summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorCarlton Gibson <carlton.gibson@noumenal.es>2020-01-22 09:03:27 +0100
committerCarlton Gibson <carlton.gibson@noumenal.es>2020-01-26 19:02:04 +0100
commit001b0634cd309e372edb6d7d95d083d02b8e37bd (patch)
tree7dfeed60d2ca78f895b8fe771b13fd6429090005 /docs
parent7fd1ca3ef63e5e834205a8208f4dc17d80f9a417 (diff)
[1.11.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.11.28.txt13
-rw-r--r--docs/releases/index.txt1
2 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/1.11.28.txt b/docs/releases/1.11.28.txt
new file mode 100644
index 0000000000..81ccb0ce06
--- /dev/null
+++ b/docs/releases/1.11.28.txt
@@ -0,0 +1,13 @@
+============================
+Django 1.11.28 release notes
+============================
+
+*February 3, 2020*
+
+Django 1.11.28 fixes a security issue in 1.11.27.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index cd13f8695e..c2e913cafc 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -26,6 +26,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.11.28
1.11.27
1.11.26
1.11.25