Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.

author: Simon Charette <charette.s@gmail.com> 2019-12-31 12:46:06 -0500
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2020-02-03 08:49:13 +0100
commit: eb31d845323618d688ad429479c6dda973056136 (patch)
tree: e674d03c67e50a9a2c519c656a9e0553d1349163 /docs/releases/3.0.3.txt
parent: 6b178a3e930f72069f3cda2e6a09d1b320fc09ec (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/docs/releases/3.0.3.txt b/docs/releases/3.0.3.txt
index ed92938e09..2eed2654c8 100644
--- a/docs/releases/3.0.3.txt
+++ b/docs/releases/3.0.3.txt
@@ -4,7 +4,13 @@ Django 3.0.3 release notes
 
 *Expected February 3, 2020*
 
-Django 3.0.3 fixes several bugs in 3.0.2.
+Django 3.0.3 fixes a security issue and several bugs in 3.0.2.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.
 
 Bugfixes
 ========
author	Simon Charette <charette.s@gmail.com>	2019-12-31 12:46:06 -0500
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2020-02-03 08:49:13 +0100
commit	eb31d845323618d688ad429479c6dda973056136 (patch)
tree	e674d03c67e50a9a2c519c656a9e0553d1349163 /docs/releases/3.0.3.txt
parent	6b178a3e930f72069f3cda2e6a09d1b320fc09ec (diff)