Minor edits to latest release notes.
This commit is contained in:
parent
597ab3ce98
commit
860d31ac7a
|
@ -1,18 +1,18 @@
|
||||||
==========================
|
===========================
|
||||||
Django 1.4.13 release notes
|
Django 1.4.13 release notes
|
||||||
==========================
|
===========================
|
||||||
|
|
||||||
*May 13, 2014*
|
*May 14, 2014*
|
||||||
|
|
||||||
Django 1.4.13 fixes two security issues in 1.4.12.
|
Django 1.4.13 fixes two security issues in 1.4.12.
|
||||||
|
|
||||||
|
|
||||||
Caches may incorrectly be allowed to store and serve private data
|
Caches may incorrectly be allowed to store and serve private data
|
||||||
=================================================================
|
=================================================================
|
||||||
|
|
||||||
In certain situations, Django may allow caches to store private data
|
In certain situations, Django may allow caches to store private data
|
||||||
related to a particular session and then serve that data to requests
|
related to a particular session and then serve that data to requests
|
||||||
with a different session, or no session at all. This can both lead to
|
with a different session, or no session at all. This can lead to
|
||||||
information disclosure, and can be a vector for cache poisoning.
|
information disclosure and can be a vector for cache poisoning.
|
||||||
|
|
||||||
When using Django sessions, Django will set a ``Vary: Cookie`` header to
|
When using Django sessions, Django will set a ``Vary: Cookie`` header to
|
||||||
ensure caches do not serve cached data to requests from other sessions.
|
ensure caches do not serve cached data to requests from other sessions.
|
||||||
|
@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
|
||||||
types. Therefore, Django would remove the header if the request was made by
|
types. Therefore, Django would remove the header if the request was made by
|
||||||
Internet Explorer.
|
Internet Explorer.
|
||||||
|
|
||||||
To remedy this, the special behaviour for these older Internet Explorer versions
|
To remedy this, the special behavior for these older Internet Explorer versions
|
||||||
has been removed, and the ``Vary`` header is no longer stripped from the response.
|
has been removed, and the ``Vary`` header is no longer stripped from the response.
|
||||||
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
|
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
|
||||||
requests with a ``Content-Disposition`` header, have also been removed as they
|
requests with a ``Content-Disposition`` header have also been removed as they
|
||||||
were found to have similar issues.
|
were found to have similar issues.
|
||||||
|
|
||||||
|
|
||||||
Malformed redirect URLs from user input not correctly validated
|
Malformed redirect URLs from user input not correctly validated
|
||||||
===============================================================
|
===============================================================
|
||||||
|
|
||||||
The validation for redirects did not correctly validate some malformed URLs,
|
The validation for redirects did not correctly validate some malformed URLs,
|
||||||
which are accepted by some browsers. This allows a user to be redirected to
|
which are accepted by some browsers. This allows a user to be redirected to
|
||||||
an unsafe URL unexpectedly.
|
an unsafe URL unexpectedly.
|
||||||
|
|
|
@ -2,17 +2,17 @@
|
||||||
Django 1.5.8 release notes
|
Django 1.5.8 release notes
|
||||||
==========================
|
==========================
|
||||||
|
|
||||||
*May 13, 2014*
|
*May 14, 2014*
|
||||||
|
|
||||||
Django 1.5.8 fixes two security issues in 1.5.8.
|
|
||||||
|
|
||||||
|
Django 1.5.8 fixes two security issues in 1.5.8.
|
||||||
|
|
||||||
Caches may incorrectly be allowed to store and serve private data
|
Caches may incorrectly be allowed to store and serve private data
|
||||||
=================================================================
|
=================================================================
|
||||||
|
|
||||||
In certain situations, Django may allow caches to store private data
|
In certain situations, Django may allow caches to store private data
|
||||||
related to a particular session and then serve that data to requests
|
related to a particular session and then serve that data to requests
|
||||||
with a different session, or no session at all. This can both lead to
|
with a different session, or no session at all. This can lead to
|
||||||
information disclosure, and can be a vector for cache poisoning.
|
information disclosure and can be a vector for cache poisoning.
|
||||||
|
|
||||||
When using Django sessions, Django will set a ``Vary: Cookie`` header to
|
When using Django sessions, Django will set a ``Vary: Cookie`` header to
|
||||||
ensure caches do not serve cached data to requests from other sessions.
