From cd031a31052c884a31b01896cbbb35174c283fae Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: May 14 2018 17:11:53 +0000
Subject: Release 4.0.2


Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

---

diff --git a/UPGRADING.rst b/UPGRADING.rst
index 4b62c69..be2105e 100644
--- a/UPGRADING.rst
+++ b/UPGRADING.rst
@@ -1,6 +1,59 @@
 Upgrading Pagure
 ================
 
+From 4.0 or 4.0.1 to 4.0.2
+--------------------------
+
+This is an important security release fixing CVE-2018-1002151.
+This CVE would let anyone with an API token with the modify_project ACL create
+any git branches in any project.
+Create git branches via the API now has a dedicated ACL, so if you are using the
+API to create git branches, you will have to get a new API token with this ACL.
+
+
+From 3.13.1 to 4.0
+------------------
+
+The release 4.0 brings in some major changes (thus the bump in major version).
+The API and user facing code should not have changed but many of the internal
+pieces have. So if you have a script that used some parts of the internal APIs,
+it will likely break.
+
+This release also includes some changes to the database schema:
+
+* Update the data schema using alembic: ``alembic upgrade head``
+
+And some new configuration keys:
+* SESSION_TYPE
+* GITOLITE_HAS_COMPILE_1
+* FAST_CELERY_QUEUE
+* MEDIUM_CELERY_QUEUE
+* SLOW_CELERY_QUEUE
+* STOMP_NOTIFICATIONS
+* STOMP_BROKERS
+* STOMP_HIERARCHY
+* STOMP_SSL
+* STOMP_KEY_FILE
+* STOMP_CERT_FILE
+* STOMP_CREDS_PASSWORD
+* PROJECT_TEMPLATE_PATH
+* FORK_TEMPLATE_PATH
+* ENABLE_DOCS
+* FEDMSG_NOTIFICATIONS
+* ALWAYS_FEDMSG_ON_COMMITS
+* FLAG_STATUSES_LABELS
+* FLAG_SUCCESS
+* FLAG_FAILURE
+* FLAG_PENDING
+
+The following configuration keys have been removed/deprecated:
+* DOCS_FOLDER
+* REQUESTS_FOLDER
+* TICKETS_FOLDER
+
+All of these are documentated at: https://docs.pagure.org/pagure/configuration.html
+
+
 From 3.13 to 3.13.1
 -------------------
 
diff --git a/doc/changelog.rst b/doc/changelog.rst
index 1fe4014..e07f141 100644
--- a/doc/changelog.rst
+++ b/doc/changelog.rst
@@ -3,6 +3,20 @@ Changelog
 
 This document records all notable changes to `Pagure <https://pagure.io>`_.
 
+4.0.2 (2018-05-14)
+------------------
+
+.. note:: This release fixes CVE-2018-1002151
+
+- Fix showing the list of issues in a timely fashion (Patrick Uiterwijk)
+- Fix stats for commits without author (Lubomír Sedlář)
+- Explain how to fetch a pull request locally and some grammar fixes
+  (Todd Zullinger)
+- Drop the constraint on the requirement on straight.plugin but document it
+- Fix the requirement on bcrypt, it's optional
+- Make API endpoint for creating new git branch have its own ACL
+  fixes CVE-2018-1002151
+
 4.0.1 (2018-04-26)
 ------------------
 
diff --git a/doc/contributors.rst b/doc/contributors.rst
index abfb010..d3fdd65 100644
--- a/doc/contributors.rst
+++ b/doc/contributors.rst
@@ -3,23 +3,23 @@ Contributors to pagure
 
 Pagure would be nothing without its contributors.
 
-On April 26, 2018 (release 4.0.1) the list looks as follow:
+On May 14, 2018 (release 4.0.2) the list looks as follow:
 
 =================  ===========
 Number of commits  Contributor
 =================  ===========
-  5831              Pierre-Yves Chibon <pingou@pingoured.fr>
+  5839              Pierre-Yves Chibon <pingou@pingoured.fr>
    193              Ryan Lerch <rlerch@redhat.com>
    172              Vivek Anand <vivekanand1101@gmail.com>
    139              farhaanbukhsh <farhaan.bukhsh@gmail.com>
-   130              Patrick Uiterwijk <puiterwijk@redhat.com>
+   131              Patrick Uiterwijk <puiterwijk@redhat.com>
    125              Clement Verna <cverna@tutanota.com>
     85              Farhaan Bukhsh <farhaan.bukhsh@gmail.com>
     59              Johan Cwiklinski <johan@x-tnd.be>
     47              Mark Reynolds <mreynolds@redhat.com>
     32              Matt Prahl <mprahl@redhat.com>
     32              Pradeep CE (cep) <breathingcode@gmail.com>
-    30              Lubomír Sedlář <lsedlar@redhat.com>
+    31              Lubomír Sedlář <lsedlar@redhat.com>
     26              Slavek Kabrda <bkabrda@redhat.com>
     23              rahul Bajaj <you@example.com>
     20              Jeremy Cline <jeremy@jcline.org>
@@ -82,6 +82,7 @@ Number of commits  Contributor
      2              Richard Marko <rmarko@fedoraproject.org>
      2              Simo Sorce <simo@redhat.com>
      2              Tim Flink <tflink@fedoraproject.org>
+     2              Todd Zullinger <tmz@pobox.com>
      2              William Moreno Reyes <williamjmorenor@gmail.com>
      2              bruno <bruno@wolff.to>
      2              dhrish20 <dhrish20@gmail.com>
diff --git a/files/pagure.spec b/files/pagure.spec
index fece355..1703bb6 100644
--- a/files/pagure.spec
+++ b/files/pagure.spec
@@ -1,5 +1,5 @@
 Name:               pagure
-Version:            4.0.1
+Version:            4.0.2
 Release:            1%{?dist}
 Summary:            A git-centered forge
 
@@ -453,6 +453,9 @@ install -p -m 644 pagure-ev/pagure_ev.service \
 
 
 %changelog
+* Mon May 14 2018 Pierre-Yves Chibon <pingou@pingoured.fr> - 4.0.2-1
+- Update to 4.0.2
+
 * Thu Apr 26 2018 Pierre-Yves Chibon <pingou@pingoured.fr> - 4.0.1-1
 - Update to 4.0.1
 
diff --git a/pagure/__init__.py b/pagure/__init__.py
index 61af657..5249f7c 100644
--- a/pagure/__init__.py
+++ b/pagure/__init__.py
@@ -9,5 +9,5 @@
 """
 
 
-__version__ = '4.0.1'
+__version__ = '4.0.2'
 __api_version__ = '0.23'