From 41ff0f7218de7e9f31a61d889132a9696c912da4 Mon Sep 17 00:00:00 2001
From: Florian Zschocke
Date: Sat, 9 Apr 2022 19:29:17 +0200
Subject: [PATCH] doc: Merge release 1.9.3 info into releases.moxie

---
 releases.moxie | 47 +++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 43 insertions(+), 4 deletions(-)

diff --git a/releases.moxie b/releases.moxie
index dc20beca..c7a75a92 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -1,7 +1,7 @@
 #
 # ${project.version} release
 #
-r33: {
+r34: {
 title: ${project.name} ${project.version} released
 id: ${project.version}
 date: ${project.buildDate}
@@ -21,6 +21,45 @@ r33: {
 - paladox
 }
 
+#
+# 1.9.3 release
+#
+r33: {
+ title: Gitblit 1.9.3 released
+ id: 1.9.3
+ date: 2022-04-09
+ note: ''
+ The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.
+ ''
+ html: ~
+ text: ''
+ !! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !!
+
+ There is a security vulnerability in version 1.9.2, which allows an attacker to gain
+ elevated access rights. This is present when the Config User Service is used as the
+ user service, which is the default.
+
+ Version 1.9.2 introduced a new implementation to store user data in the user config file
+ which holds user name, password, access rights etc. This was done to solve problems with
+ very large user bases (pr-1364). This new implementation does not properly escape all
+ control characters, like newline and tab. As a result, a normal user, when logged into
+ Gitblit, can edit his profile data and enter values in e.g. the email address that are
+ interpreted as control characters in the text file stored on disk. This allows the malicious
+ user to give themselves e.g. elevated access rights on their account.
+
+ This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2.
+
+ Many thanks to Github user @YYHYlh for finding and reporting this issue (issue-1410).
+ ''
+ security:
+ - Fix escaping control characters in config user service, resolving a security vulnerability. (issue-1410)
+ fixes: ~
+ changes: ~
+ additions: ~
+ dependencyChanges: ~
+ contributors: ~
+}
+
 #
 # 1.9.2 release
 #
@@ -2061,6 +2100,6 @@ r1: {
 - James Moger
 }
 
-snapshot: &r33
-release: &r32
-releases: &r[1..32]
+snapshot: &r34
+release: &r33
+releases: &r[1..33]
-- 
2.39.5