| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-02-24 14:46:28 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-03-04 09:04:50 +0100 |
| commit | 6695d29b1c1ce979725816295a26ecc64ae0e927 (patch) | |
| tree | 60198870b41a6d88c857cf82373db4adce759685 /docs/releases/1.11.29.txt | |
| parent | 65ab4f9f03e70733df6afd9d8454ec3700155111 (diff) | |
| download | django-6695d29b1c1ce979725816295a26ecc64ae0e927.tar.gz | |
Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.
Thanks to Norbert Szetei for the report.
Diffstat (limited to 'docs/releases/1.11.29.txt')
-rw-r--r-- | docs/releases/1.11.29.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/docs/releases/1.11.29.txt b/docs/releases/1.11.29.txt new file mode 100644 index 0000000000..d37f3ffc0d --- /dev/null +++ b/docs/releases/1.11.29.txt @@ -0,0 +1,13 @@ +============================ +Django 1.11.29 release notes +============================ + +*March 4, 2020* + +Django 1.11.29 fixes a security issue in 1.11.29. + +CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle +============================================================================================================ + +GIS functions and aggregates on Oracle were subject to SQL injection, +using a suitably crafted ``tolerance``. |
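Review bot: the sentence "Django 1.11.29 fixes a security issue in 1.11.29." in the new release note names the release itself as the affected version; the version in that sentence should be the preceding patch release, not 1.11.29. The CVE section also states only the vulnerability ("were subject to SQL injection, using a suitably crafted ``tolerance``") and not the remedy; the commit message says the ``tolerance`` parameter is now properly escaped in the Oracle GIS functions and aggregates, so adding that one sentence to the note would tell readers what actually changed in 1.11.29.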