author: Jeremy Evans <code@jeremyevans.net> 2020-07-16 10:31:26 -0700
committer: Jeremy Evans <code@jeremyevans.net> 2020-07-16 10:46:17 -0700
commit: 297bf998b96dad0636de6affbcc791ff0c26d5bb
tree: 731e927564aa3ce2594b20c8cca14919d21d2e16
parent: 294fd239a71aab805877790f0a92ee3c72e67d79
Add 2.2.3 information to CHANGELOG
Fixes #1693
-rw-r--r-- CHANGELOG.md 6
1 files changed, 6 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e377de6..773585e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,12 @@ All notable changes to this project will be documented in this file. For info on
- Avoid NoMethodError when accessing Rack::Session::Cookie without requiring delegate first. ([#1610](https://github.com/rack/rack/issues/1610), [@onigra](https://github.com/onigra))
- Handle cookies with values that end in '=' ([#1645](https://github.com/rack/rack/pull/1645), [@lukaso](https://github.com/lukaso))
+## [2.2.3] - 2020-06-15
+
+### Security
+
+- [[CVE-2020-8184](https://nvd.nist.gov/vuln/detail/CVE-2020-8184)] Do not allow percent-encoded cookie name to override existing cookie names. BREAKING CHANGE: Accessing cookie names that require URL encoding with decoded name no longer works. ([@fletchto99](https://github.com/fletchto99))
+
## [2.2.2] - 2020-02-11
### Fixed
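Review bot: the BREAKING CHANGE sentence in the new 2.2.3 Security bullet says lookup by decoded name no longer works but does not say what callers should use instead, and it is easy to miss inside a CVE entry of a patch release. Suggest stating the replacement explicitly (for example, whether such a cookie must now be read by its raw percent-encoded name) so that applications relying on decoded names can find and update those lookups when they upgrade. Unlike the neighbouring entries, which link #1610 and #1645, this bullet carries no PR or commit reference for the fix itself; adding one would let readers locate the code change behind CVE-2020-8184. The heading date 2020-06-15 is a month earlier than this commit (2020-07-16), so it is worth confirming it is the actual 2.2.3 release date and not a typo.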