Update 2.15.8 release notes
Change-Id: I76faf0d57a2725c148b44a00347d2961175807e0
diff --git a/pages/site/releases/2.15.md b/pages/site/releases/2.15.md
index dc91c9c..369d433 100644
--- a/pages/site/releases/2.15.md
+++ b/pages/site/releases/2.15.md
@@ -381,7 +381,7 @@
* Update Jetty to 9.3.18.v20170406 (updated to 9.3.24.v20180605 in 2.15.7)
-* Update JGit to 4.9.0.201710071750-r (updated to 4.9.7.201810191756-r in 2.15.6)
+* Update JGit to 4.9.0.201710071750-r (updated to 4.9.8.201812241815-r in 2.15.8)
* Update Joda-Time to 2.9.9
@@ -399,6 +399,23 @@
### 2.15.8
+* [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
+Upgrade JGit to 4.9.8.201812241815-r to fix validation of `wants` in
+`git-upload-pack` for protocol v0 bidirectional transports.
+
+ AdvertiseRefsHook was not called for `git-upload-pack` in protocol v0
+ bidirectional transports, meaning that `wants` were not validated and
+ a user could fetch anything that is pointed to by any ref (using fetch-by-sha1),
+ as long as they could guess the object name.
+
+* [Issue 10242](https://bugs.chromium.org/p/gerrit/issues/detail?id=10242):
+Fix regression that allows a user's account to be taken over when multiple
+authentication providers are in use.
+
+ A regression introduced in 2.14.7 allowed a user's account to be taken
+ over by creating an account on a different provider with exactly the same
+ username as the existing Gerrit account.
+
* [Issue 10082](https://bugs.chromium.org/p/gerrit/issues/detail?id=10082):
Decouple online reindex activation from index module.
