From 5c65aa924365aeac81d44dd912e68f704fe78cba Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Thu, 15 May 2014 07:11:29 -0400 Subject: [PATCH] [1.5.x] Minor edits to latest release notes. Backport of 860d31ac7a3bdd4b27db8b34b110b3d801ddaf8a from master --- docs/releases/1.4.13.txt | 18 +++++++++--------- docs/releases/1.5.8.txt | 16 ++++++++-------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/docs/releases/1.4.13.txt b/docs/releases/1.4.13.txt index bcbe460af5..978f93580c 100644 --- a/docs/releases/1.4.13.txt +++ b/docs/releases/1.4.13.txt @@ -1,18 +1,18 @@ -========================== +=========================== Django 1.4.13 release notes -========================== +=========================== -*May 13, 2014* +*May 14, 2014* Django 1.4.13 fixes two security issues in 1.4.12. - Caches may incorrectly be allowed to store and serve private data ================================================================= + In certain situations, Django may allow caches to store private data related to a particular session and then serve that data to requests -with a different session, or no session at all. This can both lead to -information disclosure, and can be a vector for cache poisoning. +with a different session, or no session at all. This can lead to +information disclosure and can be a vector for cache poisoning. When using Django sessions, Django will set a ``Vary: Cookie`` header to ensure caches do not serve cached data to requests from other sessions. @@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server types. Therefore, Django would remove the header if the request was made by Internet Explorer. -To remedy this, the special behaviour for these older Internet Explorer versions +To remedy this, the special behavior for these older Internet Explorer versions has been removed, and the ``Vary`` header is no longer stripped from the response. In addition, modifications to the ``Cache-Control`` header for all Internet Explorer -requests with a ``Content-Disposition`` header, have also been removed as they +requests with a ``Content-Disposition`` header have also been removed as they were found to have similar issues. - Malformed redirect URLs from user input not correctly validated =============================================================== + The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. diff --git a/docs/releases/1.5.8.txt b/docs/releases/1.5.8.txt index 0fe3c95f62..16d3db65cd 100644 --- a/docs/releases/1.5.8.txt +++ b/docs/releases/1.5.8.txt @@ -2,17 +2,17 @@ Django 1.5.8 release notes ========================== -*May 13, 2014* - -Django 1.5.8 fixes two security issues in 1.5.8. +*May 14, 2014* +Django 1.5.8 fixes two security issues in 1.5.8. Caches may incorrectly be allowed to store and serve private data ================================================================= + In certain situations, Django may allow caches to store private data related to a particular session and then serve that data to requests -with a different session, or no session at all. This can both lead to -information disclosure, and can be a vector for cache poisoning. +with a different session, or no session at all. This can lead to +information disclosure and can be a vector for cache poisoning. When using Django sessions, Django will set a ``Vary: Cookie`` header to ensure caches do not serve cached data to requests from other sessions. @@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server types. Therefore, Django would remove the header if the request was made by Internet Explorer. -To remedy this, the special behaviour for these older Internet Explorer versions +To remedy this, the special behavior for these older Internet Explorer versions has been removed, and the ``Vary`` header is no longer stripped from the response. In addition, modifications to the ``Cache-Control`` header for all Internet Explorer -requests with a ``Content-Disposition`` header, have also been removed as they +requests with a ``Content-Disposition`` header have also been removed as they were found to have similar issues. - Malformed redirect URLs from user input not correctly validated =============================================================== + The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly.