summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2020-02-24 14:46:28 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2020-03-04 09:16:03 +0100
commit26a5cf834526e291db00385dd33d319b8271fc4c (patch)
tree805c3f6ec9ffd7a6998e3f4917ca3666c9b17731 /docs
parentc5cfaad2f1f08b31ba04b9534f1a46a6ef1003bf (diff)
[3.0.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.
Thanks to Norbert Szetei for the report.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.11.29.txt13
-rw-r--r--docs/releases/2.2.11.txt10
-rw-r--r--docs/releases/3.0.4.txt10
-rw-r--r--docs/releases/index.txt1
4 files changed, 30 insertions, 4 deletions
diff --git a/docs/releases/1.11.29.txt b/docs/releases/1.11.29.txt
new file mode 100644
index 0000000000..d37f3ffc0d
--- /dev/null
+++ b/docs/releases/1.11.29.txt
@@ -0,0 +1,13 @@
+============================
+Django 1.11.29 release notes
+============================
+
+*March 4, 2020*
+
+Django 1.11.29 fixes a security issue in 1.11.29.
+
+CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle
+============================================================================================================
+
+GIS functions and aggregates on Oracle were subject to SQL injection,
+using a suitably crafted ``tolerance``.
diff --git a/docs/releases/2.2.11.txt b/docs/releases/2.2.11.txt
index b14d961ac3..9738ef4470 100644
--- a/docs/releases/2.2.11.txt
+++ b/docs/releases/2.2.11.txt
@@ -2,9 +2,15 @@
Django 2.2.11 release notes
===========================
-*Expected March 2, 2020*
+*March 4, 2020*
-Django 2.2.11 fixes a data loss bug in 2.2.10.
+Django 2.2.11 fixes a security issue and a data loss bug in 2.2.10.
+
+CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle
+============================================================================================================
+
+GIS functions and aggregates on Oracle were subject to SQL injection,
+using a suitably crafted ``tolerance``.
Bugfixes
========
diff --git a/docs/releases/3.0.4.txt b/docs/releases/3.0.4.txt
index ad9752addb..647e593749 100644
--- a/docs/releases/3.0.4.txt
+++ b/docs/releases/3.0.4.txt
@@ -2,9 +2,15 @@
Django 3.0.4 release notes
==========================
-*Expected March 2, 2020*
+*March 4, 2020*
-Django 3.0.4 fixes several bugs in 3.0.3.
+Django 3.0.4 fixes a security issue and several bugs in 3.0.3.
+
+CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle
+============================================================================================================
+
+GIS functions and aggregates on Oracle were subject to SQL injection,
+using a suitably crafted ``tolerance``.
Bugfixes
========
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 8598dfeb29..f95aee459e 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -96,6 +96,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.11.29
1.11.28
1.11.27
1.11.26