diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-02-24 14:46:28 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-03-04 09:16:03 +0100 |
| commit | 26a5cf834526e291db00385dd33d319b8271fc4c (patch) | |
| tree | 805c3f6ec9ffd7a6998e3f4917ca3666c9b17731 /docs | |
| parent | c5cfaad2f1f08b31ba04b9534f1a46a6ef1003bf (diff) | |
[3.0.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.
Thanks to Norbert Szetei for the report.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.29.txt | 13 | ||||
| -rw-r--r-- | docs/releases/2.2.11.txt | 10 | ||||
| -rw-r--r-- | docs/releases/3.0.4.txt | 10 | ||||
| -rw-r--r-- | docs/releases/index.txt | 1 |
4 files changed, 30 insertions, 4 deletions
diff --git a/docs/releases/1.11.29.txt b/docs/releases/1.11.29.txt new file mode 100644 index 0000000000..d37f3ffc0d --- /dev/null +++ b/docs/releases/1.11.29.txt @@ -0,0 +1,13 @@ +============================ +Django 1.11.29 release notes +============================ + +*March 4, 2020* + +Django 1.11.29 fixes a security issue in 1.11.29. + +CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle +============================================================================================================ + +GIS functions and aggregates on Oracle were subject to SQL injection, +using a suitably crafted ``tolerance``. diff --git a/docs/releases/2.2.11.txt b/docs/releases/2.2.11.txt index b14d961ac3..9738ef4470 100644 --- a/docs/releases/2.2.11.txt +++ b/docs/releases/2.2.11.txt @@ -2,9 +2,15 @@ Django 2.2.11 release notes =========================== -*Expected March 2, 2020* +*March 4, 2020* -Django 2.2.11 fixes a data loss bug in 2.2.10. +Django 2.2.11 fixes a security issue and a data loss bug in 2.2.10. + +CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle +============================================================================================================ + +GIS functions and aggregates on Oracle were subject to SQL injection, +using a suitably crafted ``tolerance``. Bugfixes ======== diff --git a/docs/releases/3.0.4.txt b/docs/releases/3.0.4.txt index ad9752addb..647e593749 100644 --- a/docs/releases/3.0.4.txt +++ b/docs/releases/3.0.4.txt @@ -2,9 +2,15 @@ Django 3.0.4 release notes ========================== -*Expected March 2, 2020* +*March 4, 2020* -Django 3.0.4 fixes several bugs in 3.0.3. +Django 3.0.4 fixes a security issue and several bugs in 3.0.3. + +CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle +============================================================================================================ + +GIS functions and aggregates on Oracle were subject to SQL injection, +using a suitably crafted ``tolerance``. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 8598dfeb29..f95aee459e 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -96,6 +96,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.11.29 1.11.28 1.11.27 1.11.26 |
