diff options
Diffstat (limited to 'docs/releases/2.1.9.txt')
| -rw-r--r-- | docs/releases/2.1.9.txt | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/releases/2.1.9.txt b/docs/releases/2.1.9.txt index 0022de965c..7a479c89f1 100644 --- a/docs/releases/2.1.9.txt +++ b/docs/releases/2.1.9.txt @@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link. link. You may customise the validator by passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g. when using :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. + +Patched bundled jQuery for CVE-2019-11358: Prototype pollution +-------------------------------------------------------------- + +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of +``Object.prototype`` pollution. If an unsanitized source object contained an +enumerable ``__proto__`` property, it could extend the native +``Object.prototype``. + +The bundled version of jQuery used by the Django admin has been patched to +allow for the ``select2`` library's use of ``jQuery.extend()``. |