From 2be1bdcfd05b3517370abb2601eaf89929d592a4 Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Tue, 24 Nov 2015 14:05:09 -0500
Subject: [PATCH] [1.8.x] Backported the latest version of the security issue
 archive.

---
 docs/releases/security.txt | 213 +++++++++++++++++++++++++++++--------
 1 file changed, 168 insertions(+), 45 deletions(-)

diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index 0c5e859831..f6f2534baa 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -42,7 +42,7 @@ issued at the time and CVEs may not have been assigned.
 August 16, 2006 - CVE-2007-0404
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
+`CVE-2007-0404 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
 
 Versions affected
 -----------------
@@ -54,7 +54,7 @@ Versions affected
 January 21, 2007 - CVE-2007-0405
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
+`CVE-2007-0405 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
 
 Versions affected
 -----------------
@@ -70,7 +70,7 @@ security process. These are listed below.
 October 26, 2007 - CVE-2007-5712
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
+`CVE-2007-5712 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
 
 Versions affected
 -----------------
@@ -82,7 +82,7 @@ Versions affected
 May 14, 2008 - CVE-2008-2302
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
+`CVE-2008-2302 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
 
 Versions affected
 -----------------
@@ -94,7 +94,7 @@ Versions affected
 September 2, 2008 - CVE-2008-3909
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
+`CVE-2008-3909 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
 
 Versions affected
 -----------------
@@ -106,7 +106,7 @@ Versions affected
 July 28, 2009 - CVE-2009-2659
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
+`CVE-2009-2659 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
 
 Versions affected
 -----------------
@@ -117,7 +117,7 @@ Versions affected
 October 9, 2009 - CVE-2009-3965
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
+`CVE-2009-3965 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
 
 Versions affected
 -----------------
@@ -128,7 +128,7 @@ Versions affected
 September 8, 2010 - CVE-2010-3082
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
+`CVE-2010-3082 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
 
 Versions affected
 -----------------
@@ -138,7 +138,7 @@ Versions affected
 December 22, 2010 - CVE-2010-4534
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
+`CVE-2010-4534 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
 
 Versions affected
 -----------------
@@ -149,7 +149,7 @@ Versions affected
 December 22, 2010 - CVE-2010-4535
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
+`CVE-2010-4535 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
 
 Versions affected
 -----------------
@@ -160,7 +160,7 @@ Versions affected
 February 8, 2011 - CVE-2011-0696
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
+`CVE-2011-0696 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
 
 Versions affected
 -----------------
@@ -171,7 +171,7 @@ Versions affected
 February 8, 2011 - CVE-2011-0697
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
+`CVE-2011-0697 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
 
 Versions affected
 -----------------
@@ -182,7 +182,7 @@ Versions affected
 February 8, 2011 - CVE-2011-0698
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
+`CVE-2011-0698 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
 
 Versions affected
 -----------------
@@ -193,7 +193,7 @@ Versions affected
 September 9, 2011 - CVE-2011-4136
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+`CVE-2011-4136 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -204,7 +204,7 @@ Versions affected
 September 9, 2011 - CVE-2011-4137
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+`CVE-2011-4137 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -215,7 +215,7 @@ Versions affected
 September 9, 2011 - CVE-2011-4138
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+`CVE-2011-4138 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -226,7 +226,7 @@ Versions affected
 September 9, 2011 - CVE-2011-4139
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+`CVE-2011-4139 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -237,7 +237,7 @@ Versions affected
 September 9, 2011 - CVE-2011-4140
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header.  `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+`CVE-2011-4140 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header.  `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -250,7 +250,7 @@ This notification was an advisory only, so no patches were issued.
 July 30, 2012 - CVE-2012-3442
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
+`CVE-2012-3442 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -261,7 +261,7 @@ Versions affected
 July 30, 2012 - CVE-2012-3443
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
+`CVE-2012-3443 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -272,7 +272,7 @@ Versions affected
 July 30, 2012 - CVE-2012-3444
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
+`CVE-2012-3444 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -283,7 +283,7 @@ Versions affected
 October 17, 2012 - CVE-2012-4520
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
+`CVE-2012-4520 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
 
 Versions affected
 -----------------
@@ -327,7 +327,7 @@ Versions affected
 February 19, 2013 - CVE-2013-1664/1665
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
+`CVE-2013-1664 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
 
 Versions affected
 -----------------
@@ -338,7 +338,7 @@ Versions affected
 February 19, 2013 - CVE-2013-0305
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log.  `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
+`CVE-2013-0305 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log.  `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
 
 Versions affected
 -----------------
@@ -349,7 +349,7 @@ Versions affected
 February 19, 2013 - CVE-2013-0306
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
+`CVE-2013-0306 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
 
 Versions affected
 -----------------
@@ -357,20 +357,20 @@ Versions affected
 * Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__
 * Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__
 
-August 13, 2013 - Awaiting CVE 1
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+August 13, 2013 - CVE-2013-4249
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-(CVE not yet issued): XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
+`CVE-2013-4249 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4249&cid=2>`_: XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
 
