[2.2.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.

Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report. Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-03-16 10:19:00 +0100
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-04-06 08:38:19 +0200
commit: 4036d62bda0e9e9f6172943794b744a454ca49c2 (patch)
tree: 09d0665de185d5af3bd7c01d5b15cef1f9f065cc /docs
parent: 6e58828f8bcd33dfc91f236a972ae5fd23c9b0bc (diff)
2 files changed, 16 insertions, 0 deletions
diff --git a/docs/releases/2.2.20.txt b/docs/releases/2.2.20.txt
new file mode 100644
index 0000000000..a67c515021
--- /dev/null
+++ b/docs/releases/2.2.20.txt
@@ -0,0 +1,15 @@
+===========================
+Django 2.2.20 release notes
+===========================
+
+*April 6, 2021*
+
+Django 2.2.20 fixes a security issue with severity "low" in 2.2.19.
+
+CVE-2021-28658: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser`` allowed directory-traversal via uploaded files with
+suitably crafted file names.
+
+Built-in upload handlers were not affected by this vulnerability.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index ec8ce37eed..7ccec86e15 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   2.2.20
    2.2.19
    2.2.18
    2.2.17
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2021-03-16 10:19:00 +0100
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2021-04-06 08:38:19 +0200
commit	4036d62bda0e9e9f6172943794b744a454ca49c2 (patch)
tree	09d0665de185d5af3bd7c01d5b15cef1f9f065cc /docs
parent	6e58828f8bcd33dfc91f236a972ae5fd23c9b0bc (diff)