summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorCarlton Gibson <carlton.gibson@noumenal.es>2019-05-27 11:07:46 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2019-06-03 11:39:15 +0200
commit95649bc08547a878cebfa1d019edec8cb1b80829 (patch)
tree29c9806a7b2ca68fb707d8b63e06850713c77826 /docs
parent09186a13d975de6d049f8b3e05484f66b01ece62 (diff)
[2.1.x] Applied jQuery patch for CVE-2019-11358.
Backport of 34ec52269ade54af31a021b12969913129571a3f from master.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.1.9.txt11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/releases/2.1.9.txt b/docs/releases/2.1.9.txt
index 0022de965c..7a479c89f1 100644
--- a/docs/releases/2.1.9.txt
+++ b/docs/releases/2.1.9.txt
@@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
link. You may customise the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
+
+Patched bundled jQuery for CVE-2019-11358: Prototype pollution
+--------------------------------------------------------------
+
+jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
+``Object.prototype`` pollution. If an unsanitized source object contained an
+enumerable ``__proto__`` property, it could extend the native
+``Object.prototype``.
+
+The bundled version of jQuery used by the Django admin has been patched to
+allow for the ``select2`` library's use of ``jQuery.extend()``.