
Commit 9234b29

forced-request, brentjo and megbird authored
Added notes for silent fix to address kramdown vulnerability (#18011)
* Added notes for silent fix to address kramdown vulnerability https://github.com/github/products-cna/pull/15#issuecomment-784526977
* Update 0.yml
* added note about bug bounty program
* Updated Verbiage
* Update 0.yml
* Update data/release-notes/3-0/0.yml

Co-authored-by: Brent Johnson <6415223+brentjo@users.noreply.github.com>
Co-authored-by: Meg Bird <megbird@github.com>
1 parent 0385842 commit 9234b29

1 file changed

Lines changed: 2 additions & 0 deletions


data/release-notes/3-0/0.yml

@@ -1,6 +1,8 @@
11
date: '2021-02-16'
22
intro: The minimum infrastructure requirements have increased for {% data variables.product.prodname_ghe_server %} 3.0+. For more information, see "[About minimum requirements for GitHub Enterprise Server 3.0 and later](/admin/enterprise-management/upgrading-github-enterprise-server#about-minimum-requirements-for-github-enterprise-server-30-and-later)."
33
sections:
4+
security_fixes:
5+
- '**HIGH:** A remote code execution vulnerability was identified in {% data variables.product.prodname_ghe_server %} that could be exploited when building a {% data variables.product.prodname_pages %} site. User-controlled configuration of the underlying parsers used by {% data variables.product.prodname_pages %} were not sufficiently restricted and made it possible to execute commands on the {% data variables.product.prodname_ghe_server %} instance. To exploit this vulnerability, an attacker would need permission to create and build a {% data variables.product.prodname_pages %} site on the {% data variables.product.prodname_ghe_server %} instance. This vulnerability has been assigned CVE-2020-10519 and was reported via the [GitHub Bug Bounty Program](https://bounty.github.com).'
46
features:
57
- heading: GitHub Actions
68
notes:
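
Review bot: The new `security_fixes` entry does not state which releases were affected or whether the fix first shipped in 3.0.0, so an administrator reading this note cannot tell if an older instance still needs an upgrade; consider adding a sentence naming the affected and fixed versions. In the same entry, "User-controlled configuration of the underlying parsers ... were not sufficiently restricted" has a subject-verb mismatch and should read "configuration ... was not sufficiently restricted". The commit title refers to a kramdown vulnerability while the note only says "underlying parsers"; if the component can be named publicly, doing so would help operators match this entry to CVE-2020-10519.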
