Add release notes for 6.0.6

Author: gasman

CHANGELOG.txt

@@ -131,6 +131,12 @@ Changelog
  * Maintenance: Refactor the Django port of `urlify` to use TypeScript, officially deprecate `window.URLify` global util (LB (Ben) Johnston)
 
 
+6.0.6 (11.07.2024)
+~~~~~~~~~~~~~~~~~~
+
+ * Fix: CVE-2024-39317: Regular expression denial-of-service via search query parsing (Jake Howard)
+
+
 6.0.5 (30.05.2024)
 ~~~~~~~~~~~~~~~~~~
 

docs/releases/6.0.6.md

@@ -0,0 +1,20 @@
+# Wagtail 6.0.6 release notes
+
+_July 11, 2024_
+
+```{contents}
+---
+local:
+depth: 1
+---
+```
+
+## What's new
+
+### CVE-2024-39317: Regular expression denial-of-service via search query parsing
+
+This release addresses a denial-of-service vulnerability in Wagtail. A bug in Wagtail's [`parse_query_string`](wagtailsearch_query_string_parsing) would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service.
+
+In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses parse_query_string, it may be exploitable by other users (e.g. unauthenticated users).
+
+Many thanks to Jake Howard for reporting and fixing this issue. For further details, please see [the CVE-2024-39317 security advisory](https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8).

docs/releases/index.rst

@@ -8,6 +8,7 @@ Release notes
    6.1.2
    6.1.1
    6.1
+   6.0.6
    6.0.5
    6.0.4
    6.0.3