summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSimon Charette <charette.s@gmail.com>2019-12-31 12:46:06 -0500
committerCarlton Gibson <carlton.gibson@noumenal.es>2020-02-03 08:49:13 +0100
commiteb31d845323618d688ad429479c6dda973056136 (patch)
treee674d03c67e50a9a2c519c656a9e0553d1349163 /docs
parent6b178a3e930f72069f3cda2e6a09d1b320fc09ec (diff)
Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.11.28.txt13
-rw-r--r--docs/releases/2.2.10.txt13
-rw-r--r--docs/releases/3.0.3.txt8
-rw-r--r--docs/releases/index.txt2
4 files changed, 35 insertions, 1 deletions
diff --git a/docs/releases/1.11.28.txt b/docs/releases/1.11.28.txt
new file mode 100644
index 0000000000..81ccb0ce06
--- /dev/null
+++ b/docs/releases/1.11.28.txt
@@ -0,0 +1,13 @@
+============================
+Django 1.11.28 release notes
+============================
+
+*February 3, 2020*
+
+Django 1.11.28 fixes a security issue in 1.11.27.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.
diff --git a/docs/releases/2.2.10.txt b/docs/releases/2.2.10.txt
new file mode 100644
index 0000000000..f82774dea0
--- /dev/null
+++ b/docs/releases/2.2.10.txt
@@ -0,0 +1,13 @@
+===========================
+Django 2.2.10 release notes
+===========================
+
+*February 3, 2020*
+
+Django 2.2.10 fixes a security issue in 2.2.9.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.
diff --git a/docs/releases/3.0.3.txt b/docs/releases/3.0.3.txt
index ed92938e09..2eed2654c8 100644
--- a/docs/releases/3.0.3.txt
+++ b/docs/releases/3.0.3.txt
@@ -4,7 +4,13 @@ Django 3.0.3 release notes
*Expected February 3, 2020*
-Django 3.0.3 fixes several bugs in 3.0.2.
+Django 3.0.3 fixes a security issue and several bugs in 3.0.2.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.
Bugfixes
========
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 411ca4805c..6a688587ef 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -42,6 +42,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 2.2.10
2.2.9
2.2.8
2.2.7
@@ -100,6 +101,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.11.28
1.11.27
1.11.26
1.11.25