diff options
Diffstat (limited to 'docs/releases/1.11.18.txt')
| -rw-r--r-- | docs/releases/1.11.18.txt | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/1.11.18.txt b/docs/releases/1.11.18.txt new file mode 100644 index 0000000000..82a229e6dd --- /dev/null +++ b/docs/releases/1.11.18.txt @@ -0,0 +1,18 @@ +============================ +Django 1.11.18 release notes +============================ + +*January 4, 2019* + +Django 1.11.18 fixes a security issue in 1.11.17. + +CVE-2019-3498: Content spoofing possibility in the default 404 page +------------------------------------------------------------------- + +An attacker could craft a malicious URL that could make spoofed content appear +on the default page generated by the ``django.views.defaults.page_not_found()`` +view. + +The URL path is no longer displayed in the default 404 template and the +``request_path`` context variable is now quoted to fix the issue for custom +templates that use the path. |