diff --git a/docs/releases/security.txt b/docs/releases/security.txt index ddb4871a7b..c8d29ef7ba 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -691,8 +691,8 @@ Versions affected * Django 1.8 `(patch) `__ * Django 1.7 `(patch) `__ -February 1, 2016 -- CVE-2016-2048 ---------------------------------- +February 1, 2016 - CVE-2016-2048 +-------------------------------- `CVE-2016-2048 `_: User with "change" but not "add" permission can create objects for ``ModelAdmin``’s with ``save_as=True``. @@ -702,3 +702,29 @@ Versions affected ~~~~~~~~~~~~~~~~~ * Django 1.9 `(patch) `__ + +March 1, 2016 - CVE-2016-2512 +----------------------------- + +`CVE-2016-2512 `_: +Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. +`Full description `__ + +Versions affected +~~~~~~~~~~~~~~~~~ + +* Django 1.9 `(patch) `__ +* Django 1.8 `(patch) `__ + +March 1, 2016 - CVE-2016-2513 +----------------------------- + +`CVE-2016-2513 `_: +User enumeration through timing difference on password hasher work factor upgrade. +`Full description `__ + +Versions affected +~~~~~~~~~~~~~~~~~ + +* Django 1.9 `(patch) `__ +* Django 1.8 `(patch) `__
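Review bot: In the `@@ -691,8 +691,8 @@` hunk, the change to the existing CVE-2016-2048 heading (separator `--` becomes `-`, underline shortened to match) is a formatting cleanup unrelated to the two entries this patch adds. Mention it in the commit message or split it out, and confirm that the file's other date headings use the same single-hyphen form, since only this one heading is visible in the hunk.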
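Review bot: In the `@@ -702,3 +702,29 @@` hunk, both new summary lines are unwrapped: `Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth.` is 97 characters and the CVE-2016-2513 summary is 82. Wrap them as ordinary paragraph text. Also check before merging that each `(patch)` and `Full description` link resolves to the right target for its branch (1.9 and 1.8), because the two entries are copies of the same template and a swapped link would not show up in the rendered text.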