p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[1.8.x] Backported the latest version of the security issue archive.

This commit is contained in:
Tim Graham 2015-11-24 14:05:09 -05:00
parent 843208990b
commit 2be1bdcfd0
1 changed files with 168 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

213
docs/releases/security.txt
View File

@ -42,7 +42,7 @@ issued at the time and CVEs may not have been assigned.
August 16, 2006 - CVE-2007-0404
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
`CVE-2007-0404 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
Versions affected
-----------------
@ -54,7 +54,7 @@ Versions affected
January 21, 2007 - CVE-2007-0405
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
`CVE-2007-0405 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
Versions affected
-----------------
@ -70,7 +70,7 @@ security process. These are listed below.
October 26, 2007 - CVE-2007-5712
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
`CVE-2007-5712 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
Versions affected
-----------------
@ -82,7 +82,7 @@ Versions affected
May 14, 2008 - CVE-2008-2302
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
`CVE-2008-2302 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
Versions affected
-----------------
@ -94,7 +94,7 @@ Versions affected
September 2, 2008 - CVE-2008-3909
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
`CVE-2008-3909 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
Versions affected
-----------------
@ -106,7 +106,7 @@ Versions affected
July 28, 2009 - CVE-2009-2659
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
`CVE-2009-2659 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
Versions affected
-----------------
@ -117,7 +117,7 @@ Versions affected
October 9, 2009 - CVE-2009-3965
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
`CVE-2009-3965 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
Versions affected
-----------------
@ -128,7 +128,7 @@ Versions affected
September 8, 2010 - CVE-2010-3082
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
`CVE-2010-3082 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
Versions affected
-----------------
@ -138,7 +138,7 @@ Versions affected
December 22, 2010 - CVE-2010-4534
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
`CVE-2010-4534 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
Versions affected
-----------------
@ -149,7 +149,7 @@ Versions affected
December 22, 2010 - CVE-2010-4535
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
`CVE-2010-4535 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
Versions affected
-----------------
@ -160,7 +160,7 @@ Versions affected
February 8, 2011 - CVE-2011-0696
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
`CVE-2011-0696 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
-----------------
@ -171,7 +171,7 @@ Versions affected
February 8, 2011 - CVE-2011-0697
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
`CVE-2011-0697 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
-----------------
@ -182,7 +182,7 @@ Versions affected
February 8, 2011 - CVE-2011-0698
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
`CVE-2011-0698 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
-----------------
@ -193,7 +193,7 @@ Versions affected
September 9, 2011 - CVE-2011-4136
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
`CVE-2011-4136 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
-----------------
@ -204,7 +204,7 @@ Versions affected
September 9, 2011 - CVE-2011-4137
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
`CVE-2011-4137 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
-----------------
@ -215,7 +215,7 @@ Versions affected
September 9, 2011 - CVE-2011-4138
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
`CVE-2011-4138 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
-----------------
@ -226,7 +226,7 @@ Versions affected
September 9, 2011 - CVE-2011-4139
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
`CVE-2011-4139 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
-----------------
@ -237,7 +237,7 @@ Versions affected
September 9, 2011 - CVE-2011-4140
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
`CVE-2011-4140 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
-----------------
@ -250,7 +250,7 @@ This notification was an advisory only, so no patches were issued.
