From 7595e415d59e51c05cfcb90748e2d9fcc0a39dd5 Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Mon, 27 Apr 2020 21:01:14 +0200 Subject: [PATCH] REL: Release version 2.1.1 fixing a critical security issue --- CHANGELOG.md | 23 ++++++++--------------- NEWS.md | 10 ++++++---- debian/changelog | 7 +++++++ intelmq-manager/php/config.php | 2 +- 4 files changed, 22 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 34c89bd..3366a0e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,35 +2,28 @@ CHANGELOG ========= -2.1.1 (unreleased) +2.1.1 (2020-04-27) ------------------ Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. ### Backend -- Fix mispelling of the environmental variable `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an 'a' was missing). +- Fix misspelling of the environmental variable `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an 'a' was missing). - Fix handling of POST variable `msg` of the message-sending functionality available in the Inspect-tool. ### Pages - -#### Landing page - -#### Configuration - -#### Management - #### Monitor - Fix running commands with the "inspect" widget by fixing the definition of the `CONTROLLER_CMD` in the template (PR #194). -#### Check - ### Documentation - Update supported operating systems in Installation documentation (i.a. PR #191). -### Third-party libraries - -### Packaging - ### Known issues +* Missing CSRF protection (#111). +* Graph jumps around on "Add edge" (#148). +* wrong error message for new bots with existing ID (#152). +* `ALLOWED_PATH=` violates CSP (#183). +* Monitor page: Automatic log refresh reset log page to first one (#190). + 2.1.0 (2019-10-15) ------------------ diff --git a/NEWS.md b/NEWS.md index 3a19699..6cc0b25 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -3,16 +3,18 @@ NEWS See the changelog for a full list of changes. -2.1.1 (unreleased) +2.1.1 (2020-04-27) ------------------ -**Never ever run intelmq-manager on a public webserver without SSL and proper authentication**. -Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. +### Security +* **Never ever run intelmq-manager on a public webserver without SSL and proper authentication**. +* Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. +* Use IntelMQ Manager only from a browser that can only access internal, trusted sites. (Because CSRF development is under way, see [#111](github.com/certtools/intelmq/issues/111)). +### Configuration The environment variable name was corrected from `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANGAER_CONTROLLER_CMD` you might need to adapt your configuration. The old name will be available until version 3.0. -Use IntelMQ Manager only from a browser that can only access internal, trusted sites. (Because CSRF development is under way, see [#111](github.com/certtools/intelmq/issues/111)). 2.1.0 (2019-10-15) ------------------ diff --git a/debian/changelog b/debian/changelog index f149c3a..ee31fb8 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +intelmq-manager (2.1.1-1) stable; urgency=critical + + * Update to version 2.1.1. + * Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. + + -- Sebastian Wagner Mon, 27 Apr 2020 21:02:23 +0200 + intelmq-manager (2.1.0-1) stable; urgency=medium * Update to version 2.1.0 diff --git a/intelmq-manager/php/config.php b/intelmq-manager/php/config.php index 4e231e5..d6dcb4d 100644 --- a/intelmq-manager/php/config.php +++ b/intelmq-manager/php/config.php @@ -24,7 +24,7 @@ $BOT_CONFIGS_REJECT_REGEX = '/[^[:print:]\n\r\t]/'; $BOT_ID_REJECT_REGEX = '/[^A-Za-z0-9.-]/'; - $VERSION = "2.1.1a1"; + $VERSION = "2.1.1"; $ALLOWED_PATH = "/opt/intelmq/var/lib/bots/"; // PHP is allowed to fetch the config files from the current location in order to display bot configurations. $FILESIZE_THRESHOLD = 2000; // config files under this size gets loaded automatically; otherwise a link is generated
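Review bot: the 2.1.1 entry in CHANGELOG.md describes the code-execution issue in the Inspect-tool "send" functionality but never states which versions are affected, nor whether an advisory identifier (CVE) has been assigned; add an "affected versions" line and, once one exists, the identifier, so packagers and operators can match the fix against their deployments. Minor: the new Known issues list uses `*` bullets while the rest of the file uses `-`, and "wrong error message for new bots with existing ID" should be capitalised like the other items.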
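Review bot: the Configuration paragraph in the NEWS.md hunk names the corrected variable as `INTELMQ_MANGAER_CONTROLLER_CMD`, which is itself misspelled; the CHANGELOG.md hunk in this same patch gives `INTELMQ_MANAGER_CONTROLLER_CMD`, and an operator following NEWS verbatim would export a variable the backend does not read. Also, the link target `github.com/certtools/intelmq/issues/111` carries no scheme, so Markdown renderers will treat it as a relative path; write it as `https://github.com/certtools/intelmq/issues/111`. The sentence "... to `INTELMQ_MANAGER_CONTROLLER_CMD` you might need to adapt your configuration" needs a semicolon or full stop before "you".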
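Review bot: the new 2.1.1-1 stanza in debian/changelog states the vulnerability but not what was changed to remedy it; mirror the CHANGELOG line "Fix handling of POST variable `msg` of the message-sending functionality available in the Inspect-tool" as a further bullet so that someone reading only the package changelog can see that the fix is included, not merely the disclosure. `urgency=critical` is the right choice for a remotely reachable code-execution fix.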
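Review bot: the `$VERSION = "2.1.1";` bump in intelmq-manager/php/config.php sits next to deployment-specific settings (`$ALLOWED_PATH`, `$FILESIZE_THRESHOLD`), so an administrator who carries a customised config.php across upgrades will keep reporting the old version string even after the security fix is installed; consider moving `$VERSION` into a file that is not meant to be edited locally (or reading it from the package metadata) so the displayed version reliably reflects the code actually deployed.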