Update changelog and release notes

django-cms · fsbraun · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
commit 245a817af7e14cb736c8d34368b5423b438482ac
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,20 +2,25 @@
 Changelog
 =========
 
+3.11.9 (2024-11-13)
+===================
+
 Bug Fixes:
 ----------
 * XSS vulnerability for page title (#8075) (699f04e9b) -- Fabian Braun
+* fix: Accept legacy action names for page permission check (#8022) (fc4838f99) -- Fabian Braun
+
 
 Statistics:
 -----------
 
 This release includes 4 pull requests, and was created with the help of the following contributors (in alphabetical order):
 
-* Fabian Braun (1 pull request)
-* Github Release Action (3 pull requests)
+* Fabian Braun (2 pull requests)
 
 With the review help of the following contributors:
 
+* Mark Walker
 
 Thanks to all contributors for their efforts!
 

diff --git a/docs/upgrade/3.11.9.rst b/docs/upgrade/3.11.9.rst
@@ -1,35 +1,52 @@
 .. _upgrade-to-3.11.9:
 
 ####################
-Release notes 3.11.8
+Release notes 3.11.9
 ####################
 
+************
+Security fix
+************
+
+    django CMS 3.11.9 closes a security vulnerability that could allow an attacker
+to inject malicious code into the page title allowing to load arbitrary
+javascript code when viewing the page. We recommend that you upgrade to
+this version as soon as possible.
+
+The security issue is of low severity, since an attacker needs to have access
+to the django CMS admin interface to exploit it.
+
+Thanks to `Ali İltizar (@alii76tt) <https://twitter.com/alii76tt>`_ for
+reporting the issue.
+
+.. note::
+
+   As ever, we remind our users and contributors that all security reports,
+   patches and concerns be addressed only to our security team by email, at
+   `security@django-cms.org <mailto:security@django-cms.org>`_.
+
+
+
 ********************
 What's new in 3.11.9
 ********************
 
-Features:
----------
-* Improved permission performance for Django CMS 3 by @fsbraun in https://github.com/django-cms/django-cms/pull/7987
-
 Bug Fixes:
 ----------
-* Backport of #7868 and #7920 by @fsbraun in https://github.com/django-cms/django-cms/pull/7926
-* Mark language and user middleware synchronous for ASGI (#7985) by @jbazik in https://github.com/django-cms/django-cms/pull/7986
-* Also clear menu cache if page permissions are changed (#7988) (#7990) (7a2632277) -- Fabian Braun
-* Import error from backporting v4 deprecation (#7993) (4492f479c) -- Fabian Braun
+* XSS vulnerability for page title (#8075) (699f04e9b) -- Fabian Braun
+* fix: Accept legacy action names for page permission check (#8022) (fc4838f99) -- Fabian Braun
+
 
 Statistics:
 -----------
 
 This release includes 4 pull requests, and was created with the help of the following contributors (in alphabetical order):
 
-* Fabian Braun (3 pull request)
-* John Bazik (1 pull request)
+* Fabian Braun (2 pull requests)
 
 With the review help of the following contributors:
 
-* Vinit Kumar
+* Mark Walker
 
 Thanks to all contributors for their efforts!