[2.2.x] Applied jQuery patch for CVE-2019-11358.

Backport of 34ec52269ade54af31a021b12969913129571a3f from master.
author: Carlton Gibson <carlton.gibson@noumenal.es> 2019-05-27 11:07:46 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2019-06-03 11:38:57 +0200
commit: baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad (patch)
tree: 5b14a1df76ea436eb0e8da48e410cd812dbc97ab /docs/releases/2.1.9.txt
parent: afddabf8428ddc89a332f7a78d0d21eaf2b5a673 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/releases/2.1.9.txt b/docs/releases/2.1.9.txt
index 0022de965c..7a479c89f1 100644
--- a/docs/releases/2.1.9.txt
+++ b/docs/releases/2.1.9.txt
@@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
 link. You may customise the validator by passing a ``validator_class`` kwarg to
 ``AdminURLFieldWidget.__init__()``, e.g. when using
 :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
+
+Patched bundled jQuery for CVE-2019-11358: Prototype pollution
+--------------------------------------------------------------
+
+jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
+``Object.prototype`` pollution. If an unsanitized source object contained an
+enumerable ``__proto__`` property, it could extend the native
+``Object.prototype``.
+
+The bundled version of jQuery used by the Django admin has been patched to
+allow for the ``select2`` library's use of ``jQuery.extend()``.
author	Carlton Gibson <carlton.gibson@noumenal.es>	2019-05-27 11:07:46 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2019-06-03 11:38:57 +0200
commit	baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad (patch)
tree	5b14a1df76ea436eb0e8da48e410cd812dbc97ab /docs/releases/2.1.9.txt
parent	afddabf8428ddc89a332f7a78d0d21eaf2b5a673 (diff)