author: Florian Apolloner <florian@apolloner.eu> 2021-11-29 11:52:03 +0100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-12-07 06:32:24 +0100
commit: 333c65603032c377e682cdbd7388657a5463a05a
tree: b622bb80d13c24f0c84cee70e093458a507adfa1 /docs/releases/3.2.10.txt
parent: 6014b812e2608eae1b0950eed8a5891cadc6ca77
[3.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
Diffstat (limited to 'docs/releases/3.2.10.txt')
-rw-r--r-- docs/releases/3.2.10.txt 9
1 files changed, 7 insertions, 2 deletions
diff --git a/docs/releases/3.2.10.txt b/docs/releases/3.2.10.txt
index 18f0f9f09a..290880d684 100644
--- a/docs/releases/3.2.10.txt
+++ b/docs/releases/3.2.10.txt
@@ -4,8 +4,13 @@ Django 3.2.10 release notes
*December 7, 2021*
-Django 3.2.10 fixes a security issue with severity "low" and several bugs in
-3.2.9.
+Django 3.2.10 fixes a security issue with severity "low" and a bug in 3.2.9.
+
+CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
+=================================================================================
+
+HTTP requests for URLs with trailing newlines could bypass an upstream access
+control based on URL paths.
Bugfixes
========
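Review bot: The added CVE-2021-44420 section states only the symptom ("HTTP requests for URLs with trailing newlines could bypass an upstream access control based on URL paths") and does not say what 3.2.10 now does with such a request or which part of request handling accepted the trailing newline. Add one sentence describing the new behaviour, so that a deployment relying on upstream path-based rules can tell whether upgrading alone closes the gap or whether the upstream rules also need review. Separately, the summary line changes "several bugs" to "a bug"; confirm this matches the number of entries under the Bugfixes heading that follows.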