author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-07-01 10:03:43 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-07-01 10:03:43 +0200
commit: 8c85c8692240e5ae4b568eb4272475fe1fa4b059 (patch)
tree: 26d517572e5acbe1ea708f99454e0d8751f4393a
parent: cf00b5612ec9e3b4a657237ee1ccd13f175a4a9e (diff)
[2.0.x] Forwardported 1.11.22 release notes. (branch: stable/2.0.x)
-rw-r--r-- docs/releases/1.11.22.txt | 27
-rw-r--r-- docs/releases/index.txt   |  1
2 files changed, 28 insertions, 0 deletions
diff --git a/docs/releases/1.11.22.txt b/docs/releases/1.11.22.txt
new file mode 100644
index 0000000000..58ea68146e
--- /dev/null
+++ b/docs/releases/1.11.22.txt
@@ -0,0 +1,27 @@
+============================
+Django 1.11.22 release notes
+============================
+
+*July 1, 2019*
+
+Django 1.11.22 fixes a security issue in 1.11.21.
+
+CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
+--------------------------------------------------------------------------------
+
+When deployed behind a reverse-proxy connecting to Django via HTTPS,
+:attr:`django.http.HttpRequest.scheme` would incorrectly detect client
+requests made via HTTP as using HTTPS. This entails incorrect results for
+:meth:`~django.http.HttpRequest.is_secure`, and
+:meth:`~django.http.HttpRequest.build_absolute_uri`, and that HTTP
+requests would not be redirected to HTTPS in accordance with
+:setting:`SECURE_SSL_REDIRECT`.
+
+``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it
+is configured, and the appropriate header is set on the request, for both HTTP
+and HTTPS requests.
+
+If you deploy Django behind a reverse-proxy that forwards HTTP requests, and
+that connects to Django via HTTPS, be sure to verify that your application
+correctly handles code paths relying on ``scheme``, ``is_secure()``,
+``build_absolute_uri()``, and ``SECURE_SSL_REDIRECT``.
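Review bot: the paragraph beginning "``HttpRequest.scheme`` now respects :setting:`SECURE_PROXY_SSL_HEADER`, if it is configured" covers only the configured case and never says what ``scheme`` reports when the setting is absent, which is the default state of exactly the deployment the final paragraph addresses (a reverse proxy that forwards client HTTP requests but connects to Django over HTTPS). Add one sentence stating whether, without the setting, ``scheme`` still reflects the proxy-to-Django connection, so that operators can tell whether configuring ``SECURE_PROXY_SSL_HEADER`` is part of the remediation or merely an option. The final paragraph would also be more actionable if it named the consequence of the new behaviour for the listed code paths, since "verify that your application correctly handles" gives no hint what changed: with the header configured, a client HTTP request is now reported as HTTP, so ``is_secure()`` returns ``False``, ``build_absolute_uri()`` produces ``http://`` URLs and ``SECURE_SSL_REDIRECT`` issues the redirect it previously skipped. Minor style point: "reverse-proxy" is hyphenated as a noun throughout ("behind a reverse-proxy connecting", "behind a reverse-proxy that forwards"); the hyphen belongs only to the adjectival form ("reverse-proxy connection"), so these should read "reverse proxy", matching the heading's own "with reverse-proxy connecting" only if that is also rewritten.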
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 38ab2fb1e2..4ad7f9e2d1 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -45,6 +45,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.11.22
1.11.21
1.11.20
1.11.19