diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2021-04-14 18:23:44 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-05-04 08:44:42 +0200 |
| commit | 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch) | |
| tree | ceb3f3df98ca1ee553f793121b6e43dc67ee2607 /docs | |
| parent | 8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff) | |
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/2.2.21.txt | 17 | ||||
| -rw-r--r-- | docs/releases/3.1.9.txt | 17 | ||||
| -rw-r--r-- | docs/releases/3.2.1.txt | 14 | ||||
| -rw-r--r-- | docs/releases/index.txt | 2 |
4 files changed, 48 insertions, 2 deletions
diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt new file mode 100644 index 0000000000..f32aeadff7 --- /dev/null +++ b/docs/releases/2.2.21.txt @@ -0,0 +1,17 @@ +=========================== +Django 2.2.21 release notes +=========================== + +*May 4, 2021* + +Django 2.2.21 fixes a security issue in 2.2.20. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. diff --git a/docs/releases/3.1.9.txt b/docs/releases/3.1.9.txt new file mode 100644 index 0000000000..682270b901 --- /dev/null +++ b/docs/releases/3.1.9.txt @@ -0,0 +1,17 @@ +========================== +Django 3.1.9 release notes +========================== + +*May 4, 2021* + +Django 3.1.9 fixes a security issue in 3.1.8. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. diff --git a/docs/releases/3.2.1.txt b/docs/releases/3.2.1.txt index 545c9adce3..97ac4ebc94 100644 --- a/docs/releases/3.2.1.txt +++ b/docs/releases/3.2.1.txt @@ -2,9 +2,19 @@ Django 3.2.1 release notes ========================== -*Expected May 4, 2021* +*May 4, 2021* -Django 3.2.1 fixes several bugs in 3.2. +Django 3.2.1 fixes a security issue and several bugs in 3.2. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 0249642d87..6421478c9c 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -40,6 +40,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 3.1.9 3.1.8 3.1.7 3.1.6 @@ -76,6 +77,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 2.2.21 2.2.20 2.2.19 2.2.18 |
