Add release notes for 2.12.9
Change-Id: Ieb0beeccb38dd407201e3e053365e3134bec862b
diff --git a/pages/site/releases/2.12.md b/pages/site/releases/2.12.md
index 78d151c..cb405db 100644
--- a/pages/site/releases/2.12.md
+++ b/pages/site/releases/2.12.md
@@ -5,7 +5,8 @@
hide_navtoggle: true
toc: true
---
-Download: **[2.12.8](https://gerrit-releases.storage.googleapis.com/gerrit-2.12.8.war)**
+Download: **[2.12.9](https://gerrit-releases.storage.googleapis.com/gerrit-2.12.9.war)**
+| [2.12.8](https://gerrit-releases.storage.googleapis.com/gerrit-2.12.8.war)
| [2.12.7](https://gerrit-releases.storage.googleapis.com/gerrit-2.12.7.war)
| [2.12.6](https://gerrit-releases.storage.googleapis.com/gerrit-2.12.6.war)
| [2.12.5](https://gerrit-releases.storage.googleapis.com/gerrit-2.12.5.war)
@@ -15,7 +16,8 @@
| [2.12.1](https://gerrit-releases.storage.googleapis.com/gerrit-2.12.1.war)
| [2.12](https://gerrit-releases.storage.googleapis.com/gerrit-2.12.war)
-Documentation: **[2.12.8](https://gerrit-documentation.storage.googleapis.com/Documentation/2.12.8/index.html)**
+Documentation: **[2.12.9](https://gerrit-documentation.storage.googleapis.com/Documentation/2.12.9/index.html)**
+| [2.12.8](https://gerrit-documentation.storage.googleapis.com/Documentation/2.12.8/index.html)
| [2.12.7](https://gerrit-documentation.storage.googleapis.com/Documentation/2.12.7/index.html)
| [2.12.6](https://gerrit-documentation.storage.googleapis.com/Documentation/2.12.6/index.html)
| [2.12.5](https://gerrit-documentation.storage.googleapis.com/Documentation/2.12.5/index.html)
@@ -441,6 +443,46 @@
## Bugfix Releases
+### 2.12.9
+
+* [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
+Fix validation of `wants` in `git-upload-pack` for protocol v0 bidirectional transports.
+
+ See the following section for details.
+
+* Upgrade JGit to 4.5.5.201812240535-r.
+
+ This upgrade includes several versions since 4.1.2 used in Gerrit
+ version 2.12.8. Important fixes are summarized below. Please refer to the
+ corresponding JGit release notes for full details.
+
+ * [JGit 4.5.5](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.5):
+
+ * [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
+ Fix validation of `wants` in `git-upload-pack` for protocol v0 bidirectional transports.
+
+ AdvertiseRefsHook was not called for `git-upload-pack` in protocol v0
+ bidirectional transports, meaning that `wants` were not validated and
+ a user could fetch anything that is pointed to by any ref (using fetch-by-sha1),
+ as long as they could guess the object name.
+
+ * [JGit 4.5.4](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.4):
+
+ * Fix LockFile semantics when running on NFS.
+ * Honor trustFolderStats also when reading packed-refs.
+
+ * [JGit 4.5.3](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.3):
+
+ * Fix exception handling for opening bitmap index files.
+
+ * [JGit 4.5.2](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.2):
+
+ * Fix pack marked as corrupted even if it isn't.
+
+ * [JGit 4.5.1](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.2):
+
+ * Don't remove Pack when FileNotFoundException is transient.
+
### 2.12.8
* Upgrade jsch to 0.1.54 to fix [CVE-2016-5725](https://nvd.nist.gov/vuln/detail/CVE-2016-5725):
Directory traversal vulnerability.