From 7fb6c1e1179d138a3af70361ffc28bf9a49c12cb Mon Sep 17 00:00:00 2001 From: RiotRobot Date: Wed, 1 Apr 2020 15:28:24 +0100 Subject: [PATCH] Prepare changelog for v1.5.15 --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02d5492a..a5bc6cda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,19 @@ +Changes in [1.5.15](https://github.com/vector-im/riot-web/releases/tag/v1.5.15) (2020-04-01) +============================================================================================ +[Full Changelog](https://github.com/vector-im/riot-web/compare/v1.5.14...v1.5.15) + +## Security notice + +The `jitsi.html` widget wrapper introduced in Riot 1.5.14 could be used to extract user data by tricking the user into adding a custom widget or opening a link in the browser used to run Riot. Jitsi widgets created through Riot UI do not pose a risk and do not need to be recreated. + +It is important to purge any copies of Riot 1.5.14 so that the vulnerable `jitsi.html` wrapper from that version is no longer accessible. + +## All changes + + * Upgrade React SDK to 2.3.1 for Jitsi fixes + * Fix popout support for jitsi widgets + [\#12980](https://github.com/vector-im/riot-web/pull/12980) + Changes in [1.5.14](https://github.com/vector-im/riot-web/releases/tag/v1.5.14) (2020-03-30) ============================================================================================ [Full Changelog](https://github.com/vector-im/riot-web/compare/v1.5.14-rc.1...v1.5.14)