From a2e25e8a830b1d8b3daa9afb1c2ad4f954bb7d3c Mon Sep 17 00:00:00 2001 From: James Bennett Date: Wed, 18 Sep 2013 23:13:04 -0500 Subject: [PATCH] Fix #21121: Add archive of security issues. --- docs/internals/security.txt | 6 + docs/releases/index.txt | 10 + docs/releases/security.txt | 527 ++++++++++++++++++++++++++++++++++++ 3 files changed, 543 insertions(+) create mode 100644 docs/releases/security.txt diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 327a6a5f603..7451dbdca40 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -1,3 +1,5 @@ +.. _internals-security: + ========================== Django's security policies ========================== @@ -126,6 +128,10 @@ may privately contact and discuss those issues with the appropriate maintainers, and coordinate our own disclosure and resolution with theirs. +The Django team also maintains an :ref:`archive of security issues +disclosed in Django `. + + .. _security-notifications: Who receives advance notification diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 5574ee964f3..33dc780cace 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -112,6 +112,16 @@ Pre-1.0 releases 0.96 0.95 +Security releases +================= + +Whenever a security issue is disclosed via :ref:`Django's security +policies `, appropriate release notes are now +added to all affected release series. + +Additionally, :ref:`an archive of disclosed security issues +` is maintained. + Development releases ==================== diff --git a/docs/releases/security.txt b/docs/releases/security.txt new file mode 100644 index 00000000000..022e240866b --- /dev/null +++ b/docs/releases/security.txt @@ -0,0 +1,527 @@ +.. _security-releases: + +========================== +Archive of security issues +========================== + +Django's development team is strongly committed to responsible +reporting and disclosure of security-related issues, as outlined in +:ref:`Django's security policies `. + +As part of that commitment, we maintain the following historical list +of issues which have been fixed and disclosed. For each issue, the +list below includes the date, a brief description, the `CVE identifier +`_ +if applicable, a list of affected versions, a link to the full +disclosure and links to the appropriate patch(es). + +Some important caveats apply to this information: + +* Lists of affected versions include only those versions of Django + which had stable, security-supported releases at the time of + disclosure. This means older versions (whose security support had + expired) and versions which were in pre-release (alpha/beta/RC) + states at the time of disclosure may have been affected, but are not + listed. + +* The Django project has on occasion issued security advisories, + pointing out potential security problems which can arise from + improper configuration or from other issues outside of Django + itself. Some of these advisories have received CVEs; when that is + the case, they are listed here, but as they have no accompanying + patches or releases, only the description, disclosure and CVE will + be listed. + + +Issues prior to Django's security process +========================================= + +Some security issues were handled before Django had a formalized +security process in use. For these, new releases may not have been +issued at the time and CVEs may not have been assigned. + + +August 16, 2006 +--------------- + +* **Issues:** + + * Filename validation issue in translation framework: `CVE-2007-0404 `_ + +* **Versions affected:** + + * Django 0.90 + + * Django 0.91 + +* `Full description `_ + +* Patch: `unified 0.90/0.91 `_ + + +January 21, 2007 +---------------- + +* **Issues:** + + * Patch CVE-2007-0404 for Django 0.95 + + * Apparent "caching" of authenticated user: `CVE-2007-0405 `_ + +* **Versions affected:** + + * Django 0.95 + +* `Full description `_ + +* **Patches:** + + * `2006-08-26 issue `_ + + * `User caching issue `_ + + + +Issues under Django's security process +====================================== + +All other security issues have been handled under versions of Django's +security process. These are listed below. + + +October 26, 2007 +---------------- + +* **Issues:** + + * Denial-of-service via arbitrarily-large ``Accept-Language`` header: `CVE-2007-5712 `_ + +* **Versions affected:** + + * Django 0.91 + + * Django 0.95 + + * Django 0.96 + +* `Full description `_ + +* **Patches:** + + * `0.91 `_ + + * `0.95 `_ + + * `0.96 `_ + + +May 14, 2008 +------------ + +* **Issues:** + + * XSS via admin login redirect: `CVE-2008-2302 `_ + +* **Versions affected:** + + * Django 0.91 + + * Django 0.95 + + * Django 0.96 + +* `Full description `_ + +* **Patches:** + + * `0.91 `_ + + * `0.95 `_ + + * `0.96 `_ + + +September 2, 2008 +================= + +* **Issues:** + + * CSRF via preservation of POST data during admin login: `CVE-2008-3909 `_ + +* Versions affected + + * Django 0.91 + + * Django 0.95 + + * Django 0.96 + +* `Full description `_ + +* **Patches:** + + * `0.91 `_ + + * `0.95 `_ + + * `0.96 `_ + + +July 28, 2009 +============= + +* **Issues:** + + * Directory-traversal in development server media handler: `CVE-2009-2659 `_ + +* **Versions affected:** + + * Django 