[release] Prepare changelog and version file for 2.3.2 and 2.3.3-dev.0.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 950b2ce..299563f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,34 +1,7 @@
-## 2.3.2-dev.XX.0
+## 2.3.3-dev.XX.0
(Add new changes here, and they will be copied to the change section for the
next dev version)
-### Security vulnerability
-
-* **Security improvement:** On Linux and Android, starting a process with
- `Process.run`, `Process.runSync`, or `Process.start` would first search the
- current directory before searching `PATH` (Issue [37101][]). This behavior
- effectively put the current working directory in the front of `PATH`, even if
- it wasn't in the `PATH`. This release changes that behavior to only searching
- the directories in the `PATH` environment variable. Operating systems other
- than Linux and Android didn't have this behavior and aren't affected by this
- vulnerability.
-
- This vulnerability could result in execution of untrusted code if a command
- without a slash in its name was run inside an untrusted directory containing
- an executable file with that name:
-
- ```dart
- Process.run("ls", workingDirectory: "/untrusted/directory")
- ```
-
- This would attempt to run `/untrusted/directory/ls` if it existed, even
- though it is not in the `PATH`. It was always safe to instead use an absolute
- path or a path containing a slash.
-
- This vulnerability was introduced in Dart 2.0.0.
-
-[37101]: https://github.com/dart-lang/sdk/issues/37101
-
### Core libraries
#### `dart:isolate`
@@ -171,6 +144,37 @@
* **Breaking change:** The `await for` allowed `null` as a stream due to a bug
in `StreamIterator` class. This bug has now been fixed.
+## 2.3.2 - 2019-06-11
+
+This is a patch version release with a security improvement.
+
+### Security vulnerability
+
+* **Security improvement:** On Linux and Android, starting a process with
+ `Process.run`, `Process.runSync`, or `Process.start` would first search the
+ current directory before searching `PATH` (Issue [37101][]). This behavior
+ effectively put the current working directory in the front of `PATH`, even if
+ it wasn't in the `PATH`. This release changes that behavior to only searching
+ the directories in the `PATH` environment variable. Operating systems other
+ than Linux and Android didn't have this behavior and aren't affected by this
+ vulnerability.
+
+ This vulnerability could result in execution of untrusted code if a command
+ without a slash in its name was run inside an untrusted directory containing
+ an executable file with that name:
+
+ ```dart
+ Process.run("ls", workingDirectory: "/untrusted/directory")
+ ```
+
+ This would attempt to run `/untrusted/directory/ls` if it existed, even
+ though it is not in the `PATH`. It was always safe to instead use an absolute
+ path or a path containing a slash.
+
+ This vulnerability was introduced in Dart 2.0.0.
+
+[37101]: https://github.com/dart-lang/sdk/issues/37101
+
## 2.3.1 - 2019-05-21
This is a patch version release with bug fixes.
diff --git a/tools/VERSION b/tools/VERSION
index 595324e..aa48b1b 100644
--- a/tools/VERSION
+++ b/tools/VERSION
@@ -32,7 +32,7 @@
CHANNEL be
MAJOR 2
MINOR 3
-PATCH 2
+PATCH 3
PRERELEASE 0
PRERELEASE_PATCH 0
ABI_VERSION 5