From 95649bc08547a878cebfa1d019edec8cb1b80829 Mon Sep 17 00:00:00 2001 From: Carlton Gibson Date: Mon, 27 May 2019 11:07:46 +0200 Subject: [2.1.x] Applied jQuery patch for CVE-2019-11358. Backport of 34ec52269ade54af31a021b12969913129571a3f from master. --- docs/releases/2.1.9.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'docs') diff --git a/docs/releases/2.1.9.txt b/docs/releases/2.1.9.txt index 0022de965c..7a479c89f1 100644 --- a/docs/releases/2.1.9.txt +++ b/docs/releases/2.1.9.txt @@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link. link. You may customise the validator by passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g. when using :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. + +Patched bundled jQuery for CVE-2019-11358: Prototype pollution +-------------------------------------------------------------- + +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of +``Object.prototype`` pollution. If an unsanitized source object contained an +enumerable ``__proto__`` property, it could extend the native +``Object.prototype``. + +The bundled version of jQuery used by the Django admin has been patched to +allow for the ``select2`` library's use of ``jQuery.extend()``. -- cgit v1.3