Update notices and History

meteor · Apr 30, 2014 · f49863f · f49863f
1 parent 6fcbceb
commit f49863f
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/History.md b/History.md
@@ -1,5 +1,19 @@
 ## v.NEXT
 
+
+## v0.7.2.2
+
+* Fix a security flaw in OAuth1 and OAuth2 implementations. If you are
+  using any OAuth accounts packages (such as `accounts-google` or
+  `accounts-twitter`), we recommend that you update immediately and log
+  out your users' current sessions with the following MongoDB command:
+
+  $ db.users.update({}, { $set: { 'services.resume.loginTokens': [] } },
+    { multi: true });
+
+  OAuth redirect URLs are now required to be on the same origin as your app.
+
+
 ## v0.7.2.1
 
 * Fix security flaw in OAuth1 implementation. Clients can no longer

diff --git a/scripts/admin/notices.json b/scripts/admin/notices.json
@@ -91,6 +91,24 @@
   {
     "release": "0.7.1.2"
   },
+  {
+    "release": "0.7.2"
+  },
+  {
+    "release": "0.7.2.1"
+  },
+  {
+    "release": "0.7.2.2",
+    "notices": [
+      "We closed a security hole in our OAuth client. If you are using",
+      "OAuth-based accounts (such as the `accounts-google` or",
+      "`accounts-twitter` packages), we recommend that you log out",
+      "all your users by running this command from a MongoDB shell:",
+      "",
+      "  $ db.users.update({}, { $set: { 'services.resume.loginTokens': [] } },",
+      "    { multi: true });"
+    ]
+  },
   {
     "release": "NEXT"
   }