From f119c885228a515c7bf1d659ec1549a3587a2098 Mon Sep 17 00:00:00 2001
From: Michael Hawkins
Date: Wed, 19 Jun 2024 01:21:22 +0800
Subject: [PATCH] [docs] Add security announcements to 4.4.1 and friends
---
 general/releases/4.1/4.1.11.md | 9 +++++++--
 general/releases/4.2/4.2.8.md | 9 +++++++--
 general/releases/4.3/4.3.5.md | 9 +++++++--
 general/releases/4.4/4.4.1.md | 9 +++++++--
 4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/general/releases/4.1/4.1.11.md b/general/releases/4.1/4.1.11.md
index a963178f5b..b5b3cde714 100644
--- a/general/releases/4.1/4.1.11.md
+++ b/general/releases/4.1/4.1.11.md
@@ -18,5 +18,10 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+
+- [MSA-24-0021](https://moodle.org/mod/forum/discuss.php?d=459498) - BigBlueButton web service leaks meeting joining information to users who should not have access
+- [MSA-24-0022](https://moodle.org/mod/forum/discuss.php?d=459499) - Stored XSS via calendar's event title when deleting the event
+- [MSA-24-0023](https://moodle.org/mod/forum/discuss.php?d=459500) - HTTP authorization header is preserved between "emulated redirects"
+- [MSA-24-0024](https://moodle.org/mod/forum/discuss.php?d=459501) - CSRF risks due to misuse of confirm_sesskey
+- [MSA-24-0025](https://moodle.org/mod/forum/discuss.php?d=459502) - QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
+
diff --git a/general/releases/4.2/4.2.8.md b/general/releases/4.2/4.2.8.md
index 4f72985e4a..ff3909a1a9 100644
--- a/general/releases/4.2/4.2.8.md
+++ b/general/releases/4.2/4.2.8.md
@@ -19,5 +19,10 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+
+- [MSA-24-0021](https://moodle.org/mod/forum/discuss.php?d=459498) - BigBlueButton web service leaks meeting joining information to users who should not have access
+- [MSA-24-0022](https://moodle.org/mod/forum/discuss.php?d=459499) - Stored XSS via calendar's event title when deleting the event
+- [MSA-24-0023](https://moodle.org/mod/forum/discuss.php?d=459500) - HTTP authorization header is preserved between "emulated redirects"
+- [MSA-24-0024](https://moodle.org/mod/forum/discuss.php?d=459501) - CSRF risks due to misuse of confirm_sesskey
+- [MSA-24-0025](https://moodle.org/mod/forum/discuss.php?d=459502) - QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
+
diff --git a/general/releases/4.3/4.3.5.md b/general/releases/4.3/4.3.5.md
index f028d9a044..2fd7e80e6c 100644
--- a/general/releases/4.3/4.3.5.md
+++ b/general/releases/4.3/4.3.5.md
@@ -59,5 +59,10 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+
+- [MSA-24-0021](https://moodle.org/mod/forum/discuss.php?d=459498) - BigBlueButton web service leaks meeting joining information to users who should not have access
+- [MSA-24-0022](https://moodle.org/mod/forum/discuss.php?d=459499) - Stored XSS via calendar's event title when deleting the event
+- [MSA-24-0023](https://moodle.org/mod/forum/discuss.php?d=459500) - HTTP authorization header is preserved between "emulated redirects"
+- [MSA-24-0024](https://moodle.org/mod/forum/discuss.php?d=459501) - CSRF risks due to misuse of confirm_sesskey
+- [MSA-24-0025](https://moodle.org/mod/forum/discuss.php?d=459502) - QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
+
diff --git a/general/releases/4.4/4.4.1.md b/general/releases/4.4/4.4.1.md
index 04e2b5f8bc..41c1f33cfc 100644
--- a/general/releases/4.4/4.4.1.md
+++ b/general/releases/4.4/4.4.1.md
@@ -76,5 +76,10 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+
+- [MSA-24-0021](https://moodle.org/mod/forum/discuss.php?d=459498) - BigBlueButton web service leaks meeting joining information to users who should not have access
+- [MSA-24-0022](https://moodle.org/mod/forum/discuss.php?d=459499) - Stored XSS via calendar's event title when deleting the event
+- [MSA-24-0023](https://moodle.org/mod/forum/discuss.php?d=459500) - HTTP authorization header is preserved between "emulated redirects"
+- [MSA-24-0024](https://moodle.org/mod/forum/discuss.php?d=459501) - CSRF risks due to misuse of confirm_sesskey
+- [MSA-24-0025](https://moodle.org/mod/forum/discuss.php?d=459502) - QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
+