summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.11.18.txt18
-rw-r--r--docs/releases/index.txt1
2 files changed, 19 insertions, 0 deletions
diff --git a/docs/releases/1.11.18.txt b/docs/releases/1.11.18.txt
new file mode 100644
index 0000000000..82a229e6dd
--- /dev/null
+++ b/docs/releases/1.11.18.txt
@@ -0,0 +1,18 @@
+============================
+Django 1.11.18 release notes
+============================
+
+*January 4, 2019*
+
+Django 1.11.18 fixes a security issue in 1.11.17.
+
+CVE-2019-3498: Content spoofing possibility in the default 404 page
+-------------------------------------------------------------------
+
+An attacker could craft a malicious URL that could make spoofed content appear
+on the default page generated by the ``django.views.defaults.page_not_found()``
+view.
+
+The URL path is no longer displayed in the default 404 template and the
+``request_path`` context variable is now quoted to fix the issue for custom
+templates that use the path.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 5bd5ba8b81..719e5f416e 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -26,6 +26,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.11.18
1.11.17
1.11.16
1.11.15