docs: Add release notes

Signed-off-by: Tibor Vass <teabee89@gmail.com>

docs/sources/release-notes.md

@@ -4,6 +4,40 @@ understanding, release
 
 #Release Notes
 
+##Version 1.3.3
+(2014-12-11)
+ 
+This release fixes several security issues. In order to encourage immediate
+upgrading, this release also patches some critical bugs. All users are highly
+encouraged to upgrade as soon as possible.
+ 
+*Security fixes*
+ 
+Patches and changes were made to address the following vulnerabilities:
+ 
+* CVE-2014-9356: Path traversal during processing of absolute symlinks. 
+Absolute symlinks were not adequately checked for  traversal which created a
+vulnerability via image extraction and/or volume mounts.
+* CVE-2014-9357: Escalation of privileges during decompression of LZMA (.xz)
+archives. Docker 1.3.2 added `chroot` for archive extraction. This created a
+vulnerability that could allow malicious images or builds to write files to the
+host system and escape containerization, leading to privilege escalation.
+* CVE-2014-9358: Path traversal and spoofing opportunities via image
+identifiers. Image IDs passed either via `docker load` or registry communications
+were not sufficiently validated. This created a vulnerability to path traversal
+attacks wherein malicious images or repository spoofing could lead to graph
+corruption and manipulation.
+ 
+*Runtime fixes*
+ 
+* Fixed an issue that cause image archives to be read slowly.
+ 
+*Client fixes*
+ 
+* Fixed a regression related to STDIN redirection.
+* Fixed a regression involving `docker cp` when the current directory is the
+destination.
+
 ##Version 1.3.2
 (2014-11-24)