| field | value | date |
|---|---|---|
| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-05-27 11:07:46 +0200 |
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-06-03 11:38:57 +0200 |
| commit | baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad (patch) | |
| tree | 5b14a1df76ea436eb0e8da48e410cd812dbc97ab /docs | |
| parent | afddabf8428ddc89a332f7a78d0d21eaf2b5a673 (diff) | |
[2.2.x] Applied jQuery patch for CVE-2019-11358.
Backport of 34ec52269ade54af31a021b12969913129571a3f from master.
Diffstat (limited to 'docs')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/releases/2.1.9.txt | 11 |
| -rw-r--r-- | docs/releases/2.2.2.txt | 11 |
2 files changed, 22 insertions, 0 deletions
diff --git a/docs/releases/2.1.9.txt b/docs/releases/2.1.9.txt index 0022de965c..7a479c89f1 100644 --- a/docs/releases/2.1.9.txt +++ b/docs/releases/2.1.9.txt @@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link. link. You may customise the validator by passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g. when using :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. + +Patched bundled jQuery for CVE-2019-11358: Prototype pollution +-------------------------------------------------------------- + +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of +``Object.prototype`` pollution. If an unsanitized source object contained an +enumerable ``__proto__`` property, it could extend the native +``Object.prototype``. + +The bundled version of jQuery used by the Django admin has been patched to +allow for the ``select2`` library's use of ``jQuery.extend()``. diff --git a/docs/releases/2.2.2.txt b/docs/releases/2.2.2.txt index 8c70d104d7..a9d608c495 100644 --- a/docs/releases/2.2.2.txt +++ b/docs/releases/2.2.2.txt @@ -20,6 +20,17 @@ link. You may customise the validator by passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g. when using :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. +Patched bundled jQuery for CVE-2019-11358: Prototype pollution +-------------------------------------------------------------- + +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of +``Object.prototype`` pollution. If an unsanitized source object contained an +enumerable ``__proto__`` property, it could extend the native +``Object.prototype``. + +The bundled version of jQuery used by the Django admin has been patched to +allow for the ``select2`` library's use of ``jQuery.extend()``. + Bugfixes ======== |
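Review bot: in the docs/releases/2.1.9.txt hunk, the added line `jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of` has a stray comma between subject and verb; drop it. The closing sentence, `The bundled version of jQuery used by the Django admin has been patched to allow for the ``select2`` library's use of ``jQuery.extend()``.`, also reads as if the change exists to accommodate select2 rather than to close CVE-2019-11358; suggest leading with the fact that the bundled jQuery received the upstream fix for the CVE (as the commit message states), and then noting that select2's use of jQuery.extend() continues to work. Stating which jQuery version is bundled would also help readers confirm whether their deployment ships the patched copy.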
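Review bot: the docs/releases/2.2.2.txt hunk adds the same text as the 2.1.9 hunk, including the stray comma in `jQuery before 3.4.0, mishandles` and the select2 sentence that obscures the security purpose of the change; whatever rewording is applied to 2.1.9.txt should be mirrored here so the two backported release notes stay identical. Placement before the `Bugfixes` heading, with the added blank line, keeps the reST section structure intact.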
