Diffstat (limited to 'docs/releases/1.4.21.txt')

-rw-r--r--  docs/releases/1.4.21.txt | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+), 0 deletions(-)
diff --git a/docs/releases/1.4.21.txt b/docs/releases/1.4.21.txt
index da69b26564..477f9a722c 100644
--- a/docs/releases/1.4.21.txt
+++ b/docs/releases/1.4.21.txt
@@ -26,3 +26,29 @@ As each built-in session backend was fixed separately (rather than a fix in the
core sessions framework), maintainers of third-party session backends should
check whether the same vulnerability is present in their backend and correct
it if so.
+
+Header injection possibility since validators accept newlines in input
+======================================================================
+
+Some of Django's built-in validators
+(``django.core.validators.EmailValidator``, most seriously) didn't
+prohibit newline characters (due to the usage of ``$`` instead of ``\Z`` in the
+regular expressions). If you use values with newlines in HTTP response or email
+headers, you can suffer from header injection attacks. Django itself isn't
+vulnerable because :class:`~django.http.HttpResponse` and the mail sending
+utilities in :mod:`django.core.mail` prohibit newlines in HTTP and SMTP
+headers, respectively. While the validators have been fixed in Django, if
+you're creating HTTP responses or email messages in other ways, it's a good
+idea to ensure that those methods prohibit newlines as well. You might also
+want to validate that any existing data in your application doesn't contain
+unexpected newlines.
+
+:func:`~django.core.validators.validate_ipv4_address`,
+:func:`~django.core.validators.validate_slug`, and
+:class:`~django.core.validators.URLValidator` and their usage in the
+corresponding form fields ``GenericIPAddresseField``, ``IPAddressField``,
+``SlugField``, and ``URLField`` are also affected.
+
+The undocumented, internally unused ``validate_integer()`` function is now
+stricter as it validates using a regular expression instead of simply casting
+the value using ``int()`` and checking if an exception was raised.
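Review bot: the form field list in the second paragraph has a typo, ``GenericIPAddresseField`` should be ``GenericIPAddressField``, which is the actual class name in ``django.forms`` and is what readers will search for. In the same section the markup is inconsistent: ``django.core.validators.EmailValidator`` is written as a plain literal while the other validators use Sphinx roles, so it should be :class:`~django.core.validators.EmailValidator` to match and to get a cross-reference link. The parenthetical "due to the usage of ``$`` instead of ``\Z``" would be clearer with one extra clause for readers who do not know Python's ``re`` semantics: ``$`` also matches just before a trailing newline, so a pattern anchored with ``^...$`` accepts ``"user@example.com\n"``, whereas ``\Z`` matches only at the true end of the string. Finally, the last paragraph says ``validate_integer()`` is "now stricter" without saying what changes for callers; if any previously accepted input is now rejected, that is a backwards-incompatible change and should be listed as such rather than left implicit.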