changeset 5903:e55effb840da

update docs/CHANGES
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Wed, 12 Dec 2012 12:04:34 +0100
parents 840ebd16ddd9
children 3a1b92276377
files docs/CHANGES
diffstat 1 files changed, 11 insertions(+), 1 deletions(-)
--- a/docs/CHANGES	Sun Dec 09 23:20:50 2012 +0100
+++ b/docs/CHANGES	Wed Dec 12 12:04:34 2012 +0100
@@ -16,7 +16,7 @@
     editor_force = True
     editor_default = 'text'  # internal default, just for completeness
 
-Version 1.9.5:
+Version 1.9.<current>:
 
   SECURITY HINT: make sure you have allow_xslt = False (or just do not use
   allow_xslt at all in your wiki configs, False is the internal default).
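Review bot: The new heading "Version 1.9.<current>:" is a placeholder, so nothing under it is tied to a release number, including the allow_xslt SECURITY HINT that now sits below it instead of below 1.9.5. An admin reading docs/CHANGES to check whether an installed version carries a given fix cannot tell from this heading. Suggest stating next to the heading that this section covers unreleased changes on top of 1.9.5, and replacing the placeholder with the real version number when the release is cut.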
@@ -25,6 +25,16 @@
   HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details.
 
   Fixes:
+  * fix XSS issue, escape page name in rss link
+  * escape user- or admin-defined css url
+  * make taintfilename more secure
+  * use a constant time str comparison function to prevent timing attacks
+  * Attachment handler: catch all Zip-related errors
+
+
+Version 1.9.5:
+
+  Fixes:
    * Security fix: fix virtual group bug in ACL evaluation.
    * Avoid crash if #refresh processing instruction is used without arguments.
    * Fix issue with non-ASCII textchas.
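Review bot: The added Fixes entries that are security-relevant ("fix XSS issue, escape page name in rss link", "escape user- or admin-defined css url", "make taintfilename more secure", "use a constant time str comparison function to prevent timing attacks") carry no "Security fix:" prefix, while the existing 1.9.5 entry for the ACL bug does, so someone scanning the file for security fixes will miss them. Suggest prefixing them the same way and saying what each one affects: "make taintfilename more secure" does not say what was insecure, and the constant-time entry does not say which comparisons now use it. As a style point, the new bullets are indented to the same column as "Fixes:" while the existing 1.9.5 bullets are indented one column further, and there are two blank lines before the "Version 1.9.5:" heading; aligning these with the existing entries keeps the file consistent.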