From 6726314834d0de9e29c45dcb3d6f3ce9118a956d Mon Sep 17 00:00:00 2001 From: Bert JW Regeer Date: Wed, 23 Aug 2023 14:42:14 -0600 Subject: Update CHANGES for exploit mitigation --- CHANGES.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'CHANGES.rst') diff --git a/CHANGES.rst b/CHANGES.rst index a582ca98f..0039fe1e9 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -12,9 +12,22 @@ Features Bug Fixes --------- +- Removed support for null-bytes in the path when making a request for a file + against a static_view. Whille null-bytes are allowed by the HTTP + specification, due to the handling of null-bytes potentially leading to + security vulnerabilities it is no longer supported. + + This fixes a security vulnerability that is present due to a bug in Python + 3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an + ``index.html`` one directory up from the static views path. + + Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue. + Backward Incompatibilities -------------------------- +- Requests to a static_view are no longer allowed to contain a null-byte in any + part of the path segment. - Pyramid is no longer tested on, nor supports Python 3.6 - Pyramid drops support for l*gettext() methods in the i18n module. These have been deprecated in Python's gettext module since 3.8, and -- cgit v1.2.3
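Review bot: typo in the first added Bug Fixes bullet: "Whille null-bytes are allowed by the HTTP specification" should read "While ...", and the rest of that sentence ("due to the handling of null-bytes potentially leading to security vulnerabilities it is no longer supported") is hard to parse; suggest "While null-bytes are allowed by the HTTP specification, their handling can lead to security vulnerabilities, so they are no longer supported." The second paragraph attributes the ``index.html`` disclosure to "a bug in Python 3.11.0 through 3.11.4" without a reference; consider adding a link to the relevant CPython issue or advisory so readers can confirm which interpreter versions are affected and whether upgrading Python alone addresses the issue or the Pyramid change is required regardless.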