BookStack Code Mirror - website/commitdiff
Prepared content for v23.10.3 post
author: Dan Brown <redacted>
Sun, 19 Nov 2023 20:19:19 +0000 (20:19 +0000)
committer: Dan Brown <redacted>
Sun, 19 Nov 2023 20:19:19 +0000 (20:19 +0000)
content/blog/2023/security-release-v23-10-3.md [new file with mode: 0644]
content/docs/admin/updates.md
static/images/blog-cover-images/unsplash/fence-squirrel-mitchell-orr.jpg [new file with mode: 0644]

diff --git a/content/blog/2023/security-release-v23-10-3.md b/content/blog/2023/security-release-v23-10-3.md
new file mode 100644 (file)
index 0000000..ed2bbc4
--- /dev/null
@@ -0,0 +1,39 @@
++++
+categories = ["Releases"]
+tags = ["Releases"]
+title = "BookStack Security Release v23.10.3"
+date = 2023-11-20T12:00:00Z
+author = "Dan Brown"
+image = "/images/blog-cover-images/unsplash/fence-squirrel-mitchell-orr.jpg"
+slug = "bookstack-release-v23-10-3"
+draft = false
++++
+
+BookStack v23.10.3 has been released.
+This is a security release that addresses a vulnerability in image handling which could be
+exploited to perform server-side requests or read the contents of files on the server system.
+
+Upgrade is strongly advised where untrusted users have permission to create/edit/update page
+content in your instance.
+
+* [Update instructions](https://www.bookstackapp.com/docs/admin/updates)
+* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v23.10.3)
+
+Thanks to [Carlos Bello](https://www.linkedin.com/in/carlos-andres-bello/) from the 
+[Fluid Attacks](https://fluidattacks.com/) Research Team for discovering and reporting
+this vulnerability.
+
+### Full List of Changes
+
+* Updated thumbnail handling to for use of content as image data. ([#4681](https://github.com/BookStackApp/BookStack/pull/4681))
+
+### For More Information
+
+If you have any questions or comments about this advisory:
+* Open an issue in [the BookStack GitHub repository](https://github.com/BookStackApp/BookStack/issues).
+* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).
+* Follow the [BookStack security policy](https://github.com/BookStackApp/BookStack/blob/development/.github/SECURITY.md) to contact someone privately.
+
+----
+
+<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@mitchorr?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash">Mitchell Orr</a> on <a href="https://unsplash.com/photos/squirrel-on-wooden-fence-42ApCULIolY?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash">Unsplash</a></span></span>
\ No newline at end of file
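Review bot: the changelog bullet `+* Updated thumbnail handling to for use of content as image data.` has a stray or missing word ("to for use") and does not tell the reader what #4681 actually changed; either drop the extra "to" or complete the intended verb phrase so the entry states the fix plainly. The advisory also names no affected version range, only the fixed v23.10.3; adding which releases are vulnerable (or stating that all prior releases are) would let admins judge exposure without reading the PR. Minor wording: "Upgrade is strongly advised" reads better as "Upgrading is strongly advised", and the file ends without a trailing newline.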
index 9b0d4f92f6676b547a0552bb4dc65bdef0ed84f8..8698742a665ae36c8e47a1f921803779d1cbe430 100644 (file)
@@ -41,6 +41,10 @@ This is primarily a list of breaking changes & security notices.
 Details of updates can be found on [our blog](https://www.bookstackapp.com/blog/) or via 
 the [GitHub releases page](https://github.com/BookStackApp/BookStack/releases).
 
+#### Updating to v23.10.3 or higher
+
+**Security** - v23.10.3 addresses a vulnerability relating to image handling which could be exploited, by users with the ability to create/edit/update page content, to perform server-side requests or read the contents of files on the server system.
+
 #### Updating to v23.10 or higher
 
 **User Detail/Preference Changes** - Many of the URLs, paths and interfaces for user-self management have changed in this release. You may need to update any documentation or user guidance you may have surrounding users updating their own details or preferences.
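Review bot: the new `**Security**` entry under `#### Updating to v23.10.3 or higher` describes the impact and the exploiting role but gives no pointer to further detail; since the paragraph just above says details live on the blog, consider linking the release post added in this commit (slug `bookstack-release-v23-10-3`) or the GitHub release from this entry so admins land on the changelog and PR #4681 directly. The header wording and its placement above the v23.10 section match the existing reverse-chronological layout of this file.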
diff --git a/static/images/blog-cover-images/unsplash/fence-squirrel-mitchell-orr.jpg b/static/images/blog-cover-images/unsplash/fence-squirrel-mitchell-orr.jpg
new file mode 100644 (file)
index 0000000..7ba6c12
--- /dev/null
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ef63acd4bf8e7139f9d6723bbcc961a1343ea392df97b823b18fe00e7919098a
+size 361624
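Review bot: this hunk commits a Git LFS pointer (`+version https://git-lfs.github.com/spec/v1` plus oid and size) rather than the JPEG bytes, so the cover image referenced by the blog post's `image = "/images/blog-cover-images/unsplash/fence-squirrel-mitchell-orr.jpg"` front matter only renders if the site build fetches LFS objects; otherwise the three-line pointer text is what gets served at that path. Worth confirming that the publishing pipeline runs `git lfs pull` (or an equivalent LFS checkout) before the static build.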