author: Edward Thomson <ethomson@edwardthomson.com> 2023-01-18 22:32:47 +0000
committer: Edward Thomson <ethomson@edwardthomson.com> 2023-01-18 22:32:47 +0000
commit: ddf3d295f4167e1200981c832499bdb65bcac256 (patch)
tree: 572c4f121f4dd7d0038318349571ba445a04ff3d
parent: c998cb042646750c799d8607e1a14ae213398896 (diff)
download: libgit2-ddf3d295f4167e1200981c832499bdb65bcac256.tar.gz
meta: add changelog for v1.4.5
-rw-r--r--  docs/changelog.md  11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/changelog.md b/docs/changelog.md
index a6794ab9d..7190777b7 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,14 @@
+v1.4.5
+------
+
+🔒 This is a security release to address CVE-2023-22742: when compiled using the optional, included libssh2 backend, libgit2 fails to verify SSH keys by default.
+
+When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.
+
+The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.
+
+All users of the v1.4 release line are recommended to upgrade.
+
v1.4.4
------
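Review bot: the new v1.4.5 entry (the `+` lines above) describes only the pre-fix behaviour, that no checking happens unless the caller sets `certificate_check` in `git_remote_callbacks`, and never says what this release changes; a reader deciding whether to upgrade, or whether code that already sets the callback is affected, cannot tell from this text. Suggest adding one sentence after "may be subject to a man-in-the-middle attack." stating the new default behaviour when no callback is set, and a note on whether existing `certificate_check` callbacks keep working unchanged. Minor wording point: the entry alternates between "SSH keys" and "certificate checking"; since the libssh2 backend is verifying the server's host key, saying "host key" once alongside the `certificate_check` field name would make the CVE description clearer.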