From dae83a24519d6f284c74414e0b81d64d9b5a0db4 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Fri, 18 Jun 2021 01:16:10 -0400
Subject: [PATCH] Forwardported release notes for CVE-2021-35042.

---
 docs/releases/3.1.13.txt | 14 +++++++++++++-
 docs/releases/3.2.5.txt  | 18 ++++++++++++++++--
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/docs/releases/3.1.13.txt b/docs/releases/3.1.13.txt
index 9f5b2b38cd..af8ccec535 100644
--- a/docs/releases/3.1.13.txt
+++ b/docs/releases/3.1.13.txt
@@ -6,4 +6,16 @@ Django 3.1.13 release notes
 
 Django 3.1.13 fixes a security issues with severity "high" in 3.1.12.
 
-...
+CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
+=====================================================================================
+
+Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended
+column reference validation in path marked for deprecation resulting in a
+potential SQL injection even if a deprecation warning is emitted.
+
+As a mitigation the strict column reference validation was restored for the
+duration of the deprecation period. This regression appeared in 3.1 as a side
+effect of fixing :ticket:`31426`.
+
+The issue is not present in the main branch as the deprecated path has been
+removed.
diff --git a/docs/releases/3.2.5.txt b/docs/releases/3.2.5.txt
index 9cc49e0ea1..533ecec4dd 100644
--- a/docs/releases/3.2.5.txt
+++ b/docs/releases/3.2.5.txt
@@ -4,8 +4,22 @@ Django 3.2.5 release notes
 
 *July 1, 2021*
 
-Django 3.2.5 fixes several bugs in 3.2.4. Also, the latest string translations
-from Transifex are incorporated.
+Django 3.2.5 fixes a security issue with severity "high" and several bugs in
+3.2.4. Also, the latest string translations from Transifex are incorporated.
+
+CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
+=====================================================================================
+
+Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended
+column reference validation in path marked for deprecation resulting in a
+potential SQL injection even if a deprecation warning is emitted.
+
+As a mitigation the strict column reference validation was restored for the
+duration of the deprecation period. This regression appeared in 3.1 as a side
+effect of fixing :ticket:`31426`.
+
+The issue is not present in the main branch as the deprecated path has been
+removed.
 
 Bugfixes
 ========