author Tom Hacohen <tasn@users.noreply.github.com> 2019-01-04 02:21:55 +0000
committer Tim Graham <timograham@gmail.com> 2019-01-03 21:21:55 -0500
commit 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 (patch)
tree 764f6a8caab6943e1e5ad49d04e03ab2f4864a20 /docs/releases
parent e49ab7263763d653b3acaa88db9b6ebb4505d639 (diff)
Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possibility in the default 404 page.
Co-Authored-By: Tim Graham <timograham@gmail.com>
Diffstat (limited to 'docs/releases')
-rw-r--r-- docs/releases/1.11.18.txt 18
-rw-r--r-- docs/releases/2.0.10.txt 15
-rw-r--r-- docs/releases/2.1.5.txt 14
-rw-r--r-- docs/releases/index.txt 1
4 files changed, 44 insertions, 4 deletions
diff --git a/docs/releases/1.11.18.txt b/docs/releases/1.11.18.txt
new file mode 100644
index 0000000000..82a229e6dd
--- /dev/null
+++ b/docs/releases/1.11.18.txt
@@ -0,0 +1,18 @@
+============================
+Django 1.11.18 release notes
+============================
+
+*January 4, 2019*
+
+Django 1.11.18 fixes a security issue in 1.11.17.
+
+CVE-2019-3498: Content spoofing possibility in the default 404 page
+-------------------------------------------------------------------
+
+An attacker could craft a malicious URL that could make spoofed content appear
+on the default page generated by the ``django.views.defaults.page_not_found()``
+view.
+
+The URL path is no longer displayed in the default 404 template and the
+``request_path`` context variable is now quoted to fix the issue for custom
+templates that use the path.
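Review bot: In the last paragraph, "the ``request_path`` context variable is now quoted" does not say what kind of quoting is applied, and authors of custom 404 templates need that to know how the value will look once rendered. Suggest naming the mechanism explicitly (for instance, whether the path is URL-quoted, that is percent-encoded) and stating whether custom templates that output ``request_path`` need any change after upgrading. The same sentence appears in the 2.0.10 and 2.1.5 notes, so all three should be updated together.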
diff --git a/docs/releases/2.0.10.txt b/docs/releases/2.0.10.txt
index 18901490e0..8b0bf3a2a2 100644
--- a/docs/releases/2.0.10.txt
+++ b/docs/releases/2.0.10.txt
@@ -2,9 +2,20 @@
Django 2.0.10 release notes
===========================
-*Release date TBD*
+*January 4, 2019*
-Django 2.0.10 fixes several bugs in 2.0.9.
+Django 2.0.10 fixes a security issue and several bugs in 2.0.9.
+
+CVE-2019-3498: Content spoofing possibility in the default 404 page
+-------------------------------------------------------------------
+
+An attacker could craft a malicious URL that could make spoofed content appear
+on the default page generated by the ``django.views.defaults.page_not_found()``
+view.
+
+The URL path is no longer displayed in the default 404 template and the
+``request_path`` context variable is now quoted to fix the issue for custom
+templates that use the path.
Bugfixes
========
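Review bot: The new "CVE-2019-3498" heading is underlined with ``-`` while the "Bugfixes" heading that follows it is underlined with ``=``. reStructuredText assigns section levels in the order each adornment style first appears, so with the ``-`` heading coming first, "Bugfixes" may render as a subsection of the CVE section instead of as its sibling. Suggest underlining the CVE heading with ``=`` to match "Bugfixes", or checking the built HTML to confirm the nesting is what is intended.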
diff --git a/docs/releases/2.1.5.txt b/docs/releases/2.1.5.txt
index 27ffbc7510..ebe775a3d3 100644
--- a/docs/releases/2.1.5.txt
+++ b/docs/releases/2.1.5.txt
@@ -2,10 +2,20 @@
Django 2.1.5 release notes
==========================
-*Expected January 1, 2019*
+*January 4, 2019*
+Django 2.1.5 fixes a security issue and several bugs in 2.1.4.
-Django 2.1.5 fixes several bugs in 2.1.4.
+CVE-2019-3498: Content spoofing possibility in the default 404 page
+-------------------------------------------------------------------
+
+An attacker could craft a malicious URL that could make spoofed content appear
+on the default page generated by the ``django.views.defaults.page_not_found()``
+view.
+
+The URL path is no longer displayed in the default 404 template and the
+``request_path`` context variable is now quoted to fix the issue for custom
+templates that use the path.
Bugfixes
========
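Review bot: Style point on the first paragraph of the CVE section: "An attacker could craft a malicious URL that could make spoofed content appear" stacks two "could"s and leaves the reader to infer that the spoofed content comes from the URL path being shown on the page. Suggest something like "An attacker could craft a URL whose path is displayed as spoofed content on the default page generated by ...", which also ties in with the next paragraph's statement that the URL path is no longer displayed. The wording is duplicated in the 1.11.18 and 2.0.10 notes, so any rewording should be applied to all three.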
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index f292a4d566..239d27b3ec 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -61,6 +61,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.11.18
1.11.17
1.11.16
1.11.15