[chore] Include explicit mention of GHSA-c74f-6mfw-mm4v in changelog (o…

…pen-telemetry#10332) Mentions GHSA-c74f-6mfw-mm4v explicitly in the changelog
hypertrace · Jun 5, 2024 · d5dd7a6 · d5dd7a6
1 parent 86ee482
commit d5dd7a6
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 14 deletions.
diff --git a/.chloggen/jpkroehling-configgrpc-use-own-compressors-for-zstd.yaml b/.chloggen/jpkroehling-configgrpc-use-own-compressors-for-zstd.yaml
diff --git a/CHANGELOG-API.md b/CHANGELOG-API.md
@@ -7,8 +7,14 @@ If you are looking for user-facing changes, check out [CHANGELOG.md](./CHANGELOG
 
 <!-- next version -->
 
+## v0.102.1
+
+No API-only changes on this release. **This release addresses [GHSA-c74f-6mfw-mm4v](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v) for `configgrpc`.**
+
 ## v1.9.0/v0.102.0
 
+**This release addresses [GHSA-c74f-6mfw-mm4v](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v) for `confighttp`.**
+
 ### 🛑 Breaking changes 🛑
 
 - `otelcol`: Remove deprecated `ConfigProvider` field from `CollectorSettings` (#10281)

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,12 +7,22 @@ If you are looking for developer-facing changes, check out [CHANGELOG-API.md](./
 
 <!-- next version -->
 
+## v0.102.1
+
+**This release addresses [GHSA-c74f-6mfw-mm4v](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v) for `configgrpc`.**
+
+### 🧰 Bug fixes 🧰
+
+- `configrpc`: Use own compressors for zstd. Before this change, the zstd compressor we used didn't respect the max message size. This addresses [GHSA-c74f-6mfw-mm4v](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v) for `configgrpc` (#10323)
+
 ## v1.9.0/v0.102.0
 
+**This release addresses [GHSA-c74f-6mfw-mm4v](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v) for `confighttp`.**
+
 ### 🛑 Breaking changes 🛑
 
 - `envprovider`: Restricts Environment Variable names.  Environment variable names must now be ASCII only and start with a letter or an underscore, and can only contain underscores, letters, or numbers. (#9531)
-- `confighttp`: Apply MaxRequestBodySize to the result of a decompressed body (#10289)
+- `confighttp`: Apply MaxRequestBodySize to the result of a decompressed body. This addresses [GHSA-c74f-6mfw-mm4v](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v) for `confighttp` (#10289)
   When using compressed payloads, the Collector would verify only the size of the compressed payload. 
   This change applies the same restriction to the decompressed content. As a security measure, a limit of 20 MiB was added, which makes this a breaking change. 
   For most clients, this shouldn't be a problem, but if you often have payloads that decompress to more than 20 MiB, you might want to either configure your