Commit message Age Author Refs
r2201:ef4a80b9
Added tag v4.9.1 for changeset d9aa3b27ac9f
0
r2200:d9aa3b27
release: Finish preparation for 4.9.1
0
r2199:ec0f640e
release: updated pip2nix output for 4.9.1
0
r2198:2a472a97
release: Start preparation for 4.9.1
0
r2197:4edcf89e
docs: added release notes for 4.9.1
0
r2196:2338f289
select2: always escape .text attributes to prevent XSS via vcs references.
0
r2195:af6ecbb0
repo-forks: stable, security, fix issue when forging fork_repo_id could allow reading other people forks.
0
r2194:90609677
auth: don't expose full set of permissions into channelstream payload. This leads to resource discovery security vulnerability
0
r2193:20e24a44
user-groups: fix potential problem with group sync of external plugins. - when using external plugin we used to check for a parameter that set the sync mode. The problem is we only checked if the flag was there. So toggling sync on and off set the value and then left the key still set but with None. This confused the sync and thought the group should be synced!
0
r2192:a51e727d
security: limit the maximum password length to 72 characters to prevent possible server side resource consumption attack. - bcrypt heavy computation can lead to DOS using a very long password, e.g. 10**8 length. - we allowed this on registration or on password update
0