1 files changed, 22 insertions, 2 deletions

diff --git a/docs/releases/2.2.3.txt b/docs/releases/2.2.3.txt
index 2bb8736192..1dd20d3bfd 100644
--- a/docs/releases/2.2.3.txt
+++ b/docs/releases/2.2.3.txt
@@ -4,8 +4,28 @@ Django 2.2.3 release notes
 
 *Expected July 1, 2019*
 
-Django 2.2.3 fixes several bugs in 2.2.2. Also, the latest string translations
-from Transifex are incorporated.
+Django 2.2.3 fixes a security issue and several bugs in 2.2.2. Also, the latest
+string translations from Transifex are incorporated.
+
+CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
+--------------------------------------------------------------------------------
+
+When deployed behind a reverse-proxy connecting to Django via HTTPS,
+:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
+requests made via HTTP as using HTTPS. This entails incorrect results for
+:meth:`~django.http.HttpRequest.is_secure`, and
+:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
+requests would not be redirected to HTTPS in accordance with
+:setting:`SECURE_SSL_REDIRECT`.
+
+``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it is
+configured, and the appropriate header is set on the request, for both HTTP and
+HTTPS requests.
+
+If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
+that connects to Django via HTTPS, be sure to verify that your application
+correctly handles code paths relying on ``scheme``, ``is_secure()``,
+``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
 
 Bugfixes
 ========