# HG changeset patch # User Marcin Kuzminski # Date 2017-10-26 11:20:57 # Node ID 4edcf89e2c6d11840042feae82097746a890984f # Parent 2338f289df2844ea85a9fc91187808c9f719a246 docs: added release notes for 4.9.1 diff --git a/docs/release-notes/release-notes-4.9.1.rst b/docs/release-notes/release-notes-4.9.1.rst new file mode 100644 --- /dev/null +++ b/docs/release-notes/release-notes-4.9.1.rst @@ -0,0 +1,54 @@ +|RCE| 4.9.1 |RNS| +----------------- + +Release Date +^^^^^^^^^^^^ + +- 2017-10-26 + + +New Features +^^^^^^^^^^^^ + + + +General +^^^^^^^ + + + +Security +^^^^^^^^ + +- security(critical): repo-forks: fix issue when forging fork_repo_id parameter + could allow reading other people forks. +- security(high): auth: don't expose full set of permissions into channelstream + payload. Forged requests could return list of private repositories in the system. +- security(medium): general-security: limit the maximum password input length + to 72 characters. +- security(medium): select2: always escape .text attributes to prevent XSS + via branches or tags names. + + + +Performance +^^^^^^^^^^^ + +- git: improve performance and reduce memory usage on large clones. + + + +Fixes +^^^^^ + + +- user-groups: fix potential problem with ldap group sync in external auth plugins. + + + +Upgrade notes +^^^^^^^^^^^^^ + +- This release changes the maximum allowed input password to 72 characters. This + prevent resource consumption attack. If you need longer password than 72 + characters please contact our team. diff --git a/docs/release-notes/release-notes.rst b/docs/release-notes/release-notes.rst --- a/docs/release-notes/release-notes.rst +++ b/docs/release-notes/release-notes.rst @@ -9,6 +9,7 @@ Release Notes .. toctree:: :maxdepth: 1 + release-notes-4.9.1.rst release-notes-4.9.0.rst release-notes-4.8.0.rst release-notes-4.7.2.rst
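Review bot: In the "Upgrade notes" paragraph at the end of the new release-notes-4.9.1.rst, the 72-character password limit is announced without saying whether a longer password is rejected or truncated, or what happens at login to existing accounts whose password is already longer than 72 characters. Please state that behaviour explicitly, since "please contact our team" gives an administrator nothing to plan the upgrade with. Two wording fixes in the same file: "This prevent resource consumption attack" should read "This prevents resource consumption attacks", and "could allow reading other people forks" in the Security list should read "other people's forks". The "New Features" and "General" headings have no entries; either drop them for this release or add a "no changes" line so the rendered page does not show empty sections.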