summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2021-04-14 18:23:44 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-05-04 08:44:42 +0200
commit0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
treeceb3f3df98ca1ee553f793121b6e43dc67ee2607 /docs
parent8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.2.21.txt17
-rw-r--r--docs/releases/3.1.9.txt17
-rw-r--r--docs/releases/3.2.1.txt14
-rw-r--r--docs/releases/index.txt2
4 files changed, 48 insertions, 2 deletions
diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt
new file mode 100644
index 0000000000..f32aeadff7
--- /dev/null
+++ b/docs/releases/2.2.21.txt
@@ -0,0 +1,17 @@
+===========================
+Django 2.2.21 release notes
+===========================
+
+*May 4, 2021*
+
+Django 2.2.21 fixes a security issue in 2.2.20.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
diff --git a/docs/releases/3.1.9.txt b/docs/releases/3.1.9.txt
new file mode 100644
index 0000000000..682270b901
--- /dev/null
+++ b/docs/releases/3.1.9.txt
@@ -0,0 +1,17 @@
+==========================
+Django 3.1.9 release notes
+==========================
+
+*May 4, 2021*
+
+Django 3.1.9 fixes a security issue in 3.1.8.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
diff --git a/docs/releases/3.2.1.txt b/docs/releases/3.2.1.txt
index 545c9adce3..97ac4ebc94 100644
--- a/docs/releases/3.2.1.txt
+++ b/docs/releases/3.2.1.txt
@@ -2,9 +2,19 @@
Django 3.2.1 release notes
==========================
-*Expected May 4, 2021*
+*May 4, 2021*
-Django 3.2.1 fixes several bugs in 3.2.
+Django 3.2.1 fixes a security issue and several bugs in 3.2.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
Bugfixes
========
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 0249642d87..6421478c9c 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -40,6 +40,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 3.1.9
3.1.8
3.1.7
3.1.6
@@ -76,6 +77,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 2.2.21
2.2.20
2.2.19
2.2.18