summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.2.21.txt17
-rw-r--r--docs/releases/3.1.9.txt17
-rw-r--r--docs/releases/3.2.1.txt14
-rw-r--r--docs/releases/index.txt2
4 files changed, 48 insertions, 2 deletions
diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt
new file mode 100644
index 0000000000..f32aeadff7
--- /dev/null
+++ b/docs/releases/2.2.21.txt
@@ -0,0 +1,17 @@
+===========================
+Django 2.2.21 release notes
+===========================
+
+*May 4, 2021*
+
+Django 2.2.21 fixes a security issue in 2.2.20.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
diff --git a/docs/releases/3.1.9.txt b/docs/releases/3.1.9.txt
new file mode 100644
index 0000000000..682270b901
--- /dev/null
+++ b/docs/releases/3.1.9.txt
@@ -0,0 +1,17 @@
+==========================
+Django 3.1.9 release notes
+==========================
+
+*May 4, 2021*
+
+Django 3.1.9 fixes a security issue in 3.1.8.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
diff --git a/docs/releases/3.2.1.txt b/docs/releases/3.2.1.txt
index 545c9adce3..97ac4ebc94 100644
--- a/docs/releases/3.2.1.txt
+++ b/docs/releases/3.2.1.txt
@@ -2,9 +2,19 @@
Django 3.2.1 release notes
==========================
-*Expected May 4, 2021*
+*May 4, 2021*
-Django 3.2.1 fixes several bugs in 3.2.
+Django 3.2.1 fixes a security issue and several bugs in 3.2.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
Bugfixes
========
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 0249642d87..6421478c9c 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -40,6 +40,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 3.1.9
3.1.8
3.1.7
3.1.6
@@ -76,6 +77,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 2.2.21
2.2.20
2.2.19
2.2.18