From 26a5cf834526e291db00385dd33d319b8271fc4c Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Mon, 24 Feb 2020 14:46:28 +0100 Subject: [3.0.x] Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle. Thanks to Norbert Szetei for the report. --- docs/releases/1.11.29.txt | 13 +++++++++++++ docs/releases/2.2.11.txt | 10 ++++++++-- docs/releases/3.0.4.txt | 10 ++++++++-- docs/releases/index.txt | 1 + 4 files changed, 30 insertions(+), 4 deletions(-) create mode 100644 docs/releases/1.11.29.txt (limited to 'docs') diff --git a/docs/releases/1.11.29.txt b/docs/releases/1.11.29.txt new file mode 100644 index 0000000000..d37f3ffc0d --- /dev/null +++ b/docs/releases/1.11.29.txt @@ -0,0 +1,13 @@ +============================ +Django 1.11.29 release notes +============================ + +*March 4, 2020* + +Django 1.11.29 fixes a security issue in 1.11.29. + +CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle +============================================================================================================ + +GIS functions and aggregates on Oracle were subject to SQL injection, +using a suitably crafted ``tolerance``. diff --git a/docs/releases/2.2.11.txt b/docs/releases/2.2.11.txt index b14d961ac3..9738ef4470 100644 --- a/docs/releases/2.2.11.txt +++ b/docs/releases/2.2.11.txt @@ -2,9 +2,15 @@ Django 2.2.11 release notes =========================== -*Expected March 2, 2020* +*March 4, 2020* -Django 2.2.11 fixes a data loss bug in 2.2.10. +Django 2.2.11 fixes a security issue and a data loss bug in 2.2.10. + +CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle +============================================================================================================ + +GIS functions and aggregates on Oracle were subject to SQL injection, +using a suitably crafted ``tolerance``. Bugfixes ======== diff --git a/docs/releases/3.0.4.txt b/docs/releases/3.0.4.txt index ad9752addb..647e593749 100644 --- a/docs/releases/3.0.4.txt +++ b/docs/releases/3.0.4.txt @@ -2,9 +2,15 @@ Django 3.0.4 release notes ========================== -*Expected March 2, 2020* +*March 4, 2020* -Django 3.0.4 fixes several bugs in 3.0.3. +Django 3.0.4 fixes a security issue and several bugs in 3.0.3. + +CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle +============================================================================================================ + +GIS functions and aggregates on Oracle were subject to SQL injection, +using a suitably crafted ``tolerance``. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 8598dfeb29..f95aee459e 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -96,6 +96,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.11.29 1.11.28 1.11.27 1.11.26 -- cgit v1.3