django-cms · fsbraun · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,28 @@
 Changelog
 =========
 
+3.11.9 (2024-11-13)
+===================
+
+Bug Fixes:
+----------
+* XSS vulnerability for page title (#8075) (699f04e9b) -- Fabian Braun
+* fix: Accept legacy action names for page permission check (#8022) (fc4838f99) -- Fabian Braun
+
+
+Statistics:
+-----------
+
+This release includes 4 pull requests, and was created with the help of the following contributors (in alphabetical order):
+
+* Fabian Braun (2 pull requests)
+
+With the review help of the following contributors:
+
+* Mark Walker
+
+Thanks to all contributors for their efforts!
+
 3.11.8 (2024-09-10)
 ===================
 

diff --git a/cms/__init__.py b/cms/__init__.py
@@ -1 +1 @@
-__version__ = '3.11.8'
+__version__ = '3.11.9'
diff --git a/cms/static/cms/css/3.11.8/cms.base.css → cms/static/cms/css/3.11.9/cms.base.css b/cms/static/cms/css/3.11.8/cms.base.css → cms/static/cms/css/3.11.9/cms.base.css
diff --git a/cms/static/cms/css/3.11.8/cms.pagetree.css → cms/static/cms/css/3.11.9/cms.pagetree.css b/cms/static/cms/css/3.11.8/cms.pagetree.css → cms/static/cms/css/3.11.9/cms.pagetree.css
diff --git a/cms/static/cms/css/3.11.8/cms.welcome.css → cms/static/cms/css/3.11.9/cms.welcome.css b/cms/static/cms/css/3.11.8/cms.welcome.css → cms/static/cms/css/3.11.9/cms.welcome.css
diff --git a/cms/static/cms/css/3.11.8/cms.wizard.css → cms/static/cms/css/3.11.9/cms.wizard.css b/cms/static/cms/css/3.11.8/cms.wizard.css → cms/static/cms/css/3.11.9/cms.wizard.css
diff --git a/cms/static/cms/fonts/3.11.8/django-cms-iconfont.woff2 b/cms/static/cms/fonts/3.11.8/django-cms-iconfont.woff2
diff --git a/.../cms/fonts/3.11.8/django-cms-iconfont.eot → .../cms/fonts/3.11.9/django-cms-iconfont.eot b/.../cms/fonts/3.11.8/django-cms-iconfont.eot → .../cms/fonts/3.11.9/django-cms-iconfont.eot
diff --git a/.../cms/fonts/3.11.8/django-cms-iconfont.svg → .../cms/fonts/3.11.9/django-cms-iconfont.svg b/.../cms/fonts/3.11.8/django-cms-iconfont.svg → .../cms/fonts/3.11.9/django-cms-iconfont.svg
diff --git a/.../cms/fonts/3.11.8/django-cms-iconfont.ttf → .../cms/fonts/3.11.9/django-cms-iconfont.ttf b/.../cms/fonts/3.11.8/django-cms-iconfont.ttf → .../cms/fonts/3.11.9/django-cms-iconfont.ttf
diff --git a/...cms/fonts/3.11.8/django-cms-iconfont.woff → ...cms/fonts/3.11.9/django-cms-iconfont.woff b/...cms/fonts/3.11.8/django-cms-iconfont.woff → ...cms/fonts/3.11.9/django-cms-iconfont.woff
diff --git a/cms/static/cms/fonts/3.11.9/django-cms-iconfont.woff2 b/cms/static/cms/fonts/3.11.9/django-cms-iconfont.woff2
diff --git a/...s/js/dist/3.11.8/bundle.admin.base.min.js → ...s/js/dist/3.11.9/bundle.admin.base.min.js b/...s/js/dist/3.11.8/bundle.admin.base.min.js → ...s/js/dist/3.11.9/bundle.admin.base.min.js
diff --git a/...ist/3.11.8/bundle.admin.changeform.min.js → ...ist/3.11.9/bundle.admin.changeform.min.js b/...ist/3.11.8/bundle.admin.changeform.min.js → ...ist/3.11.9/bundle.admin.changeform.min.js
diff --git a/.../dist/3.11.8/bundle.admin.pagetree.min.js → .../dist/3.11.9/bundle.admin.pagetree.min.js b/.../dist/3.11.8/bundle.admin.pagetree.min.js → .../dist/3.11.9/bundle.admin.pagetree.min.js
diff --git a/...js/dist/3.11.8/bundle.admin.widget.min.js → ...js/dist/3.11.9/bundle.admin.widget.min.js b/...js/dist/3.11.8/bundle.admin.widget.min.js → ...js/dist/3.11.9/bundle.admin.widget.min.js
diff --git a/.../3.11.8/bundle.forms.apphookselect.min.js → .../3.11.9/bundle.forms.apphookselect.min.js b/.../3.11.8/bundle.forms.apphookselect.min.js → .../3.11.9/bundle.forms.apphookselect.min.js
diff --git a/...11.8/bundle.forms.pageselectwidget.min.js → ...11.9/bundle.forms.pageselectwidget.min.js b/...11.8/bundle.forms.pageselectwidget.min.js → ...11.9/bundle.forms.pageselectwidget.min.js
diff --git a/...8/bundle.forms.pagesmartlinkwidget.min.js → ...9/bundle.forms.pagesmartlinkwidget.min.js b/...8/bundle.forms.pagesmartlinkwidget.min.js → ...9/bundle.forms.pagesmartlinkwidget.min.js
diff --git a/...ist/3.11.8/bundle.forms.slugwidget.min.js → ...ist/3.11.9/bundle.forms.slugwidget.min.js b/...ist/3.11.8/bundle.forms.slugwidget.min.js → ...ist/3.11.9/bundle.forms.slugwidget.min.js
diff --git a/.../cms/js/dist/3.11.8/bundle.toolbar.min.js → .../cms/js/dist/3.11.9/bundle.toolbar.min.js b/.../cms/js/dist/3.11.8/bundle.toolbar.min.js → .../cms/js/dist/3.11.9/bundle.toolbar.min.js
diff --git a/cms/static/cms/sass/components/_iconography.scss b/cms/static/cms/sass/components/_iconography.scss
@@ -4,12 +4,12 @@
 // default font file generated by gulp
 @font-face {
     font-family: "django-cms-iconfont";
-    src: url("../../fonts/3.11.8/django-cms-iconfont.eot");
-    src: url("../../fonts/3.11.8/django-cms-iconfont.eot#iefix") format("eot"),
-         url("../../fonts/3.11.8/django-cms-iconfont.woff2") format("woff2"),
-         url("../../fonts/3.11.8/django-cms-iconfont.woff") format("woff"),
-         url("../../fonts/3.11.8/django-cms-iconfont.ttf") format("truetype"),
-         url("../../fonts/3.11.8/django-cms-iconfont.svg#django-cms-iconfont") format("svg");
+    src: url("../../fonts/3.11.9/django-cms-iconfont.eot");
+    src: url("../../fonts/3.11.9/django-cms-iconfont.eot#iefix") format("eot"),
+         url("../../fonts/3.11.9/django-cms-iconfont.woff2") format("woff2"),
+         url("../../fonts/3.11.9/django-cms-iconfont.woff") format("woff"),
+         url("../../fonts/3.11.9/django-cms-iconfont.ttf") format("truetype"),
+         url("../../fonts/3.11.9/django-cms-iconfont.svg#django-cms-iconfont") format("svg");
     font-weight: normal;
     font-style: normal;
 }

