From 64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b Mon Sep 17 00:00:00 2001 From: Tom Hacohen Date: Fri, 4 Jan 2019 02:21:55 +0000 Subject: [2.1.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page. Co-Authored-By: Tim Graham Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master. --- docs/releases/1.11.18.txt | 18 ++++++++++++++++++ docs/releases/2.0.10.txt | 15 +++++++++++++-- docs/releases/2.1.5.txt | 14 ++++++++++++-- docs/releases/index.txt | 1 + 4 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 docs/releases/1.11.18.txt (limited to 'docs') diff --git a/docs/releases/1.11.18.txt b/docs/releases/1.11.18.txt new file mode 100644 index 0000000000..82a229e6dd --- /dev/null +++ b/docs/releases/1.11.18.txt @@ -0,0 +1,18 @@ +============================ +Django 1.11.18 release notes +============================ + +*January 4, 2019* + +Django 1.11.18 fixes a security issue in 1.11.17. + +CVE-2019-3498: Content spoofing possibility in the default 404 page +------------------------------------------------------------------- + +An attacker could craft a malicious URL that could make spoofed content appear +on the default page generated by the ``django.views.defaults.page_not_found()`` +view. + +The URL path is no longer displayed in the default 404 template and the +``request_path`` context variable is now quoted to fix the issue for custom +templates that use the path. diff --git a/docs/releases/2.0.10.txt b/docs/releases/2.0.10.txt index 18901490e0..8b0bf3a2a2 100644 --- a/docs/releases/2.0.10.txt +++ b/docs/releases/2.0.10.txt @@ -2,9 +2,20 @@ Django 2.0.10 release notes =========================== -*Release date TBD* +*January 4, 2019* -Django 2.0.10 fixes several bugs in 2.0.9. +Django 2.0.10 fixes a security issue and several bugs in 2.0.9. + +CVE-2019-3498: Content spoofing possibility in the default 404 page +------------------------------------------------------------------- + +An attacker could craft a malicious URL that could make spoofed content appear +on the default page generated by the ``django.views.defaults.page_not_found()`` +view. + +The URL path is no longer displayed in the default 404 template and the +``request_path`` context variable is now quoted to fix the issue for custom +templates that use the path. Bugfixes ======== diff --git a/docs/releases/2.1.5.txt b/docs/releases/2.1.5.txt index 27ffbc7510..ebe775a3d3 100644 --- a/docs/releases/2.1.5.txt +++ b/docs/releases/2.1.5.txt @@ -2,10 +2,20 @@ Django 2.1.5 release notes ========================== -*Expected January 1, 2019* +*January 4, 2019* +Django 2.1.5 fixes a security issue and several bugs in 2.1.4. -Django 2.1.5 fixes several bugs in 2.1.4. +CVE-2019-3498: Content spoofing possibility in the default 404 page +------------------------------------------------------------------- + +An attacker could craft a malicious URL that could make spoofed content appear +on the default page generated by the ``django.views.defaults.page_not_found()`` +view. + +The URL path is no longer displayed in the default 404 template and the +``request_path`` context variable is now quoted to fix the issue for custom +templates that use the path. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index c58a7ef071..0550d92f91 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -54,6 +54,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.11.18 1.11.17 1.11.16 1.11.15 -- cgit v1.3