Add release notes for 4.5.9

2025/01/04/cakephp_459.rst

@@ -0,0 +1,37 @@
+CakePHP 4.5.9
+==============
+
+The CakePHP core team is happy to announce the immediate availability of CakePHP
+4.5.9. This is a maintenance release for the 4.4 branch that fixes a few
+community reported issues and a security fix.
+
+Bugfixes
+--------
+
+You can expect the following changes in 4.5.9. See the `changelog
+<https://github.com/cakephp/cakephp/compare/4.5.8...4.5.9>`_ for every commit.
+
+- Requests now read the uri from REQUEST_URI instead of PATH_INFO. PATH_INFO
+  has urlescaping applied which enables requests with %2f to be routed when they
+  should not. This could create a security risk for applications that use CDN or
+  loadbalancer rules with paths to be bypassed.
+- Fix ORM queries not being able to set read role.
+
+Contributors to 4.5.9
+----------------------
+
+Thank you to all the contributors that helped make this release happen:
+
+- Jeppe Bonde Weikop for reporting the PATH_INFO issue.
+- Kevin Pfeifer
+- Mark Story
+
+As always, we would like to thank all the contributors that opened issues,
+created pull requests or updated the documentation.
+
+Download a `packaged release on github
+<https://github.com/cakephp/cakephp/releases>`_.
+
+.. author:: markstory
+.. categories:: release, news, security
+.. tags:: release, news, security

master.rst

@@ -4,6 +4,7 @@ Sitemap
 .. toctree::
    :maxdepth: 1
 
+   2025/01/04/cakephp_459
    2024/12/12/cakephp_514
    2024/11/24/cakephp_458
    2024/11/09/cakephp_512