summaryrefslogtreecommitdiff
path: root/docs/releases/3.2.2.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/3.2.2.txt')
-rw-r--r--docs/releases/3.2.2.txt19
1 files changed, 17 insertions, 2 deletions
diff --git a/docs/releases/3.2.2.txt b/docs/releases/3.2.2.txt
index d47da08d6c..a899bc6e29 100644
--- a/docs/releases/3.2.2.txt
+++ b/docs/releases/3.2.2.txt
@@ -2,9 +2,24 @@
Django 3.2.2 release notes
==========================
-*Expected June 1, 2021*
+*May 6, 2021*
-Django 3.2.2 fixes several bugs in 3.2.1.
+Django 3.2.2 fixes a security issue and a bug in 3.2.1.
+
+CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
+===============================================================================================================
+
+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
+newlines and tabs. If you used values with newlines in HTTP response, you could
+suffer from header injection attacks. Django itself wasn't vulnerable because
+:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.
+
+Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
+removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
+entering your data only existed if you are using this validator outside of the
+form fields.
+
+This issue was introduced by the :bpo:`43882` fix.
Bugfixes
========
View Lorry Controller Status