From f844fffd1ebd4178292df09ce181ad0d6db4038f Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Mon, 31 Mar 2025 18:27:01 -0400 Subject: v1.15.1: Zenos yae Galvus: Echo 1 (#181) * version 1.15.0 (#144) Signed-off-by: Xe Iaso * cmd/anubis actually check the result with the correct difficulty Signed-off-by: Xe Iaso * v1.15.1: Zenos yae Galvus: Echo 1 Signed-off-by: Xe Iaso --------- Signed-off-by: Xe Iaso Co-authored-by: Henri Vasserman --- docs/docs/CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'docs') diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 86c728f..d2a6498 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -11,6 +11,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## v1.15.1 + +Zenos yae Galvus: Echo 1 + +Fixes a recurrence of [CVE-2025-24369](https://github.com/Xe/x/security/advisories/GHSA-56w8-8ppj-2p4f) +due to an incorrect logic change in a refactor. This allows an attacker to mint a valid +access token by passing any SHA-256 hash instead of one that matches the proof-of-work +test. + +This case has been added as a regression test. It was not when CVE-2025-24369 was released +due to the project not having the maturity required to enable this kind of regression testing. + ## v1.15.0 Zenos yae Galvus -- cgit v1.2.3
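Review bot: In the added v1.15.1 entry, the sentence "This allows an attacker to mint a valid access token" is ambiguous, because "This" follows the sentence about the fix and can be read as describing the fixed behaviour. Suggest past tense with an explicit subject, for example "The regression allowed an attacker to mint a valid access token by passing any SHA-256 hash". The entry also does not say which release or releases carry the incorrect refactor, so a reader cannot tell from the changelog alone whether their deployment is affected; name the affected versions next to the CVE link. In the second paragraph, "It was not when CVE-2025-24369 was released" drops its verb and uses "released" for a CVE; something like "It was not added when CVE-2025-24369 was fixed" reads more clearly. Since the diffstat here is limited to docs, the regression test the entry mentions is not visible in this view, and it would help to reference the test by name in the entry.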