Release v1.8.16

2021-11-28 16:57:38 -05:00 · 2021-11-28 16:57:38 -05:00 · 142a47cbbc
parent 77bcb507b3
commit 142a47cbbc
3 changed files with 24 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,25 @@
+# 1.8.16
+
+### Security fixes
+
+If you cannot upgrade to v1.8.16 for some reason, you are encouraged to try
+cherry-picking the fixes to the version you are running:
+
+```shell
+git cherry-pick b7065eb9a0ec..77bcb507b30e
+```
+
+* Maliciously crafted `.etherpad` files can no longer overwrite arbitrary
+  non-pad database records when imported.
+* Imported `.etherpad` files are now subject to numerous consistency checks
+  before any records are written to the database. This should help avoid
+  denial-of-service attacks via imports of malformed `.etherpad` files.
+
+### Notable enhancements and fixes
+
+* Fixed several `.etherpad` import bugs.
+* Improved support for large `.etherpad` imports.
+
 # 1.8.15

 ### Security fixes
--- a/src/package-lock.json
+++ b/src/package-lock.json
@ -1,6 +1,6 @@
 {
  "name": "ep_etherpad-lite",
-  "version": "1.8.15",
+  "version": "1.8.16",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
--- a/src/package.json
+++ b/src/package.json
@ -246,6 +246,6 @@
    "test": "mocha --timeout 120000 --recursive tests/backend/specs ../node_modules/ep_*/static/tests/backend/specs",
    "test-container": "mocha --timeout 5000 tests/container/specs/api"
  },
-  "version": "1.8.15",
+  "version": "1.8.16",
  "license": "Apache-2.0"
 }