0.96 + + * Django 1.0 + +* `Full description `_ + +* **Patches:** + + * `0.96 `_ + + * `1.0 `_ + + +October 9, 2009 +=============== + +* **Issues:** + + * Denial-of-service via pathological regular expression performance: `CVE-2009-3965 `_ + +* **Versions affected:** + + * Django 1.0 + + * Django 1.1 + +* `Full description `_ + +* **Patches:** + + * `1.0 `_ + + * `1.1 `_ + + +September 8, 2010 +================= + +* **Issues:** + + * XSS via trusting unsafe cookie value: `CVE-2010-3082 `_ + +* **Versions affected:** + + * Django 1.2 + +* `Full description `_ + +* **Patches:** + + * `1.2 `_ + + +December 22, 2010 +================= + +* **Issues:** + + * Information leakage in administrative interface: `CVE-2010-4534 `_ + + * Denial-of-service in password-reset mechanism: `CVE-2010-4535 `_ + +* **Versions affected:** + + * Django 1.1 + + * Django 1.2 + +* `Full description `_ + +* **Patches:** + + * `1.1 CVE-2010-4534 `_ + + * `1.1 CVE-2010-4535 `_ + + * `1.2 CVE-2010-4534 `_ + + * `1.2 CVE-2010-4535 `_ + + +February 8, 2011 +================ + +* **Issues:** + + * CSRF via forged HTTP headers: `CVE-2011-0696 `_ + + * XSS via unsanitized names of uploaded files: `CVE-2011-0697 `_ + + * Directory-traversal on Windows via incorrect path-separator handling: `CVE-2011-0698 `_ + +* **Versions affected:** + + * Django 1.1 + + * Django 1.2 + +* `Full description `_ + +* **Patches:** + + * `1.1 CVE-2010-0696 `_ + + * `1.1 CVE-2010-0697 `_ + + * `1.1 CVE-2010-0698 `_ + + * `1.2 CVE-2010-0696 `_ + + * `1.2 CVE-2010-0697 `_ + + * `1.2 CVE-2010-0698 `_ + + +September 9, 2011 +================= + +* **Issues:** + + * Session manipulation when using memory-cache-backed session: `CVE-2011-4136 `_ + + * Denial-of-service via via ``URLField.verify_exists``: `CVE-2011-4137 `_ + + * Information leakage/arbitrary request issuance via ``URLField.verify_exists``: `CVE-2011-4138 `_ + + * ``Host`` header cache poisoning: `CVE-2011-4139 `_ + +* Advisories: + + * Potential CSRF via ``Host`` header: `CVE-2011-4140 `_ + +* **Versions affected:** + + * Django 1.2 + + * Django 1.3 + +* `Full description `_ + +* **Patches:** + + * `1.2 CVE-2011-4136 `_ + + * `1.2 CVE-2011-4137 and CVE-2011-4138 `_ + + * `1.2 CVE-2011-4139 `_ + + * `1.3 CVE-2011-4136 `_ + + * `1.3 CVE-2011-4137 and CVE-2011-4138 `_ + + * `1.3 CVE-2011-4139 `_ + + +July 30, 2012 +============= + +* **Issues:** + + * XSS via failure to validate redirect scheme: `CVE-2012-3442 `_ + + * Denial-of-service via compressed image files: `CVE-2012-3443 `_ + + * Denial-of-service via large image viles: `CVE-2012-3444 `_ + +* **Versions affected:** + + * Django 1.3 + + * Django 1.4 + +* `Full description `_ + +* **Patches:** + + * `1.3 CVE-2012-3442 `_ + + * `1.3 CVE-2012-3443 `_ + + * `1.3 CVE-2012-3444 `_ + + * `1.4 CVE-2012-3442 `_ + + * `1.4 CVE-2012-3443 `_ + + * `1.4 CVE-2012-3444 `_ + + +October 17, 2012 +================ + +* **Issues:** + + * ``Host`` header poisoning: `CVE-2012-4520 `_ + +* **Patches:** + + * `1.3 `_ + + * `1.4 `_ + + +December 10, 2012 +================= + +* **Issues:** + + * Additional hardening of ``Host`` header handling (no CVE issued) + + * Additional hardening of redirect validation (no CVE issued) + +* **Versions affected:** + + * Django 1.3 + + * Django 1.4 + +* `Full description `_ + +* **Patches:** + + * `1.3 Host hardening `_ + + * `1.3 redirect hardening `_ + + * `1.4 Host hardening `_ + + * `1.4 redirect hardning `_ + + +February 19, 2013 +================= + +* **Issues:** + + * Additional hardening of ``Host`` header handling (no CVE issued) + + * Entity-based attacks against Python XML libraries: `CVE-2013-1664 `_ and `CVE-2013-1665 `_ + + * Information leakage via admin history log: `CVE-2013-0305 `_ + + * Denial-of-service via formset ``max_num`` bypass `CVE-2013-0306 `_ + +* **Versions affected:** + + * Django 1.3 + + * Django 1.4 + +* Full description `_ + +* **Patches:** + + * `1.3 Host hardening `_ + + * `1.3 XML attacks `_ + + * `1.3 CVE-2013-0305 `_ + + * `1.3 CVE-2013-0306 `_ + + * `1.4 Host hardening `_ + + * `1.4 XML attacks `_ + + * `1.4 CVE-2013-0305 `_ + + * `1.4 CVE-2013-0306 `_ + + +August 13, 2013 +=============== + +* **Issues:** + + * XSS via admin trusting ``URLField`` values (CVE not yet issued) + + * Possible XSS via unvalidated URL redirect schemes (CVE not yet issued) + +* **Versions affected:** + + * Django 1.4 (redirect scheme issue only) + + * Django 1.5 + +* Full description `_ + +* **Patches:** + + * `1.4 redirect validation `_ + + * `1.5 URLField trusting `_ + + * `1.5 redirect validation `_ + + +September 10, 2013 +================== + +* **Issues:** + + * Directory-traversal via ``ssi`` template tag: `CVE-2013-4315 `_ + +* **Versions affected:** + + * Django 1.4 + + * Django 1.5 + +* `Full description `_ + +* **Patches:** + + * `1.4 CVE-2013-4315 `_ + + * `1.5 CVE-2013-4315 `_ + + +September 14, 2013 +================== + +* **Issues:** + + * Denial-of-service via large passwords: CVE-2013-1443 + +* **Versions affected:** + + * Django 1.4 + + * Django 1.5 + +* `Full description `_ + +* **Patches:** + + * `1.4 CVE-2013-1443 `_ and `Python compatibility fix `_ + + * `1.5 CVE-2013-1443 `_ + + \ No newline at end of file