From 7b9dba6afa48d95d6edae34d7d8911400274ba2a Mon Sep 17 00:00:00 2001
From: gotjosh <josue.abreu@gmail.com>
Date: Fri, 25 Aug 2023 11:20:52 +0100
Subject: [PATCH] Add a `[SECURITY]` to the changelog and update CVE-2023-40577

Some users have been vocal about the security fix not visible enough in the changelog, it seems like prometheus uses [SECURITY] to disclose these and I think it's a good practice.

A copy of #3487 but for the release branch of 0.26

Signed-off-by: gotjosh <josue.abreu@gmail.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index db8da016..2dd13ca3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ## 0.26.0 / 2023-08-23
 
+* [SECURITY] Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI. CVE-2023-40577
 * [CHANGE] Telegram Integration: `api_url` is now optional. #2981
 * [CHANGE] Telegram Integration: `ParseMode` default is now `HTML` instead of `MarkdownV2`. #2981
 * [CHANGE] Webhook Integration: `url` is now marked as a secret. It will no longer show up in the logs as clear-text. #3228
@@ -25,7 +26,6 @@
 * [BUGFIX] API: Fixed duplicate receiver names in the `api/v2/receivers` API endpoint. #3338
 * [BUGFIX] API: Attempting to delete a silence now returns the correct status code, `404` instead of `500`. #3352
 * [BUGFIX] Clustering: Fixes a panic when `tls_client_config` is empty. #3443
-* [BUGFIX] Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI.
 
 ## 0.25.0 / 2022-12-22