Release Notes for 1.0.7.

css4j · Jul 28, 2020 · cb25dab · cb25dab
1 parent 09ef84b
commit cb25dab
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/RELEASE_NOTES.txt b/RELEASE_NOTES.txt
@@ -2,20 +2,21 @@
                             CSS4J RELEASE NOTES
                             ===================
 
-Release 1.0.7 - ???? ??, 2020 [This release is EOL and not formally supported]
+Release 1.0.7 - July 28, 2020 [This release is EOL and not formally supported]
 ------------------------------------------------------------------------------
 
 Release Highlights
 ------------------
- This release brings backports of a few bug fixes to the 1.x branch, although
-users should upgrade to 2.0 or later as soon as possible (1.x is not formally
+ The 1.x branch is vulnerable to denial of service attacks in var() substitution.
+Although this release has mitigation code, a carefully crafted style sheet that
+specifically targets css4j could be used to cause a DoS. Therefore, the usage of
+1.x to process untrusted CSS should be avoided.
+
+ This release backports a few 2.0 improvements to the 1.x branch, although users
+should upgrade to 2.0 or later as soon as possible (1.x is not formally
 maintained anymore). When upgrading, please keep in mind that 2.x releases
 require Java 8 or higher.
 
- The 1.x branch is vulnerable to denial of service attacks in var() substitution.
-Although the latest 1.x code has a tentative mitigation, it may not work in all
-cases and the usage of 1.x to process untrusted CSS should be avoided.
-
 
 Description
 -----------