 Versions affected
 -----------------
 
 * Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
 
-August 13, 2013 - Awaiting CVE 2
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+August 13, 2013 - CVE-2013-6044
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-(CVE not yet issued): Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
+`CVE-2013-6044 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6044&cid=2>`_: Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -381,7 +381,7 @@ Versions affected
 September 10, 2013 - CVE-2013-4315
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
+`CVE-2013-4315 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -403,7 +403,7 @@ Versions affected
 April 21, 2014 - CVE-2014-0472
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-0472 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472&cid=2>`_: Unexpected code execution using ``reverse()``. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
+`CVE-2014-0472 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472&cid=2>`_: Unexpected code execution using ``reverse()``. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
 
 Versions affected
 -----------------
@@ -416,7 +416,7 @@ Versions affected
 April 21, 2014 - CVE-2014-0473
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-0473 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0473&cid=2>`_: Caching of anonymous pages could reveal CSRF token. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
+`CVE-2014-0473 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0473&cid=2>`_: Caching of anonymous pages could reveal CSRF token. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
 
 Versions affected
 -----------------
@@ -429,7 +429,7 @@ Versions affected
 April 21, 2014 - CVE-2014-0474
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-0474 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474&cid=2>`_: MySQL typecasting causes unexpected query results. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
+`CVE-2014-0474 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474&cid=2>`_: MySQL typecasting causes unexpected query results. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`__
 
 Versions affected
 -----------------
@@ -442,7 +442,7 @@ Versions affected
 May 18, 2014 - CVE-2014-1418
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-1418 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1418&cid=2>`_: Caches may be allowed to store and serve private data. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
+`CVE-2014-1418 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1418&cid=2>`_: Caches may be allowed to store and serve private data. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -455,7 +455,7 @@ Versions affected
 May 18, 2014 - CVE-2014-3730
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-3730 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3730&cid=2>`_: Malformed URLs from user input incorrectly validated. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
+`CVE-2014-3730 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3730&cid=2>`_: Malformed URLs from user input incorrectly validated. `Full description <https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/>`__
 
 Versions affected
 -----------------
@@ -468,7 +468,7 @@ Versions affected
 August 20, 2014 - CVE-2014-0480
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-0480 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0480&cid=2>`_: reverse() can generate URLs pointing to other hosts. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
+`CVE-2014-0480 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0480&cid=2>`_: reverse() can generate URLs pointing to other hosts. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
 
 Versions affected
 -----------------
@@ -481,7 +481,7 @@ Versions affected
 August 20, 2014 - CVE-2014-0481
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-0481 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0481&cid=2>`_: File upload denial of service. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
+`CVE-2014-0481 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0481&cid=2>`_: File upload denial of service. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
 
 Versions affected
 -----------------
@@ -494,7 +494,7 @@ Versions affected
 August 20, 2014 - CVE-2014-0482
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-0482 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0482&cid=2>`_: RemoteUserMiddleware session hijacking. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
+`CVE-2014-0482 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0482&cid=2>`_: RemoteUserMiddleware session hijacking. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
 
 Versions affected
 -----------------
@@ -507,7 +507,7 @@ Versions affected
 August 20, 2014 - CVE-2014-0483
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2014-0483 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0483&cid=2>`_: Data leakage via querystring manipulation in admin. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
+`CVE-2014-0483 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0483&cid=2>`_: Data leakage via querystring manipulation in admin. `Full description <https://www.djangoproject.com/weblog/2014/aug/20/security/>`__
 
 Versions affected
 -----------------
@@ -520,7 +520,7 @@ Versions affected
 January 13, 2015 - CVE-2015-0219
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2015-0219 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0219&cid=2>`_:
+`CVE-2015-0219 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0219&cid=2>`_:
 WSGI header spoofing via underscore/dash conflation.
 `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
 
@@ -534,7 +534,7 @@ Versions affected
 January 13, 2015 - CVE-2015-0220
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2015-0220 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0220&cid=2>`_: Mitigated possible XSS attack via user-supplied redirect URLs. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
+`CVE-2015-0220 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0220&cid=2>`_: Mitigated possible XSS attack via user-supplied redirect URLs. `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
 
 Versions affected
 -----------------
@@ -546,7 +546,7 @@ Versions affected
 January 13, 2015 - CVE-2015-0221
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2015-0221 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0221&cid=2>`_:
+`CVE-2015-0221 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0221&cid=2>`_:
 Denial-of-service attack against ``django.views.static.serve()``.
 `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
 
@@ -560,7 +560,7 @@ Versions affected
 January 13, 2015 - CVE-2015-0222
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-`CVE-2015-0222 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0222&cid=2>`_:
+`CVE-2015-0222 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0222&cid=2>`_:
 Database denial-of-service with ``ModelMultipleChoiceField``.
 `Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>`__
 
