summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2021-03-16 10:19:00 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-04-06 08:33:16 +0200
commite7fba62248f604c76da4f23dcf1db4a57b0808ea (patch)
tree3275a467085c0a34b82592da37332bc556728bf6 /docs
parent232d5f61e6afd9cd6f10a47ddb4375f86818717e (diff)
[3.0.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report. Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.2.20.txt15
-rw-r--r--docs/releases/3.0.14.txt15
-rw-r--r--docs/releases/index.txt2
3 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/2.2.20.txt b/docs/releases/2.2.20.txt
new file mode 100644
index 0000000000..a67c515021
--- /dev/null
+++ b/docs/releases/2.2.20.txt
@@ -0,0 +1,15 @@
+===========================
+Django 2.2.20 release notes
+===========================
+
+*April 6, 2021*
+
+Django 2.2.20 fixes a security issue with severity "low" in 2.2.19.
+
+CVE-2021-28658: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser`` allowed directory-traversal via uploaded files with
+suitably crafted file names.
+
+Built-in upload handlers were not affected by this vulnerability.
diff --git a/docs/releases/3.0.14.txt b/docs/releases/3.0.14.txt
new file mode 100644
index 0000000000..c324428745
--- /dev/null
+++ b/docs/releases/3.0.14.txt
@@ -0,0 +1,15 @@
+===========================
+Django 3.0.14 release notes
+===========================
+
+*April 6, 2021*
+
+Django 3.0.14 fixes a security issue with severity "low" in 3.0.13.
+
+CVE-2021-28658: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser`` allowed directory-traversal via uploaded files with
+suitably crafted file names.
+
+Built-in upload handlers were not affected by this vulnerability.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index aee1d42231..bc30665aea 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 3.0.14
3.0.13
3.0.12
3.0.11
@@ -45,6 +46,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 2.2.20
2.2.19
2.2.18
2.2.17