Merge branch '6.8' into bump-6.8.12

elastic · Jul 27, 2020 · 50e332c · 50e332c
2 parents 3456615 + 6ad7b4f
commit 50e332c
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/docs/CHANGELOG.asciidoc b/docs/CHANGELOG.asciidoc
@@ -101,7 +101,20 @@ This section summarizes the changes in each release.
 [[release-notes-6.8.11]]
 == {kib} 6.8.11
 
-coming::[6.8.11]
+[float]
+[[security-update-6.8.11]]
+=== Security updates
+* In {kib} 6.8.11 and earlier, there is a denial of service (DoS) flaw in Timelion. Attackers can construct a URL that when viewed by a {kib} user, 
+the {kib} process consumes large amounts of CPU and becomes unresponsive,
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7016[CVE-2020-7016].
++
+You must upgrade to 6.8.11. If you are unable to upgrade, set `timelion.enabled` to `false` in your kibana.yml file to disable Timelion.
+
+* In all {kib} versions, region map visualizations contain a stored XSS flaw. Attackers that can edit or create region map visualizations can obtain 
+sensitive information or perform destructive actions on behalf of {kib} users who view the region map visualization,
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7017[CVE-2020-7017].
++
+You must upgrade to 6.8.11. If you are unable to upgrade, set `xpack.maps.enabled`, `region_map.enabled`, and `tile_map.enabled` to `false` in kibana.yml to disable map visualizations.
 
 [float]
 [[enhancement-v6.8.11]]