|
ensure caches do not serve cached data to requests from other sessions.
|
||||||
|
@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
|
||||||
types. Therefore, Django would remove the header if the request was made by
|
types. Therefore, Django would remove the header if the request was made by
|
||||||
Internet Explorer.
|
Internet Explorer.
|
||||||
|
|
||||||
To remedy this, the special behaviour for these older Internet Explorer versions
|
To remedy this, the special behavior for these older Internet Explorer versions
|
||||||
has been removed, and the ``Vary`` header is no longer stripped from the response.
|
has been removed, and the ``Vary`` header is no longer stripped from the response.
|
||||||
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
|
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
|
||||||
requests with a ``Content-Disposition`` header, have also been removed as they
|
requests with a ``Content-Disposition`` header have also been removed as they
|
||||||
were found to have similar issues.
|
were found to have similar issues.
|
||||||
|
|
||||||
|
|
||||||
Malformed redirect URLs from user input not correctly validated
|
Malformed redirect URLs from user input not correctly validated
|
||||||
===============================================================
|
===============================================================
|
||||||
|
|
||||||
The validation for redirects did not correctly validate some malformed URLs,
|
The validation for redirects did not correctly validate some malformed URLs,
|
||||||
which are accepted by some browsers. This allows a user to be redirected to
|
which are accepted by some browsers. This allows a user to be redirected to
|
||||||
an unsafe URL unexpectedly.
|
an unsafe URL unexpectedly.
|
||||||
|
|
|
@ -4,14 +4,15 @@ Django 1.6.5 release notes
|
||||||
|
|
||||||
*May 14, 2014*
|
*May 14, 2014*
|
||||||
|
|
||||||
Django 1.6.5 fixes two security issues and several several bugs in 1.6.4.
|
Django 1.6.5 fixes two security issues and several bugs in 1.6.4.
|
||||||
|
|
||||||
Issue: Caches may incorrectly be allowed to store and serve private data
|
Issue: Caches may incorrectly be allowed to store and serve private data
|
||||||
========================================================================
|
========================================================================
|
||||||
|
|
||||||
In certain situations, Django may allow caches to store private data
|
In certain situations, Django may allow caches to store private data
|
||||||
related to a particular session and then serve that data to requests
|
related to a particular session and then serve that data to requests
|
||||||
with a different session, or no session at all. This can both lead to
|
with a different session, or no session at all. This can lead to
|
||||||
information disclosure, and can be a vector for cache poisoning.
|
information disclosure and can be a vector for cache poisoning.
|
||||||
|
|
||||||
When using Django sessions, Django will set a ``Vary: Cookie`` header to
|
When using Django sessions, Django will set a ``Vary: Cookie`` header to
|
||||||
ensure caches do not serve cached data to requests from other sessions.
|
ensure caches do not serve cached data to requests from other sessions.
|
||||||
|
@ -21,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
|
||||||
types. Therefore, Django would remove the header if the request was made by
|
types. Therefore, Django would remove the header if the request was made by
|
||||||
Internet Explorer.
|
Internet Explorer.
|
||||||
|
|
||||||
To remedy this, the special behaviour for these older Internet Explorer versions
|
To remedy this, the special behavior for these older Internet Explorer versions
|
||||||
has been removed, and the ``Vary`` header is no longer stripped from the response.
|
has been removed, and the ``Vary`` header is no longer stripped from the response.
|
||||||
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
|
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
|
||||||
requests with a ``Content-Disposition`` header, have also been removed as they
|
requests with a ``Content-Disposition`` header have also been removed as they
|
||||||
were found to have similar issues.
|
were found to have similar issues.
|
||||||
|
|
||||||
|
|
||||||
Issue: Malformed redirect URLs from user input not correctly validated
|
Issue: Malformed redirect URLs from user input not correctly validated
|
||||||
======================================================================
|
======================================================================
|
||||||
|
|
||||||
The validation for redirects did not correctly validate some malformed URLs,
|
The validation for redirects did not correctly validate some malformed URLs,
|
||||||
which are accepted by some browsers. This allows a user to be redirected to
|
which are accepted by some browsers. This allows a user to be redirected to
|
||||||
an unsafe URL unexpectedly.
|
an unsafe URL unexpectedly.
|
||||||
|
|
Loading…
Reference in New Issue