diff options
| author | Simon Charette <charette.s@gmail.com> | 2019-12-31 12:46:06 -0500 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2020-02-03 08:49:13 +0100 |
| commit | eb31d845323618d688ad429479c6dda973056136 (patch) | |
| tree | e674d03c67e50a9a2c519c656a9e0553d1349163 /docs | |
| parent | 6b178a3e930f72069f3cda2e6a09d1b320fc09ec (diff) | |
Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.28.txt | 13 | ||||
| -rw-r--r-- | docs/releases/2.2.10.txt | 13 | ||||
| -rw-r--r-- | docs/releases/3.0.3.txt | 8 | ||||
| -rw-r--r-- | docs/releases/index.txt | 2 |
4 files changed, 35 insertions, 1 deletions
diff --git a/docs/releases/1.11.28.txt b/docs/releases/1.11.28.txt new file mode 100644 index 0000000000..81ccb0ce06 --- /dev/null +++ b/docs/releases/1.11.28.txt @@ -0,0 +1,13 @@ +============================ +Django 1.11.28 release notes +============================ + +*February 3, 2020* + +Django 1.11.28 fixes a security issue in 1.11.27. + +CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)`` +=================================================================== + +:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was +subject to SQL injection, using a suitably crafted ``delimiter``. diff --git a/docs/releases/2.2.10.txt b/docs/releases/2.2.10.txt new file mode 100644 index 0000000000..f82774dea0 --- /dev/null +++ b/docs/releases/2.2.10.txt @@ -0,0 +1,13 @@ +=========================== +Django 2.2.10 release notes +=========================== + +*February 3, 2020* + +Django 2.2.10 fixes a security issue in 2.2.9. + +CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)`` +=================================================================== + +:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was +subject to SQL injection, using a suitably crafted ``delimiter``. diff --git a/docs/releases/3.0.3.txt b/docs/releases/3.0.3.txt index ed92938e09..2eed2654c8 100644 --- a/docs/releases/3.0.3.txt +++ b/docs/releases/3.0.3.txt @@ -4,7 +4,13 @@ Django 3.0.3 release notes *Expected February 3, 2020* -Django 3.0.3 fixes several bugs in 3.0.2. +Django 3.0.3 fixes a security issue and several bugs in 3.0.2. + +CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)`` +=================================================================== + +:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was +subject to SQL injection, using a suitably crafted ``delimiter``. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 411ca4805c..6a688587ef 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -42,6 +42,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 2.2.10 2.2.9 2.2.8 2.2.7 @@ -100,6 +101,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.11.28 1.11.27 1.11.26 1.11.25 |
