author: Florian Apolloner <florian@apolloner.eu> 2021-11-29 11:52:03 +0100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-12-07 06:56:06 +0100
commit: 22bd17488159601bf0741b70ae7932bffea8eced
tree: 4071770d041ca672e79cc9e87a33016b60703db9 /docs/releases/2.2.25.txt
parent: cfb780dafe29e2243d9b48d0783b729b315341bb
[3.1.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
Diffstat (limited to 'docs/releases/2.2.25.txt')
-rw-r--r-- docs/releases/2.2.25.txt 6
1 files changed, 5 insertions, 1 deletions
diff --git a/docs/releases/2.2.25.txt b/docs/releases/2.2.25.txt
index e8e552d80e..1662451a30 100644
--- a/docs/releases/2.2.25.txt
+++ b/docs/releases/2.2.25.txt
@@ -6,4 +6,8 @@ Django 2.2.25 release notes
Django 2.2.25 fixes a security issue with severity "low" in 2.2.24.
-...
+CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
+=================================================================================
+
+HTTP requests for URLs with trailing newlines could bypass an upstream access
+control based on URL paths.
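Review bot: The added paragraph under the CVE-2021-44420 heading describes the problem but not the behaviour after the fix, so a reader of the 2.2.25 notes cannot tell how a request path ending in a newline is now handled. Suggest adding one sentence stating the post-fix behaviour for such paths. The commit subject also references ticket #30530 while the release note text does not; consider mentioning it here so the note can be traced back to the ticket.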