Loading docs/releases/1.4.13.txt +9 −9 Original line number Diff line number Diff line ========================== =========================== Django 1.4.13 release notes ========================== =========================== *May 13, 2014* *May 14, 2014* Django 1.4.13 fixes two security issues in 1.4.12. Caches may incorrectly be allowed to store and serve private data ================================================================= In certain situations, Django may allow caches to store private data related to a particular session and then serve that data to requests with a different session, or no session at all. This can both lead to information disclosure, and can be a vector for cache poisoning. with a different session, or no session at all. This can lead to information disclosure and can be a vector for cache poisoning. When using Django sessions, Django will set a ``Vary: Cookie`` header to ensure caches do not serve cached data to requests from other sessions. Loading 
@@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server types. Therefore, Django would remove the header if the request was made by Internet Explorer. To remedy this, the special behaviour for these older Internet Explorer versions To remedy this, the special behavior for these older Internet Explorer versions has been removed, and the ``Vary`` header is no longer stripped from the response. In addition, modifications to the ``Cache-Control`` header for all Internet Explorer requests with a ``Content-Disposition`` header, have also been removed as they requests with a ``Content-Disposition`` header have also been removed as they were found to have similar issues. Malformed redirect URLs from user input not correctly validated =============================================================== The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. Loading docs/releases/1.5.8.txt +8 −8 Original line number Diff line number Diff line Loading @@ -2,17 +2,17 @@ Django 1.5.8 release notes ========================== *May 13, 2014* *May 14, 2014* Django 1.5.8 fixes two security issues in 1.5.8. Caches may incorrectly be allowed to store and serve private data ================================================================= In certain situations, Django may allow caches to store private data related to a particular session and then serve that data to requests with a different session, or no session at all. This can both lead to information disclosure, and can be a vector for cache poisoning. with a different session, or no session at all. This can lead to information disclosure and can be a vector for cache poisoning. When using Django sessions, Django will set a ``Vary: Cookie`` header to ensure caches do not serve cached data to requests from other sessions. Loading 
@@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server types. Therefore, Django would remove the header if the request was made by Internet Explorer. To remedy this, the special behaviour for these older Internet Explorer versions To remedy this, the special behavior for these older Internet Explorer versions has been removed, and the ``Vary`` header is no longer stripped from the response. In addition, modifications to the ``Cache-Control`` header for all Internet Explorer requests with a ``Content-Disposition`` header, have also been removed as they requests with a ``Content-Disposition`` header have also been removed as they were found to have similar issues. Malformed redirect URLs from user input not correctly validated =============================================================== The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. Loading Loading
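Review bot: in the first hunk of docs/releases/1.4.13.txt, the date change from *May 13, 2014* to *May 14, 2014* needs to match the actual announcement date, and the same date line is edited in docs/releases/1.5.8.txt in this PR, so both files must stay in sync. Lengthening the title overline and underline from 26 to 27 ``=`` characters to match the width of "Django 1.4.13 release notes" is correct reStructuredText; docutils warns on a title underline that is shorter than the title.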
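Review bot: in the @@ -22,15 hunk of docs/releases/1.4.13.txt, "behaviour" to "behavior" keeps the file consistent with the American spelling used elsewhere in Django's docs, and dropping the stray comma in "requests with a ``Content-Disposition`` header, have also been removed" fixes the grammar; no substantive change. Since this hunk is already rewording this paragraph, the unchanged context line "Therefore, Django would remove the header if the request was made by Internet Explorer." could be made unambiguously past tense ("used to remove") so it is clear it describes the behavior before this fix.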
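Review bot: in the @@ -2,17 hunk of docs/releases/1.5.8.txt, the unchanged context line "Django 1.5.8 fixes two security issues in 1.5.8." is wrong and is left as-is: it should read "in 1.5.7", the previous release, mirroring "Django 1.4.13 fixes two security issues in 1.4.12." in docs/releases/1.4.13.txt. This hunk is already touching the date and the line wrapping immediately around that sentence, so fold the correction into this change.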
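Review bot: the @@ -22,15 hunk of docs/releases/1.5.8.txt makes the same spelling and comma changes as the corresponding hunk in docs/releases/1.4.13.txt, which is right since the two files carry identical section text. The "Malformed redirect URLs from user input not correctly validated" section kept as trailing context is the same in both files, so any later wording fix to it should also be applied to both.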