1 files changed, 10 insertions, 0 deletions

diff --git a/docs/releases/2.2.4.txt b/docs/releases/2.2.4.txt
index 3aac51869c..8a71fec783 100644
--- a/docs/releases/2.2.4.txt
+++ b/docs/releases/2.2.4.txt
@@ -46,6 +46,16 @@ CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONFie
 were subject to SQL injection, using a suitably crafted dictionary, with
 dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
 
+CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
+=====================================================================================
+
+If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
+to significant memory usage due to excessive recursion when re-percent-encoding
+invalid UTF-8 octet sequences.
+
+``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
+octet sequences.
+
 Bugfixes
 ========