mirror of
https://github.com/django/django.git
synced 2025-10-14 20:41:00 +00:00
Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report.
This commit is contained in:
Mariusz Felisiak
parent
78fea27f69
commit
d4d800ca1a
9 changed files with 159 additions and 23 deletions
15
docs/releases/2.2.20.txt
Normal file
15
docs/releases/2.2.20.txt
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
===========================
|
||||
Django 2.2.20 release notes
|
||||
===========================
|
||||
|
||||
*April 6, 2021*
|
||||
|
||||
Django 2.2.20 fixes a security issue with severity "low" in 2.2.19.
|
||||
|
||||
CVE-2021-28658: Potential directory-traversal via uploaded files
|
||||
================================================================
|
||||
|
||||
``MultiPartParser`` allowed directory-traversal via uploaded files with
|
||||
suitably crafted file names.
|
||||
|
||||
Built-in upload handlers were not affected by this vulnerability.
|
||||
15
docs/releases/3.0.14.txt
Normal file
15
docs/releases/3.0.14.txt
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
===========================
|
||||
Django 3.0.14 release notes
|
||||
===========================
|
||||
|
||||
*April 6, 2021*
|
||||
|
||||
Django 3.0.14 fixes a security issue with severity "low" in 3.0.13.
|
||||
|
||||
CVE-2021-28658: Potential directory-traversal via uploaded files
|
||||
================================================================
|
||||
|
||||
``MultiPartParser`` allowed directory-traversal via uploaded files with
|
||||
suitably crafted file names.
|
||||
|
||||
Built-in upload handlers were not affected by this vulnerability.
|
||||
|
|
@ -2,9 +2,17 @@
|
|||
Django 3.1.8 release notes
|
||||
==========================
|
||||
|
||||
*Expected April 5, 2021*
|
||||
*April 6, 2021*
|
||||
|
||||
Django 3.1.8 fixes several bugs in 3.1.7.
|
||||
Django 3.1.8 fixes a security issue with severity "low" and a bug in 3.1.7.
|
||||
|
||||
CVE-2021-28658: Potential directory-traversal via uploaded files
|
||||
================================================================
|
||||
|
||||
``MultiPartParser`` allowed directory-traversal via uploaded files with
|
||||
suitably crafted file names.
|
||||
|
||||
Built-in upload handlers were not affected by this vulnerability.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
|
|
|||
|
|
@ -54,6 +54,7 @@ versions of the documentation contain the release notes for any later releases.
|
|||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
3.0.14
|
||||
3.0.13
|
||||
3.0.12
|
||||
3.0.11
|
||||
|
|
@ -74,6 +75,7 @@ versions of the documentation contain the release notes for any later releases.
|
|||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
2.2.20
|
||||
2.2.19
|
||||
2.2.18
|
||||
2.2.17
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue