Release v1.8.16

CHANGELOG.md

@@ -1,3 +1,25 @@
+# 1.8.16
+
+### Security fixes
+
+If you cannot upgrade to v1.8.16 for some reason, you are encouraged to try
+cherry-picking the fixes to the version you are running:
+
+```shell
+git cherry-pick b7065eb9a0ec..77bcb507b30e
+```
+
+* Maliciously crafted `.etherpad` files can no longer overwrite arbitrary
+  non-pad database records when imported.
+* Imported `.etherpad` files are now subject to numerous consistency checks
+  before any records are written to the database. This should help avoid
+  denial-of-service attacks via imports of malformed `.etherpad` files.
+
+### Notable enhancements and fixes
+
+* Fixed several `.etherpad` import bugs.
+* Improved support for large `.etherpad` imports.
+
 # 1.8.15
 
 ### Security fixes

src/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "ep_etherpad-lite",
-  "version": "1.8.15",
+  "version": "1.8.16",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {

src/package.json

@@ -246,6 +246,6 @@
     "test": "mocha --timeout 120000 --recursive tests/backend/specs ../node_modules/ep_*/static/tests/backend/specs",
     "test-container": "mocha --timeout 5000 tests/container/specs/api"
   },
-  "version": "1.8.15",
+  "version": "1.8.16",
   "license": "Apache-2.0"
 }