From 82518304b3594f037a2f266231471ea2ae73008c Mon Sep 17 00:00:00 2001 From: SomberNight Date: Tue, 7 Jun 2022 16:24:07 +0200 Subject: [PATCH] release notes: mention security fix in 4.2.2 --- RELEASE-NOTES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index d8f73733c..24fa5d44b 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -12,6 +12,9 @@ * fix AppImage failing to run on certain systems (#7784) * fix "Automated BIP39 recovery" not scanning change paths (#7804) * bypass network proxy for localhost electrum server (#3126) + * security fix: remove support of "file://" URIs from BIP70 payment + requests, which could be used to trigger "open()" on arbitrary files + (see https://github.com/spesmilo/electrum/security/advisories/GHSA-4fh4-hx35-r355) # Release 4.2.1 - (March 26, 2022)
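Review bot: The new "security fix" bullet is appended as the last entry before the "# Release 4.2.1" header, after the AppImage, BIP39 recovery and proxy fixes, so it is the easiest item in the list to miss. Consider moving it to the top of this release's entries so that someone skimming the notes sees it first. The wording also says only that "file://" URIs "could be used to trigger "open()" on arbitrary files". It does not say which earlier releases accept such URIs or what a user should do. A short clause taken from the linked advisory naming the affected versions, plus an explicit recommendation to upgrade, would let the entry stand on its own for readers who do not follow the link.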