Merge pull request #428 from marcandre/change_fix

Make changes more precise [#424]
flori · Jun 30, 2020 · 7cc9301 · 7cc9301
2 parents f8fa987 + 9e2a1fb
commit 7cc9301
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,7 +1,10 @@
 # Changes
 
 ## 2019-12-11 (2.3.0)
- * Fix default of `create_additions` to always be false [CVE-2020-10663]
+ * Fix default of `create_additions` to always be `false` for `JSON(user_input)`
+   and `JSON.parse(user_input, nil)`.
+   Note that `JSON.load` remains with default `true` and is meant for internal
+   serialization of trusted data. [CVE-2020-10663]
  * Fix passing args all #to_json in json/add/*.
  * Fix encoding issues
  * Fix issues of keyword vs positional parameter