Index: trunk/doc/news.html
===================================================================
--- trunk/doc/news.html	(revision 11598)
+++ trunk/doc/news.html	(revision 11599)
@@ -31,6 +31,22 @@
 
 	<tr>
 		<th align=right valign=top bgcolor="#ccccff" width="20%">
+			2017-09-15
+			<br>
+			release: 1.2.5b
+		<td bgcolor="#ddddff">
+			Release 1.2.5b is <a href="releases"> is an 1.2.5 with a <b><a href="security/bug1.html">security fix</a>, please upgrade as soon as possible!</b>  </a>
+
+	<tr>
+		<th align=right valign=top bgcolor="#ccccff" width="20%">
+			2017-08-21
+			<br>
+			release: 1.2.5
+		<td bgcolor="#ddddff">
+			Release 1.2.5 is <a href="releases"> available: it is an 1.2.4 with a few critical bugfixes  </a>
+
+	<tr>
+		<th align=right valign=top bgcolor="#ccccff" width="20%">
 			2017-08-07
 			<br>
 			release: 1.2.4
Index: trunk/doc/security/bug1.html
===================================================================
--- trunk/doc/security/bug1.html	(nonexistent)
+++ trunk/doc/security/bug1.html	(revision 11599)
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+	<title> pcb-rnd - news </title>
+	<meta http-equiv="Content-Type" content="text/html;charset=us-ascii">
+</head>
+<body>
+
+<!--content-->
+<h1> pcb-rnd security related bug #1: execbug </h1>
+<p>
+Users opening untrusted boards or projects may unintentionally execute
+external programs.
+
+<h2> 1. Bug description </h2>
+<p>
+pcb-rnd inherited 5 settings from gEDA/PCB that let pcb-rnd (and PCB)
+execute external processes, wrapping certain file operations:
+<ul>
+	<li> conf_core.rc.save_command
+	<li> conf_core.rc.rat_command
+	<li> conf_core.rc.library_shell
+	<li> conf_core.rc.file_command
+	<li> conf_core.rc.font_command
+</ul>
+<p>
+The old Settings system has been replaced in pcb-rnd; the new conf system
+allows any configuration setting to be specified in a project file or a
+board file. This includes the above 5 items as well.
+<p>
+An attacker may produce a project or a single board file in .pcb or .lht format
+that contains the above config settings, executing arbitrary code on the
+user's computer when pcb-rnd opens or saves the file or loads fonts or
+footprints or netlists.
+
+<h2> 2. How to prevent the attack </h2>
+
+<h3> 2.1. By using a version that is not affected </h3>
+<p>
+<ul>
+	<li> from svn /trunk, any revision newer than r11597
+	<li> last stable release, patched: <a href="releases/pcb-rnd-1.2.5b.tar.gz">1.2.5b</a>
+	<li> old stable release, patched: <a href="releases/pcb-rnd-1.1.4b.tar.gz">1.1.4b</a>
+</ul>
+
+<h3> 2.2. By manually checking board and project files from untrusted source</h3>
+<p>
+Before opening the file, grep for _command and _shell in it, remove
+the offending lines.
+
+
+<h2> 3. What did the patch/fix do </h2>
+<p>
+The patch prevents these 5 settings to take effect when the source of
+the setting is not from one of these:
+<ul>
+	<li> internal (embedded in the executable, used as the ultimate fallback when no config is available)
+	<li> system installed config file (typically under /usr/)
+	<li> user config file (typically in ~/.pcb-rnd/)
+	<li> command line argument (-c)
+</ul>
+<p>
+This bans sources like the board file, the project file and environmental
+variable.
+
+</body>
+</html>
+
+