| field | value | date |
|---|---|---|
| author | Florian Apolloner <florian@apolloner.eu> | 2021-04-14 18:23:44 +0200 |
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-05-04 08:43:52 +0200 |
| commit | c98f446c188596d4ba6de71d1b77b4a6c5c2a007 (patch) | |
| tree | 88c04654a0a355813023a5fd2920d16100294666 /docs/releases | |
| parent | 8e1900d4f37c85dfec35fbc785d891dc775fc15f (diff) | |
[3.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'docs/releases')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/releases/2.2.21.txt | 17 |
| -rw-r--r-- | docs/releases/3.1.9.txt | 17 |
| -rw-r--r-- | docs/releases/3.2.1.txt | 14 |
| -rw-r--r-- | docs/releases/index.txt | 2 |
4 files changed, 48 insertions, 2 deletions
diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt new file mode 100644 index 0000000000..f32aeadff7 --- /dev/null +++ b/docs/releases/2.2.21.txt @@ -0,0 +1,17 @@ +=========================== +Django 2.2.21 release notes +=========================== + +*May 4, 2021* + +Django 2.2.21 fixes a security issue in 2.2.20. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. diff --git a/docs/releases/3.1.9.txt b/docs/releases/3.1.9.txt new file mode 100644 index 0000000000..682270b901 --- /dev/null +++ b/docs/releases/3.1.9.txt @@ -0,0 +1,17 @@ +========================== +Django 3.1.9 release notes +========================== + +*May 4, 2021* + +Django 3.1.9 fixes a security issue in 3.1.8. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. diff --git a/docs/releases/3.2.1.txt b/docs/releases/3.2.1.txt index 545c9adce3..97ac4ebc94 100644 --- a/docs/releases/3.2.1.txt +++ b/docs/releases/3.2.1.txt 
@@ -2,9 +2,19 @@ Django 3.2.1 release notes ========================== -*Expected May 4, 2021* +*May 4, 2021* -Django 3.2.1 fixes several bugs in 3.2. +Django 3.2.1 fixes a security issue and several bugs in 3.2. + +CVE-2021-31542: Potential directory-traversal via uploaded files +================================================================ + +``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed +directory-traversal via uploaded files with suitably crafted file names. + +In order to mitigate this risk, stricter basename and path sanitation is now +applied. Specifically, empty file names and paths with dot segments will be +rejected. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index ca1d1ed8ea..ea53ca0063 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -33,6 +33,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 3.1.9 3.1.8 3.1.7 3.1.6 @@ -69,6 +70,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 2.2.21 2.2.20 2.2.19 2.2.18 |
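Review bot: the CVE-2021-31542 section added to 2.2.21.txt, 3.1.9.txt and 3.2.1.txt describes the new rule ("empty file names and paths with dot segments will be rejected") but not what rejection looks like to application code, which is missing documentation for a behaviour change that users will hit after upgrading. Since the same paragraph names ``FieldFile`` alongside ``MultiPartParser`` and ``UploadedFile``, the stricter sanitation evidently applies to names produced on the application side (for example by ``upload_to``) as well as to client-supplied upload names; consider adding one sentence stating which exception is raised and that such names now fail at save time, so operators can recognise the new errors in their logs rather than mistaking them for regressions.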
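Review bot: the two index.txt hunks add ``3.1.9`` and ``2.2.21`` to their toctrees, which matches the two new release-note files in the diffstat; the 3.2.1.txt change only edits an existing file, so no index entry is needed for it. One style point on the three identical CVE paragraphs: "sanitation" is used where the project's other release notes and the commit message itself say "sanitation" too, so wording is consistent, but the heading "Potential directory-traversal via uploaded files" and the body line "directory-traversal via uploaded files" repeat each other; dropping the hyphen in the body ("directory traversal") would read more naturally without changing meaning.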
