Merge branch 'security' into 3.1-stable

author: Andrey Andreev <narf@devilix.net> 2017-01-09 14:18:25 +0100
committer: Andrey Andreev <narf@devilix.net> 2017-01-09 14:18:25 +0100
commit: e5b31fce3e74c9b28f9fb9a904b4e2f29873293d (patch)
tree: 32a66c3a806f34b2c77c96c432f551b27c756e6e /user_guide_src/source/changelog.rst
parent: e898e565c60617dbc43186c14018519d8ef05042 (diff)
parent: 61fd92498db72bc511effa8c15274596afbb5010 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 91a59c4cf..ca1696c42 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -7,6 +7,14 @@ Version 3.1.3
 
 Release Date: Not Released
 
+-  **Security**
+
+   -  Fixed an XSS vulnerability in :doc:`Security Library <libraries/security>` method ``xss_clean()``.
+   -  Fixed a possible file inclusion vulnerability in :doc:`Loader Library <libraries/loader>` method ``vars()``.
+   -  Fixed a possible remote code execution vulnerability in the :doc:`Email Library <libraries/email>` when 'mail' or 'sendmail' are used (thanks to Paul Buonopane from `NamePros <https://www.namepros.com/>`_).
+   -  Added protection against timing side-channel attacks in :doc:`Security Library <libraries/security>` method ``csrf_verify()``.
+   -  Added protection against BREACH attacks targeting the CSRF token field generated by :doc:`Form Helper <helpers/form_helper>` function :php:func:`form_open()`.
+
 -  General Changes
 
    -  Deprecated ``$config['allow_get_array']``.
author	Andrey Andreev <narf@devilix.net>	2017-01-09 14:18:25 +0100
committer	Andrey Andreev <narf@devilix.net>	2017-01-09 14:18:25 +0100
commit	e5b31fce3e74c9b28f9fb9a904b4e2f29873293d (patch)
tree	32a66c3a806f34b2c77c96c432f551b27c756e6e /user_guide_src/source/changelog.rst
parent	e898e565c60617dbc43186c14018519d8ef05042 (diff)
parent	61fd92498db72bc511effa8c15274596afbb5010 (diff)