=doc add security advisory for decodeRequest issue (#2137) (#2200)

docs/src/main/paradox/security.md

@@ -17,6 +17,10 @@ to ensure that a fix can be provided without delay.
 
 ## Fixed Security Vulnerabilities
 
+### Fixed in Akka HTTP 10.1.5 & 10.0.14
+
+* @ref:[Denial of Service via unlimited decoding with decodeRequest directive ("zip bomb")](security/2018-09-05-denial-of-service-via-decodeRequest.md)
+
 ### Fixed in Akka HTTP 10.0.6 & 2.4.11.2
 
 * @ref:[Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service](security/2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md)
@@ -28,3 +32,12 @@ to ensure that a fix can be provided without delay.
 ### Fixed in Akka HTTP 2.4.11
 
 * @ref:[Directory Traversal Vulnerability Announcement](security/2016-09-30-windows-directory-traversal.md)
+
+
+@@@ index
+
+ * [2018](security/2018.md)
+ * [2017](security/2017.md)
+ * [2016](security/2016.md)
+
+@@@

docs/src/main/paradox/security/2016.md

@@ -0,0 +1,9 @@
+# 2016
+
+@@ toc
+
+@@@ index
+
+ * [Directory Traversal Vulnerability Announcement](2016-09-30-windows-directory-traversal.md)
+
+@@@

docs/src/main/paradox/security/2017.md

@@ -0,0 +1,10 @@
+# 2017
+
+@@ toc
+
+@@@ index
+
+ * [Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service](2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md)
+ * [Denial-of-Service by stream leak on unconsumed closed connections](2017-01-23-denial-of-service-via-leak-on-unconsumed-closed-connections.md)
+
+@@@

docs/src/main/paradox/security/2018-09-05-denial-of-service-via-decodeRequest.md

@@ -0,0 +1,43 @@
+# CVE-2018-16131: Denial of Service via unlimited decoding with decodeRequest directive ("zip bomb")
+
+## Date
+
+2018-09-05
+
+## Description
+
+Directives `decodeRequest` and `decodeRequestWith` which handle compressed request data did not limit the amount of uncompressed
+data flowing out of it. In combination with common request directives like `entity(as)`, `toStrict`, or `formField`, this can lead
+to excessive memory usage ultimately leading to an out of memory situation when highly compressed data is received
+(so-called "Zip Bomb").
+
+Any code that uses `decodeRequest` or `decodeRequestWith` is likely to be affected.
+
+## Severity
+
+The CVSS score of this vulnerability is 7.3 (High), based on vector
+[AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:W/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:W/RC:C).
+
+Rationale for the score:
+
+ * A:H: Server runs into OOM, so availability is highly affected.
+ * E:H: It's relatively simple to exploit.
+
+## Affected Versions
+
+All previously released Akka HTTP versions are affected:
+
+ * `10.1.x` versions prior to `10.1.5`
+ * `10.0.x` versions prior to `10.0.14`
+ * Earlier end-of-lifed versions
+
+Not affected:
+
+ * Play and Lagom applications, even though both are using Akka HTTP as their server backend,
+   remain unaffected by this vulnerability. This is because they implement their own content
+   length validations on top of the underlying models (by using `BodyParser`s).
+
+## Fixed Versions
+
+ * 10.1.5
+ * 10.0.14

docs/src/main/paradox/security/2018.md

@@ -0,0 +1,9 @@
+# 2018
+
+@@ toc
+
+@@@ index
+
+ * [Denial of Service via unlimited decoding with decodeRequest directive ("zip bomb")](2018-09-05-denial-of-service-via-decodeRequest.md)
+
+@@@