From dcd5e48d7b47e824821f96b575e1cad7349dc86f Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Wed, 13 Dec 2023 16:13:58 +0100
Subject: [PATCH] REL: prepare release 0.12.1

---
 CHANGELOG.md    | 29 ++++++++++++++++++++---------
 CITATION.cff    |  4 ++--
 caosdb-webui    |  2 +-
 pom.xml         |  2 +-
 src/doc/conf.py |  4 ++--
 5 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc91c68a..22e9479e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,20 +5,31 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
-
-### Added
-
-### Changed
-
-### Deprecated
-
-### Removed
+## [0.12.1] - 2023-12-13
+(Timm Fitschen)
 
 ### Fixed
 
+* Insufficient permission checks during subproperty filters of SELECT queries
+  when an entity with retrieve permissions references one without
+  [linkahead-server#244](https://gitlab.com/linkahead/linkahead-server/-/issues/244)
+* Insufficient permission checks in queries when a name of an invisible record
+  is used in a filter where a visible record references the invisible one
+  [linkahead-server#242](https://gitlab.com/linkahead/linkahead-server/-/issues/242)
+
 ### Security
 
+This is an important security patch release. The bugs
+[linkahead-server#244](https://gitlab.com/linkahead/linkahead-server/-/issues/244)
+and
+[linkahead-server#242](https://gitlab.com/linkahead/linkahead-server/-/issues/242)
+possibly leak sensitive data when an attacker with read access to linkahead
+(i.e. the attacker needs an active user account or anonymous needs to be
+enabled) can guess the name of entities or properties of referenced entities
+and construct a malicious FIND or SELECT statement and when the attacker has
+read permissions for an entity which references the entities containing the
+sensitive information. See the bug reports for more information.
+
 ## [0.12.0] - 2023-10-25
 (Timm Fitschen)
 
diff --git a/CITATION.cff b/CITATION.cff
index a7c72943..77f72467 100644
--- a/CITATION.cff
+++ b/CITATION.cff
@@ -23,6 +23,6 @@ authors:
     given-names: Stefan
     orcid: https://orcid.org/0000-0001-7214-8125
 title: "CaosDB - Server"
-version: 0.12.0
+version: 0.12.1
 doi: 10.3390/data4020083
-date-released: 2023-10-25
+date-released: 2023-12-13
diff --git a/caosdb-webui b/caosdb-webui
index d5f9090e..6e4db2f9 160000
--- a/caosdb-webui
+++ b/caosdb-webui
@@ -1 +1 @@
-Subproject commit d5f9090eca25a92fc44dbeeba305768e8d9f4bcb
+Subproject commit 6e4db2f99e1d441bbda9ccca85fae45526018406
diff --git a/pom.xml b/pom.xml
index abe5e282..82ac0c1e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -25,7 +25,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.caosdb</groupId>
   <artifactId>caosdb-server</artifactId>
-  <version>0.13.0-SNAPSHOT</version>
+  <version>0.12.1</version>
   <packaging>jar</packaging>
   <name>CaosDB Server</name>
   <scm>
diff --git a/src/doc/conf.py b/src/doc/conf.py
index 530d8d65..e1471488 100644
--- a/src/doc/conf.py
+++ b/src/doc/conf.py
@@ -26,9 +26,9 @@ copyright = '2023, IndiScale GmbH'
 author = 'Daniel Hornung, Timm Fitschen'
 
 # The short X.Y version
-version = '0.13.0'
+version = '0.12.1'
 # The full version, including alpha/beta/rc tags
-release = '0.13.0-dev'
+release = '0.12.1'
 
 
 # -- General configuration ---------------------------------------------------
-- 
GitLab