author: Tom Hacohen <tasn@users.noreply.github.com> 2019-01-04 02:21:55 +0000
committer: Tim Graham <timograham@gmail.com> 2019-01-03 21:22:14 -0500
commit: 64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b (patch)
tree: 09d4128c86d14d24f81a1989d81c17ba1edf0071 /docs/releases/2.0.10.txt
parent: e45d466d37af4b58c0a3201d31335db2883e2983 (diff)
[2.1.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possibility in the default 404 page.
Co-Authored-By: Tim Graham <timograham@gmail.com>
Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
Diffstat (limited to 'docs/releases/2.0.10.txt')
-rw-r--r-- docs/releases/2.0.10.txt 15
1 files changed, 13 insertions, 2 deletions
diff --git a/docs/releases/2.0.10.txt b/docs/releases/2.0.10.txt
index 18901490e0..8b0bf3a2a2 100644
--- a/docs/releases/2.0.10.txt
+++ b/docs/releases/2.0.10.txt
@@ -2,9 +2,20 @@
Django 2.0.10 release notes
===========================
-*Release date TBD*
+*January 4, 2019*
-Django 2.0.10 fixes several bugs in 2.0.9.
+Django 2.0.10 fixes a security issue and several bugs in 2.0.9.
+
+CVE-2019-3498: Content spoofing possibility in the default 404 page
+-------------------------------------------------------------------
+
+An attacker could craft a malicious URL that could make spoofed content appear
+on the default page generated by the ``django.views.defaults.page_not_found()``
+view.
+
+The URL path is no longer displayed in the default 404 template and the
+``request_path`` context variable is now quoted to fix the issue for custom
+templates that use the path.
Bugfixes
========
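Review bot: "the ``request_path`` context variable is now quoted" in the last added paragraph leaves the kind of quoting unstated; say whether the value is URL percent-encoded or HTML-escaped, because maintainers of custom 404 templates that render ``request_path`` need to know what form the value now takes and whether their templates need adjusting. A smaller style point in the first added paragraph: "could craft a malicious URL that could make spoofed content appear" doubles up "could"; "a malicious URL that causes spoofed content to appear" reads more cleanly.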