July 30, 2012 - CVE-2012-3442
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
`CVE-2012-3442 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
Versions affected
-----------------
@ -261,7 +261,7 @@ Versions affected
July 30, 2012 - CVE-2012-3443
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
`CVE-2012-3443 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
Versions affected
-----------------
@ -272,7 +272,7 @@ Versions affected
July 30, 2012 - CVE-2012-3444
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
`CVE-2012-3444 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
Versions affected
-----------------
@ -283,7 +283,7 @@ Versions affected
October 17, 2012 - CVE-2012-4520
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
`CVE-2012-4520 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
Versions affected
-----------------
@ -327,7 +327,7 @@ Versions affected
February 19, 2013 - CVE-2013-1664/1665
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
`CVE-2013-1664 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
Versions affected
-----------------
@ -338,7 +338,7 @@ Versions affected
February 19, 2013 - CVE-2013-0305
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
`CVE-2013-0305 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
Versions affected
-----------------
@ -349,7 +349,7 @@ Versions affected
February 19, 2013 - CVE-2013-0306
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
`CVE-2013-0306 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
Versions affected
-----------------
@ -357,20 +357,20 @@ Versions affected
* Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__
August 13, 2013 - Awaiting CVE 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
August 13, 2013 - CVE-2013-4249
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(CVE not yet issued): XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
`CVE-2013-4249 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4249&cid=2>`_: XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
Versions affected
-----------------
* Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
August 13, 2013 - Awaiting CVE 2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
August 13, 2013 - CVE-2013-6044
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(CVE not yet issued): Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
`CVE-2013-6044 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6044&cid=2>`_: Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
Versions affected
-----------------
@ -381,7 +381,7 @@ Versions affected
September 10, 2013 - CVE-2013-4315
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
`CVE-2013-4315 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
Versions affected
-----------------
@ -403,7 +403,7 @@ Versions affected
April 21, 2014 - CVE-2014-0472
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-0472 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472&cid=2>`_: Unexpected code execution using ``reverse()``. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
`CVE-2014-0472 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472&cid=2>`_: Unexpected code execution using ``reverse()``. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
Versions affected
-----------------
@ -416,7 +416,7 @@ Versions affected
April 21, 2014 - CVE-2014-0473
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-0473 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0473&cid=2>`_: Caching of anonymous pages could reveal CSRF token. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
`CVE-2014-0473 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0473&cid=2>`_: Caching of anonymous pages could reveal CSRF token. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
Versions affected
-----------------
@ -429,7 +429,7 @@ Versions affected
April 21, 2014 - CVE-2014-0474
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-0474 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474&cid=2>`_: MySQL typecasting causes unexpected query results. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
`CVE-2014-0474 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474&cid=2>`_: MySQL typecasting causes unexpected query results. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
Versions affected
-----------------
@ -442,7 +442,7 @@ Versions affected
May 18, 2014 - CVE-2014-1418
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-1418 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1418&cid=2>`_: Caches may be allowed to store and serve private data. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
`CVE-2014-1418 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1418&cid=2>`_: Caches may be allowed to store and serve private data. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
Versions affected
-----------------
@ -455,7 +455,7 @@ Versions affected
May 18, 2014 - CVE-2014-3730
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-3730 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3730&cid=2>`_: Malformed URLs from user input incorrectly validated. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
`CVE-2014-3730 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3730&cid=2>`_: Malformed URLs from user input incorrectly validated. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
Versions affected
-----------------
@ -468,7 +468,7 @@ Versions affected
August 20, 2014 - CVE-2014-0480
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-0480 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0480&cid=2>`_: reverse() can generate URLs pointing to other hosts. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
`CVE-2014-0480 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0480&cid=2>`_: reverse() can generate URLs pointing to other hosts. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
Versions affected
-----------------
@ -481,7 +481,7 @@ Versions affected
August 20, 2014 - CVE-2014-0481
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-0481 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0481&cid=2>`_: File upload denial of service. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
`CVE-2014-0481 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0481&cid=2>`_: File upload denial of service. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
Versions affected
-----------------
@ -494,7 +494,7 @@ Versions affected
August 20, 2014 - CVE-2014-0482
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-0482 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0482&cid=2>`_: RemoteUserMiddleware session hijacking. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
`CVE-2014-0482 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0482&cid=2>`_: RemoteUserMiddleware session hijacking. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
Versions affected
-----------------
@ -507,7 +507,7 @@ Versions affected
August 20, 2014 - CVE-2014-0483
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2014-0483 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0483&cid=2>`_: Data leakage via querystring manipulation in admin. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
`CVE-2014-0483 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0483&cid=2>`_: Data leakage via querystring manipulation in admin. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
Versions affected
-----------------
@ -520,7 +520,7 @@ Versions affected
January 13, 2015 - CVE-2015-0219
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-0219 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0219&cid=2>`_:
`CVE-2015-0219 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0219&cid=2>`_:
WSGI header spoofing via underscore/dash conflation.
`Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
@ -534,7 +534,7 @@ Versions affected
January 13, 2015 - CVE-2015-0220
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-0220 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0220&cid=2>`_: Mitigated possible XSS attack via user-supplied redirect URLs. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
`CVE-2015-0220 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0220&cid=2>`_: Mitigated possible XSS attack via user-supplied redirect URLs. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
Versions affected
-----------------
@ -546,7 +546,7 @@ Versions affected
January 13, 2015 - CVE-2015-0221
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-0221 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0221&cid=2>`_:
`CVE-2015-0221 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0221&cid=2>`_:
Denial-of-service attack against ``django.views.static.serve()``.
`Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
@ -560,7 +560,7 @@ Versions affected
January 13, 2015 - CVE-2015-0222
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-0222 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0222&cid=2>`_:
`CVE-2015-0222 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0222&cid=2>`_:
Database denial-of-service with ``ModelMultipleChoiceField``.
`Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
@ -569,3 +569,126 @@ Versions affected
* Django 1.6 `(patch) <https://github.com/django/django/commit/d7a06ee7e571b6dad07c0f5b519b1db02e2a476c>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/bcfb47780ce7caecb409a9e9c1c314266e41d392>`__
March 9, 2015 - CVE-2015-2241
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-2241 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2241&cid=2>`_:
XSS attack via properties in ``ModelAdmin.readonly_fields``.
`Full description <https://www.djangoproject.com/weblog/2015/mar/09/security-releases/>`__
Versions affected
-----------------
* Django 1.7 `(patch) <https://github.com/django/django/commit/d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059>`__
* Django 1.8 `(patch) <https://github.com/django/django/commit/2654e1b93923bac55f12b4e66c5e39b16695ace5>`_
March 18, 2015 - CVE-2015-2316
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-2316 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2316&cid=2>`_:
Denial-of-service possibility with ``strip_tags()``.
`Full description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__
Versions affected
-----------------
* Django 1.6 `(patch) <https://github.com/django/django/commit/b6b3cb9899214a23ebb0f4ebf0e0b300b0ee524f>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/e63363f8e075fa8d66326ad6a1cc3391cc95cd97>`__
* Django 1.8 `(patch) <https://github.com/django/django/commit/5447709a571cd5d95971f1d5d21d4a7edcf85bbd>`__
March 18, 2015 - CVE-2015-2317
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-2317 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2317&cid=2>`_:
Mitigated possible XSS attack via user-supplied redirect URLs.
`Full description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__
Versions affected
-----------------
* Django 1.4 `(patch) <https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b>`__
* Django 1.6 `(patch) <https://github.com/django/django/commit/5510f070711540aaa8d3707776cd77494e688ef9>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/2a4113dbd532ce952308992633d802dc169a75f1>`__
* Django 1.8 `(patch) <https://github.com/django/django/commit/770427c2896a078925abfca2317486b284d22f04>`__
May 20, 2015 - CVE-2015-3982
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-3982 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3982&cid=2>`_:
Fixed session flushing in the cached_db backend.
`Full description <https://www.djangoproject.com/weblog/2015/may/20/security-release/>`__
Versions affected
-----------------
* Django 1.8 `(patch) <https://github.com/django/django/commit/31cb25adecba930bdeee4556709f5a1c42d88fd6>`__
July 8, 2015 - CVE-2015-5143
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-5143 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5143&cid=2>`_:
Denial-of-service possibility by filling session store.
`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
Versions affected
-----------------
* Django 1.8 `(patch) <https://github.com/django/django/commit/66d12d1ababa8f062857ee5eb43276493720bf16>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/1828f4341ec53a8684112d24031b767eba557663>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/2e47f3e401c29bc2ba5ab794d483cb0820855fb9>`__
July 8, 2015 - CVE-2015-5144
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-5144 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5144&cid=2>`_:
Header injection possibility since validators accept newlines in input.
`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
Versions affected
-----------------
* Django 1.8 `(patch) <https://github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a>`__
July 8, 2015 - CVE-2015-5145
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-5145 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5145&cid=2>`_:
Denial-of-service possibility in URL validation.
`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
Versions affected
-----------------
* Django 1.8 `(patch) <https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c>`__
August 18, 2015 - CVE-2015-5963/CVE-2015-5964
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-5963 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5963&cid=2>`_
and
`CVE-2015-5964 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5964&cid=2>`_:
Denial-of-service possibility in ``logout()`` view by filling session store.
`Full description <https://www.djangoproject.com/weblog/2015/aug/18/security-releases/>`__
Versions affected
-----------------
* Django 1.8 `(patch) <https://github.com/django/django/commit/2eb86b01d7b59be06076f6179a454d0fd0afaff6>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/2f5485346ee6f84b4e52068c04e043092daf55f7>`__
* Django 1.4 `(patch) <https://github.com/django/django/commit/575f59f9bc7c59a5e41a081d1f5f55fc859c5012>`__
November 24, 2015 - CVE-2015-8213
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
`CVE-2015-8213 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8213&cid=2>`_:
Settings leak possibility in ``date`` template filter.
`Full description <https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/>`__
Versions affected
-----------------
* Django 1.8 `(patch) <https://github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991>`__
* Django 1.7 `(patch) <https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172>`__