diff options
| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2020-01-22 09:03:27 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2020-01-26 19:02:04 +0100 |
| commit | 001b0634cd309e372edb6d7d95d083d02b8e37bd (patch) | |
| tree | 7dfeed60d2ca78f895b8fe771b13fd6429090005 /docs | |
| parent | 7fd1ca3ef63e5e834205a8208f4dc17d80f9a417 (diff) | |
[1.11.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.28.txt | 13 | ||||
| -rw-r--r-- | docs/releases/index.txt | 1 |
2 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/1.11.28.txt b/docs/releases/1.11.28.txt new file mode 100644 index 0000000000..81ccb0ce06 --- /dev/null +++ b/docs/releases/1.11.28.txt @@ -0,0 +1,13 @@ +============================ +Django 1.11.28 release notes +============================ + +*February 3, 2020* + +Django 1.11.28 fixes a security issue in 1.11.27. + +CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)`` +=================================================================== + +:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was +subject to SQL injection, using a suitably crafted ``delimiter``. diff --git a/docs/releases/index.txt b/docs/releases/index.txt index cd13f8695e..c2e913cafc 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -26,6 +26,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.11.28 1.11.27 1.11.26 1.11.25 |
