mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00

Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.

Thanks to Norbert Szetei for the report.
Mariusz Felisiak
2020-02-24 14:46:28 +01:00
parent 65ab4f9f03
commit 6695d29b1c
8 changed files with 117 additions and 15 deletions

docs/releases/1.11.29.txt Normal file

@@ -0,0 +1,13 @@
============================
Django 1.11.29 release notes
============================
*March 4, 2020*
Django 1.11.29 fixes a security issue in 1.11.29.
CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle
============================================================================================================
GIS functions and aggregates on Oracle were subject to SQL injection,
using a suitably crafted ``tolerance``.
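Review bot: the line "Django 1.11.29 fixes a security issue in 1.11.29." in this hunk refers to the release to itself; a release note should name the earlier release that contained the issue, so the second version number should be the release being patched (the previous 1.11.x release, 1.11.28, if that is the one this follows) rather than 1.11.29. It would also help to close the CVE section with one sentence stating what changed, in line with the commit message: that the ``tolerance`` parameter passed to GIS functions and aggregates on Oracle is now properly escaped, so readers of the notes learn the remedy and not only the exposure.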