Update CHANGELOG

CHANGELOG.md

@@ -1,3 +1,33 @@
+## 0.3.0 (Upcoming)
+
+### Notes:
+
+This change contains possible breaking changes to the default go-getter client
+    used in Packer, and Packer plugins, for downloading remote files. Please
+    see [security options](https://github.com/hashicorp/go-
+    getter/tree/v2#security- options) for details on the changes made with go-
+    getter.
+
+## Bug fixes:
+* multistep/commonsteps: Add default timeouts to the GitGetter, HgGetter,
+    S3Getter, and GcsGetter getters to mitigate against resource exhaustion
+    when calling out to external command line applications.
+    [GH-111](https://github.com/hashicorp/packer-plugin-sdk/pull/111)
+* multistep/commonsteps: Disable support for the `X-Terraform-Get` header to
+    mitigate against protocol switching, endless redirect, and configuration
+    bypass abuse of custom HTTP response header processing.
+    [GH-111](https://github.com/hashicorp/packer-plugin-sdk/pull/111)
+* multistep/commonsteps: Update settings for the default go-getter client to
+    prevent arbitrary host access via go-getter's path traversal, symlink
+    processing, and command injection flaws.
+    [GH-111](https://github.com/hashicorp /packer-plugin-sdk/pull/111)
+* sdk: Bump github.com/hashicorp/go-getter/v2, github.com/hashicorp/go-
+    getter/gcs/v2, github.com/hashicorp/go-getter/s3/v2 to address a number of
+    security vulnerabilities as defined in
+    [HCSEC-2022-13](https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-
+    vulnerabilities-in-go-getter-library/39930)
+    [GH-110](https://github.com/hashicorp/packer-plugin-sdk/pull/110)
+
 ## 0.2.13 (May 11, 2022)
 
 * cmd/packer-sdc: Update golang.org/x/tools to fix internal package errors when running code generation commands with Go 1.18 [GH-108](https://github.com/hashicorp/packer-plugin-sdk/pull/108)