diff --git a/docs/releases/1.4.13.txt b/docs/releases/1.4.13.txt new file mode 100644 index 00000000000..bcbe460af5b --- /dev/null +++ b/docs/releases/1.4.13.txt 
@@ -0,0 +1,47 @@ +========================== +Django 1.4.13 release notes +========================== + +*May 13, 2014* + +Django 1.4.13 fixes two security issues in 1.4.12. + + +Caches may incorrectly be allowed to store and serve private data +================================================================= +In certain situations, Django may allow caches to store private data +related to a particular session and then serve that data to requests +with a different session, or no session at all. This can both lead to +information disclosure, and can be a vector for cache poisoning. + +When using Django sessions, Django will set a ``Vary: Cookie`` header to +ensure caches do not serve cached data to requests from other sessions. +However, older versions of Internet Explorer (most likely only Internet +Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server +2003) are unable to handle the ``Vary`` header in combination with many content +types. Therefore, Django would remove the header if the request was made by +Internet Explorer. + +To remedy this, the special behaviour for these older Internet Explorer versions +has been removed, and the ``Vary`` header is no longer stripped from the response. +In addition, modifications to the ``Cache-Control`` header for all Internet Explorer +requests with a ``Content-Disposition`` header, have also been removed as they +were found to have similar issues. + + +Malformed redirect URLs from user input not correctly validated +=============================================================== +The validation for redirects did not correctly validate some malformed URLs, +which are accepted by some browsers. This allows a user to be redirected to +an unsafe URL unexpectedly. + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and +:doc:`i18n `) to redirect the user to an "on success" URL. 
+The security checks for these redirects (namely +``django.util.http.is_safe_url()``) did not correctly validate some malformed +URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers +with more liberal URL parsing. + +To remedy this, the validation in ``is_safe_url()`` has been tightened to be able +to handle and correctly validate these malformed URLs. diff --git a/docs/releases/1.5.8.txt b/docs/releases/1.5.8.txt new file mode 100644 index 00000000000..0fe3c95f627 --- /dev/null +++ b/docs/releases/1.5.8.txt 
@@ -0,0 +1,47 @@ +========================== +Django 1.5.8 release notes +========================== + +*May 13, 2014* + +Django 1.5.8 fixes two security issues in 1.5.8. + + +Caches may incorrectly be allowed to store and serve private data +================================================================= +In certain situations, Django may allow caches to store private data +related to a particular session and then serve that data to requests +with a different session, or no session at all. This can both lead to +information disclosure, and can be a vector for cache poisoning. + +When using Django sessions, Django will set a ``Vary: Cookie`` header to +ensure caches do not serve cached data to requests from other sessions. +However, older versions of Internet Explorer (most likely only Internet +Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server +2003) are unable to handle the ``Vary`` header in combination with many content +types. Therefore, Django would remove the header if the request was made by +Internet Explorer. + +To remedy this, the special behaviour for these older Internet Explorer versions +has been removed, and the ``Vary`` header is no longer stripped from the response. +In addition, modifications to the ``Cache-Control`` header for all Internet Explorer +requests with a ``Content-Disposition`` header, have also been removed as they +were found to have similar issues. + + +Malformed redirect URLs from user input not correctly validated +=============================================================== +The validation for redirects did not correctly validate some malformed URLs, +which are accepted by some browsers. This allows a user to be redirected to +an unsafe URL unexpectedly. + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and +:doc:`i18n `) to redirect the user to an "on success" URL. 
+The security checks for these redirects (namely +``django.util.http.is_safe_url()``) did not correctly validate some malformed +URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers +with more liberal URL parsing. + +To remedy this, the validation in ``is_safe_url()`` has been tightened to be able +to handle and correctly validate these malformed URLs. diff --git a/docs/releases/1.6.5.txt b/docs/releases/1.6.5.txt index 674e3d2ee9f..5e650d1eb31 100644 --- a/docs/releases/1.6.5.txt +++ b/docs/releases/1.6.5.txt 
@@ -2,9 +2,48 @@ Django 1.6.5 release notes ========================== -*Under development* +*May 14, 2014* -Django 1.6.5 fixes several bugs in 1.6.4. +Django 1.6.5 fixes two security issues and several several bugs in 1.6.4. + +Issue: Caches may incorrectly be allowed to store and serve private data +======================================================================== +In certain situations, Django may allow caches to store private data +related to a particular session and then serve that data to requests +with a different session, or no session at all. This can both lead to +information disclosure, and can be a vector for cache poisoning. + +When using Django sessions, Django will set a ``Vary: Cookie`` header to +ensure caches do not serve cached data to requests from other sessions. +However, older versions of Internet Explorer (most likely only Internet +Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server +2003) are unable to handle the ``Vary`` header in combination with many content +types. Therefore, Django would remove the header if the request was made by +Internet Explorer. + +To remedy this, the special behaviour for these older Internet Explorer versions +has been removed, and the ``Vary`` header is no longer stripped from the response. +In addition, modifications to the ``Cache-Control`` header for all Internet Explorer +requests with a ``Content-Disposition`` header, have also been removed as they +were found to have similar issues. + + +Issue: Malformed redirect URLs from user input not correctly validated +====================================================================== +The validation for redirects did not correctly validate some malformed URLs, +which are accepted by some browsers. This allows a user to be redirected to +an unsafe URL unexpectedly. + +Django relies on user input in some cases (e.g. 
+:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and +:doc:`i18n `) to redirect the user to an "on success" URL. +The security checks for these redirects (namely +``django.util.http.is_safe_url()``) did not correctly validate some malformed +URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers +with more liberal URL parsing. + +To remedy this, the validation in ``is_safe_url()`` has been tightened to be able +to handle and correctly validate these malformed URLs. Bugfixes ======== diff --git a/docs/releases/index.txt b/docs/releases/index.txt index c3b8fa56799..3e5ad7eb6fd 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -34,6 +34,7 @@ Final releases .. toctree:: :maxdepth: 1 + 1.5.8 1.5.7 1.5.6 1.5.5 @@ -48,6 +49,7 @@ Final releases .. toctree:: :maxdepth: 1 + 1.4.13 1.4.12 1.4.11 1.4.10
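Review bot: The new docs/releases/1.4.13.txt names the redirect check as ``django.util.http.is_safe_url()``; the module is ``django.utils.http``, so the path should read ``django.utils.http.is_safe_url()``. In the same paragraph the sample URL `http:\\\\\\djangoproject.com` is wrapped in single backticks, which reST treats as interpreted text in which backslashes act as escape characters, so the example will not render as written; use a double-backtick inline literal (``http:\\\\\\djangoproject.com``). The ``:doc:`i18n ``` reference also appears with no document target after the label in this hunk; verify that the intended path survives in the committed file.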
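Review bot: The summary line in docs/releases/1.5.8.txt reads "Django 1.5.8 fixes two security issues in 1.5.8."; a release cannot fix issues in itself, and the preceding release in the 1.5 series is 1.5.7 (the entry directly below the new one in the index.txt toctree in this same patch), so it should read "in 1.5.7". The file otherwise duplicates 1.4.13.txt verbatim and carries the same ``django.util.http`` module-path typo and the same single-backtick `http:\\\\\\djangoproject.com` literal, so both fixes need to be applied in this copy as well.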
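Review bot: In docs/releases/1.6.5.txt, "fixes two security issues and several several bugs in 1.6.4" repeats "several". The release date added here is *May 14, 2014* while the 1.4.13 and 1.5.8 notes in this same patch say *May 13, 2014*; if the three releases were issued together, align the dates. The two new headings are prefixed "Issue: " whereas the identical sections in the 1.4.13 and 1.5.8 files are not; pick one form for all three. The ``django.util.http`` path and the single-backtick URL literal flagged for the other two files are also present in this copy.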