -0400 Subject: [PATCH] Update Release Notes Signed-off-by: Jason Boyer --- docs/RELEASE_NOTES_3_8.adoc | 60 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/docs/RELEASE_NOTES_3_8.adoc b/docs/RELEASE_NOTES_3_8.adoc index 782a31fd0a..02b010c845 100644 --- a/docs/RELEASE_NOTES_3_8.adoc +++ b/docs/RELEASE_NOTES_3_8.adoc @@ -3,6 +3,66 @@ :numbered: :toclevels: 3 +== Evergreen 3.8.4 == + +This release contains bug fixes improving on Evergreen 3.8.3. This release includes +fixes for three security bugs. + +=== Security Fixes === + +=== Fix SQL Injection Vulnerability === + +An SQL injection vulnerability related to the implementation of +search term highlights is now closed. + +This is https://bugs.launchpad.net/evergreen/+bug/2004055[Bug 2004055]. + +=== Malicious Search Protection === + +Evergreen sometimes sees some "novel" query strings in the wild that +cause the search backend to time out or worse. These are sometimes +malicious and sometimes accidental, but the effect on users is the +same. + +The changes here improve query compilation in several respects in order +to reduce the chances of an overly complex query causing problems for +the search subsystem. + +More work is done up front to simplify and combine parts of the +resulting SQL, allowing more work to be done closer to the data. +This change allows Evergreen to handle many more tested or chained +boolean expressions, and negated terms are now handled directly in +line with other adjacent terms. Phrases (exact matches) are now +searched for using Postgres' adjacency tsearch operator. + +All of these changes work together to improve performance by getting +more search work done in fewer database operations while protecting +against certain query constructs that have caused problems in the +past. + +This is https://bugs.launchpad.net/evergreen/+bug/1775958[Bug 1775958]. + +=== Restrict login redirect === + +As a security best-practice, Evergreen should not allow arbitrary +redirection on successful login, but instead limit redirection to +local links or configured domains and schemes. + +This feature is controlled by a new global flag called *opac.login_redirect_domains* +which must contain a comma-separated list of domains. All hostnames +under each domain is allowed for redirect, and the scheme of the +redirect URL must be one of http, https, ftp, or ftps. + +This is https://bugs.launchpad.net/evergreen/+bug/1908576[Bug 1908576]. + +=== Acknowledgements === + +We would like to thank the following individuals who contributed code, testing, and documentation to the 3.8.4 point release of Evergreen: + +* Jason Boyer +* Galen Charlton +* Mike Rylander + == Evergreen 3.8.3 == This release contains bug fixes improving on Evergreen 3.8.2. This release includes -- 2.11.0