author: Simon Charette <charette.s@gmail.com> 2019-12-31 12:46:06 -0500
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2020-01-26 18:51:25 +0100
commit: c67a368c16e4680b324b4f385398d638db4d8147 (patch)
tree: 3898d0ce4b7b3010bf893023f9c1320db5ec90f2 /docs
parent: 96d644312106337d714790cbedfcb227f0faa609 (diff)
[2.2.x] Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
Diffstat (limited to 'docs'):
-rw-r--r--  docs/releases/1.11.28.txt  13
-rw-r--r--  docs/releases/2.2.10.txt   13
-rw-r--r--  docs/releases/index.txt     2
3 files changed, 28 insertions, 0 deletions
diff --git a/docs/releases/1.11.28.txt b/docs/releases/1.11.28.txt
new file mode 100644
index 0000000000..81ccb0ce06
--- /dev/null
+++ b/docs/releases/1.11.28.txt
@@ -0,0 +1,13 @@
+============================
+Django 1.11.28 release notes
+============================
+
+*February 3, 2020*
+
+Django 1.11.28 fixes a security issue in 1.11.27.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.
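Review bot: the release note names the vulnerability but not the remedy. The commit title says the ``delimiter`` parameter is now properly escaped, and the last two lines of this hunk only state that the aggregate "was subject to SQL injection, using a suitably crafted ``delimiter``". Suggest appending a sentence such as "The ``delimiter`` is now properly escaped." so readers of the 1.11.28 notes know what changed rather than only what was wrong. Minor grammar in the same sentence: it should open with "The :class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was ...".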
diff --git a/docs/releases/2.2.10.txt b/docs/releases/2.2.10.txt
new file mode 100644
index 0000000000..f82774dea0
--- /dev/null
+++ b/docs/releases/2.2.10.txt
@@ -0,0 +1,13 @@
+===========================
+Django 2.2.10 release notes
+===========================
+
+*February 3, 2020*
+
+Django 2.2.10 fixes a security issue in 2.2.9.
+
+CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``
+===================================================================
+
+:class:`~django.contrib.postgres.aggregates.StringAgg` aggregation function was
+subject to SQL injection, using a suitably crafted ``delimiter``.
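Review bot: this file is a verbatim copy of the 1.11.28 note above apart from the version numbers, so any wording fix applied there (the missing "The" before the :class: reference, and a closing sentence stating that the ``delimiter`` is now escaped, as the commit title says) needs to be applied here too; otherwise the two security notes for the same CVE will drift apart.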
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 6a1e2e07d7..8a8756ee11 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 2.2.10
2.2.9
2.2.8
2.2.7
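Review bot: the new ``2.2.10`` toctree entry must carry the same indentation as the existing ``2.2.9`` line directly below it, or Sphinx will treat it as a paragraph outside the directive rather than as a toctree item; the rendered diff strips leading whitespace, so this cannot be confirmed from the hunk as shown and should be checked in the raw file.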
@@ -83,6 +84,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.11.28
1.11.27
1.11.26
1.11.25