Merge branch 'update-loofah-rails-html-sanitizer' into 'master'

Add note to update loofah and rails-html-sanitizer.

See merge request schleuder/schleuder-website!39

1 files changed, 2 insertions, 0 deletions

diff --git a/index.md b/index.md
index ed5ae0c..e2d5d5a 100644
--- a/index.md
+++ b/index.md
@@ -18,6 +18,8 @@ To **be notified** of news about Schleuder subscribe to [schleuder-announce](htt
 
 ## News
 
+2018-03-28: **Vulnerability in dependencies of schleuder-web.** Anyone running schleuder-web should update the gems "loofah" and "rails-html-sanitizer" by running "bundle update loofah rails-html-sanitizer" as soon as possible. (See [CVE-2018-8048](https://github.com/flavorjones/loofah/issues/144) and [CVE-2018-3741](https://hackerone.com/reports/328270) for details.)
+
 2018-02-19: **Linux-packages for Schleuder 3.2.2 available.** For Debian (stretch-backports) and CentOS (EL 7) there are now packages of Schleuder version 3.2.2 available to easily install and upgrade it. Please see the [installation instructions](https://schleuder.nadir.org/docs/#installation) for details on how to use the packages. For details about version 3.2.2 please read the [changelog](https://0xacab.org/schleuder/schleuder/blob/master/CHANGELOG.md#322-2018-02-06).
 
 2018-02-06: **Schleuder 3.2.2 released!** This release fixes some minor bugs, e.g. with lingering dirmngr-processes, parsing keywords from big messages, and OpenPGP-keys with non-ASCII-characters. It also pins the "mail"-library to version 2.6, because 2.7 seems to have problems. For all details please see the [changelog](https://0xacab.org/schleuder/schleuder/blob/master/CHANGELOG.md#322-2018-02-06).