diff --git a/docs/upgrade/3.11.9.rst b/docs/upgrade/3.11.9.rst
@@ -0,0 +1,76 @@
+.. _upgrade-to-3.11.9:
+
+####################
+Release notes 3.11.9
+####################
+
+************
+Security fix
+************
+
+django CMS 3.11.9 closes a security vulnerability that could allow an attacker
+to inject malicious code into the page title allowing to load arbitrary
+javascript code when viewing the page. We recommend that you upgrade to
+this version as soon as possible.
+
+The security issue is of low severity, since an attacker needs to have access
+to the django CMS admin interface to exploit it.
+
+Thanks to `Ali İltizar (@alii76tt) <https://twitter.com/alii76tt>`_ for
+reporting the issue.
+
+.. note::
+
+   As ever, we remind our users and contributors that all security reports,
+   patches and concerns be addressed only to our security team by email, at
+   `security@django-cms.org <mailto:security@django-cms.org>`_.
+
+
+
+********************
+What's new in 3.11.9
+********************
+
+Bug Fixes:
+----------
+* XSS vulnerability for page title (#8075) (699f04e9b) -- Fabian Braun
+* fix: Accept legacy action names for page permission check (#8022) (fc4838f99) -- Fabian Braun
+
+
+Statistics:
+-----------
+
+This release includes 4 pull requests, and was created with the help of the following contributors (in alphabetical order):
+
+* Fabian Braun (2 pull requests)
+
+With the review help of the following contributors:
+
+* Mark Walker
+
+Thanks to all contributors for their efforts!
+
+************************
+How to upgrade to 3.11.9
+************************
+
+We assume you are upgrading from django CMS 3.11.8.
+
+Please make sure that your current database is consistent and in a healthy
+state, and **make a copy of the database before proceeding further.**
+
+Then run::
+
+    python manage.py migrate  # to ensure that your database is up-to-date with migrations
+    python manage.py cms fix-tree
+
+Check custom code and third-party applications for use of deprecated or removed functionality or
+APIs (see above). Some third-party components may need to be updated.
+
+Install the new version of django CMS from GitHub or via pip.
+
+Run::
+
+    python manage.py migrate
+
+to apply the new migrations.
diff --git a/docs/upgrade/index.rst b/docs/upgrade/index.rst
@@ -13,6 +13,7 @@ makes changes to your database.
 .. toctree::
     :maxdepth: 1
 
+    3.11.9
     3.11.8
     3.11.7
     3.11.6
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,6 +13,7 @@ makes changes to your database. @@
     .. toctree::
         :maxdepth: 1
+.11.9
 .11.8
 .11.7
 .11.6
@@ Expand Down @@