Minor edits to latest release notes.

This commit is contained in:
Tim Graham 2014-05-15 07:11:29 -04:00
parent 597ab3ce98
commit 860d31ac7a
3 changed files with 24 additions and 23 deletions

View File

@ -1,18 +1,18 @@
========================== ===========================
Django 1.4.13 release notes Django 1.4.13 release notes
========================== ===========================
*May 13, 2014* *May 14, 2014*
Django 1.4.13 fixes two security issues in 1.4.12. Django 1.4.13 fixes two security issues in 1.4.12.
Caches may incorrectly be allowed to store and serve private data Caches may incorrectly be allowed to store and serve private data
================================================================= =================================================================
In certain situations, Django may allow caches to store private data In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests related to a particular session and then serve that data to requests
with a different session, or no session at all. This can both lead to with a different session, or no session at all. This can lead to
information disclosure, and can be a vector for cache poisoning. information disclosure and can be a vector for cache poisoning.
When using Django sessions, Django will set a ``Vary: Cookie`` header to When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions. ensure caches do not serve cached data to requests from other sessions.
@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
types. Therefore, Django would remove the header if the request was made by types. Therefore, Django would remove the header if the request was made by
Internet Explorer. Internet Explorer.
To remedy this, the special behaviour for these older Internet Explorer versions To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response. has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
requests with a ``Content-Disposition`` header, have also been removed as they requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues. were found to have similar issues.
Malformed redirect URLs from user input not correctly validated Malformed redirect URLs from user input not correctly validated
=============================================================== ===============================================================
The validation for redirects did not correctly validate some malformed URLs, The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly. an unsafe URL unexpectedly.

View File

@ -2,17 +2,17 @@
Django 1.5.8 release notes Django 1.5.8 release notes
========================== ==========================
*May 13, 2014* *May 14, 2014*
Django 1.5.8 fixes two security issues in 1.5.8.
Django 1.5.8 fixes two security issues in 1.5.8.
Caches may incorrectly be allowed to store and serve private data Caches may incorrectly be allowed to store and serve private data
================================================================= =================================================================
In certain situations, Django may allow caches to store private data In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests related to a particular session and then serve that data to requests
with a different session, or no session at all. This can both lead to with a different session, or no session at all. This can lead to
information disclosure, and can be a vector for cache poisoning. information disclosure and can be a vector for cache poisoning.
When using Django sessions, Django will set a ``Vary: Cookie`` header to When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions. ensure caches do not serve cached data to requests from other sessions.
@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
types. Therefore, Django would remove the header if the request was made by types. Therefore, Django would remove the header if the request was made by
Internet Explorer. Internet Explorer.
To remedy this, the special behaviour for these older Internet Explorer versions To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response. has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
requests with a ``Content-Disposition`` header, have also been removed as they requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues. were found to have similar issues.
Malformed redirect URLs from user input not correctly validated Malformed redirect URLs from user input not correctly validated
=============================================================== ===============================================================
The validation for redirects did not correctly validate some malformed URLs, The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly. an unsafe URL unexpectedly.

View File

@ -4,14 +4,15 @@ Django 1.6.5 release notes
*May 14, 2014* *May 14, 2014*
Django 1.6.5 fixes two security issues and several several bugs in 1.6.4. Django 1.6.5 fixes two security issues and several bugs in 1.6.4.
Issue: Caches may incorrectly be allowed to store and serve private data Issue: Caches may incorrectly be allowed to store and serve private data
======================================================================== ========================================================================
In certain situations, Django may allow caches to store private data In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests related to a particular session and then serve that data to requests
with a different session, or no session at all. This can both lead to with a different session, or no session at all. This can lead to
information disclosure, and can be a vector for cache poisoning. information disclosure and can be a vector for cache poisoning.
When using Django sessions, Django will set a ``Vary: Cookie`` header to When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions. ensure caches do not serve cached data to requests from other sessions.
@ -21,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
types. Therefore, Django would remove the header if the request was made by types. Therefore, Django would remove the header if the request was made by
Internet Explorer. Internet Explorer.
To remedy this, the special behaviour for these older Internet Explorer versions To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response. has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
requests with a ``Content-Disposition`` header, have also been removed as they requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues. were found to have similar issues.
Issue: Malformed redirect URLs from user input not correctly validated Issue: Malformed redirect URLs from user input not correctly validated
====================================================================== ======================================================================
The validation for redirects did not correctly validate some malformed URLs, The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly. an unsafe URL unexpectedly.