Add a [SECURITY] to the changelog and update CVE-2023-40577
Some users have been vocal about the security fix not being visible enough in the changelog. It seems like Prometheus uses [SECURITY] to disclose these, and I think it's a good practice.

A copy of #3487 but for the release branch of 0.26

Signed-off-by: gotjosh <josue.abreu@gmail.com>
gotjosh committed Aug 25, 2023
1 parent fea2ca4 commit 7b9dba6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion CHANGELOG.md
@@ -1,5 +1,6 @@
## 0.26.0 / 2023-08-23

* [SECURITY] Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI. CVE-2023-40577
* [CHANGE] Telegram Integration: `api_url` is now optional. #2981
* [CHANGE] Telegram Integration: `ParseMode` default is now `HTML` instead of `MarkdownV2`. #2981
* [CHANGE] Webhook Integration: `url` is now marked as a secret. It will no longer show up in the logs as clear-text. #3228
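Review bot: the new [SECURITY] entry at the top of 0.26.0 ends with the CVE id but, unlike the [CHANGE] entries right below it, carries no PR reference for the fix, so a reader cannot get from the changelog to the patch. Add the fixing PR number or an advisory link after `CVE-2023-40577`. The endpoint is also written as plain /api/v1/alerts while the other entries put endpoints and config keys in backticks (`api/v2/receivers`, `api_url`); formatting it the same way keeps the line consistent.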
Expand All @@ -25,7 +26,6 @@
* [BUGFIX] API: Fixed duplicate receiver names in the `api/v2/receivers` API endpoint. #3338
* [BUGFIX] API: Attempting to delete a silence now returns the correct status code, `404` instead of `500`. #3352
* [BUGFIX] Clustering: Fixes a panic when `tls_client_config` is empty. #3443
* [BUGFIX] Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI.

## 0.25.0 / 2022-12-22

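Review bot: the 0.26.0 heading is dated 2023-08-23 and this commit is from Aug 25, so any release notes already copied from this section still describe the fix with the `[BUGFIX]` wording removed here and without the CVE id. Update those to the `[SECURITY]` line in the same change, or note it as a follow-up, so the published notes and CHANGELOG.md do not diverge.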