From d42f4bc98e0e0fb98f00f70a45d6cbaec6968cd6 Mon Sep 17 00:00:00 2001 From: Laura Hausmann Date: Sun, 17 Nov 2024 18:48:52 +0100 Subject: [PATCH] Release: v2024.1-beta4.security1 --- CHANGELOG.md | 13 +++++++++++++ Directory.Build.props | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee14a213..e7fc9e5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,16 @@ +## v2024.1-beta4.security1 +This is a security hotfix release. It's identical to v2024.1-beta4, except for the security mitigations listed below. Upgrading is strongly recommended for all server operators. + +### Backend +- ActivityPub actor and note validation has been improved & now protects against cross-origin identifiers in more places, resolving a database pollution vulnerability +- Cross-origin `url` properties on actor & note objects now get set to null before ingestion, resolving a clickjacking vulnerability +- User resolution when processing incoming notes is now limited + +### Attribution +This release was made possible by project contributors: Laura Hausmann + +Furthermore, I want to give special thanks to Hazel Koehler for the vulnerability disclosure. + ## v2024.1-beta4 This release contains lots of new features & bug fixes, including security fixes. Upgrading is strongly recommended for all server operators. diff --git a/Directory.Build.props b/Directory.Build.props index 85d8a2fe..09088b39 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -32,7 +32,7 @@ 2024.1 - beta4 + beta4.security1
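Review bot: The third Backend bullet in the CHANGELOG hunk, "User resolution when processing incoming notes is now limited", does not say what is limited or to what bound, so an operator reading the changelog cannot tell which behaviour changed or how to verify it on their instance; state the limit (for example the number of remote users resolved per incoming note, or whatever the mitigation actually bounds) in the same style as the two bullets above it. The first bullet has the same problem with "in more places": name the validation paths that now reject cross-origin identifiers, since the entry is the only record an operator has of the hardening. If a security advisory exists for these three issues, link it from the "This is a security hotfix release" line so the changelog entry is traceable to a full description of the vulnerabilities.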
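Review bot: The Directory.Build.props hunk changes only the pre-release suffix, `beta4` to `beta4.security1`, which together with the unchanged `2024.1` line matches the `v2024.1-beta4.security1` header added in CHANGELOG.md; confirm that every place the version string is compared (update notifications, version-based migrations, anything that orders releases) treats `beta4.security1` as newer than `beta4`, because a comparison that only looks at the `beta4` prefix would not flag the hotfix as an available upgrade even though the changelog says upgrading is strongly recommended. Under SemVer pre-release rules the longer identifier list does sort after `beta4`, but that holds only if the project's comparison actually follows those rules.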