@@ -569,3 +569,126 @@ Versions affected
 
 * Django 1.6 `(patch) <https://github.com/django/django/commit/d7a06ee7e571b6dad07c0f5b519b1db02e2a476c>`__
 * Django 1.7 `(patch) <https://github.com/django/django/commit/bcfb47780ce7caecb409a9e9c1c314266e41d392>`__
+
+March 9, 2015 - CVE-2015-2241
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-2241 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2241&cid=2>`_:
+XSS attack via properties in ``ModelAdmin.readonly_fields``.
+`Full description <https://www.djangoproject.com/weblog/2015/mar/09/security-releases/>`__
+
+Versions affected
+-----------------
+
+* Django 1.7 `(patch) <https://github.com/django/django/commit/d16e4e1d6f95e6f46bff53cc4fd0ab398b8e5059>`__
+* Django 1.8 `(patch) <https://github.com/django/django/commit/2654e1b93923bac55f12b4e66c5e39b16695ace5>`_
+
+March 18, 2015 - CVE-2015-2316
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-2316 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2316&cid=2>`_:
+Denial-of-service possibility with ``strip_tags()``.
+`Full description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__
+
+Versions affected
+-----------------
+
+* Django 1.6 `(patch) <https://github.com/django/django/commit/b6b3cb9899214a23ebb0f4ebf0e0b300b0ee524f>`__
+* Django 1.7 `(patch) <https://github.com/django/django/commit/e63363f8e075fa8d66326ad6a1cc3391cc95cd97>`__
+* Django 1.8 `(patch) <https://github.com/django/django/commit/5447709a571cd5d95971f1d5d21d4a7edcf85bbd>`__
+
+March 18, 2015 - CVE-2015-2317
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-2317 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2317&cid=2>`_:
+Mitigated possible XSS attack via user-supplied redirect URLs.
+`Full description <https://www.djangoproject.com/weblog/2015/mar/18/security-releases/>`__
+
+Versions affected
+-----------------
+
+* Django 1.4 `(patch) <https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b>`__
+* Django 1.6 `(patch) <https://github.com/django/django/commit/5510f070711540aaa8d3707776cd77494e688ef9>`__
+* Django 1.7 `(patch) <https://github.com/django/django/commit/2a4113dbd532ce952308992633d802dc169a75f1>`__
+* Django 1.8 `(patch) <https://github.com/django/django/commit/770427c2896a078925abfca2317486b284d22f04>`__
+
+May 20, 2015 - CVE-2015-3982
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-3982 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3982&cid=2>`_:
+Fixed session flushing in the cached_db backend.
+`Full description <https://www.djangoproject.com/weblog/2015/may/20/security-release/>`__
+
+Versions affected
+-----------------
+
+* Django 1.8 `(patch) <https://github.com/django/django/commit/31cb25adecba930bdeee4556709f5a1c42d88fd6>`__
+
+July 8, 2015 - CVE-2015-5143
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-5143 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5143&cid=2>`_:
+Denial-of-service possibility by filling session store.
+`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
+
+Versions affected
+-----------------
+
+* Django 1.8 `(patch) <https://github.com/django/django/commit/66d12d1ababa8f062857ee5eb43276493720bf16>`__
+* Django 1.7 `(patch) <https://github.com/django/django/commit/1828f4341ec53a8684112d24031b767eba557663>`__
+* Django 1.4 `(patch) <https://github.com/django/django/commit/2e47f3e401c29bc2ba5ab794d483cb0820855fb9>`__
+
+July 8, 2015 - CVE-2015-5144
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-5144 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5144&cid=2>`_:
+Header injection possibility since validators accept newlines in input.
+`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
+
+Versions affected
+-----------------
+
+* Django 1.8 `(patch) <https://github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0>`__
+* Django 1.7 `(patch) <https://github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649>`__
+* Django 1.4 `(patch) <https://github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a>`__
+
+July 8, 2015 - CVE-2015-5145
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-5145 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5145&cid=2>`_:
+Denial-of-service possibility in URL validation.
+`Full description <https://www.djangoproject.com/weblog/2015/jul/08/security-releases/>`__
+
+Versions affected
+-----------------
+
+* Django 1.8 `(patch) <https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c>`__
+
+August 18, 2015 - CVE-2015-5963/CVE-2015-5964
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-5963 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5963&cid=2>`_
+and
+`CVE-2015-5964 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5964&cid=2>`_:
+Denial-of-service possibility in ``logout()`` view by filling session store.
+`Full description <https://www.djangoproject.com/weblog/2015/aug/18/security-releases/>`__
+
+Versions affected
+-----------------
+
+* Django 1.8 `(patch) <https://github.com/django/django/commit/2eb86b01d7b59be06076f6179a454d0fd0afaff6>`__
+* Django 1.7 `(patch) <https://github.com/django/django/commit/2f5485346ee6f84b4e52068c04e043092daf55f7>`__
+* Django 1.4 `(patch) <https://github.com/django/django/commit/575f59f9bc7c59a5e41a081d1f5f55fc859c5012>`__
+
+November 24, 2015 - CVE-2015-8213
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+`CVE-2015-8213 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8213&cid=2>`_:
+Settings leak possibility in ``date`` template filter.
+`Full description <https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/>`__
+
+Versions affected
+-----------------
+
+* Django 1.8 `(patch) <https://github.com/django/django/commit/9f83fc2f66f5a0bac7c291aec55df66050bb6991>`__
+* Django 1.7 `(patch) <https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172>`__