[1.6.x] Fixed #21121: Added archive of security issues.

Backport of 9d3e60a, 8e134c2, 8b3bae9, c65ae7c, bbabc53,
and a2e25e8 from master.
commit 886e876c7230bf2b3364d89f4240d00d8a3ab394 1 parent 091ae7f
Russell Keith-Magee authored September 19, 2013
1  docs/index.txt
@@ -211,6 +211,7 @@ Security is a topic of paramount importance in the development of Web
211 211
 applications and Django provides multiple protection tools and mechanisms:
212 212
 
213 213
 * :doc:`Security overview <topics/security>`
  214
+* :doc:`Disclosed security issues in Django <releases/security>`
214 215
 * :doc:`Clickjacking protection <ref/clickjacking>`
215 216
 * :doc:`Cross Site Request Forgery protection <ref/contrib/csrf>`
216 217
 * :doc:`Cryptographic signing <topics/signing>`
6  docs/internals/security.txt
@@ -1,3 +1,5 @@
  1
+.. _internals-security:
  2
+
1 3
 ==========================
2 4
 Django's security policies
3 5
 ==========================
@@ -124,6 +126,10 @@ may privately contact and discuss those issues with the appropriate
124 126
 maintainers, and coordinate our own disclosure and resolution with
125 127
 theirs.
126 128
 
  129
+The Django team also maintains an :doc:`archive of security issues
  130
+disclosed in Django</releases/security>`.
  131
+
  132
+
127 133
 .. _security-notifications:
128 134
 
129 135
 Who receives advance notification
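Review bot: the new paragraph (new lines 129-130) is followed by two blank `+` lines (131-132) before `.. _security-notifications:`; one blank line is enough and matches the spacing used elsewhere in this file. While here, put a space between the link text and the target, ``disclosed in Django </releases/security>``, to match the other `:doc:` references added in this commit; Sphinx resolves the role without the space, but the explicit form is the one used everywhere else in the patch.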
11  docs/releases/index.txt
@@ -105,6 +105,16 @@ Pre-1.0 releases
105 105
    0.96
106 106
    0.95
107 107
 
  108
+Security releases
  109
+=================
  110
+
  111
+Whenever a security issue is disclosed via :doc:`Django's security
  112
+policies </internals/security>`, appropriate release notes are now
  113
+added to all affected release series.
  114
+
  115
+Additionally, :doc:`an archive of disclosed security issues
  116
+</releases/security>` is maintained.
  117
+
108 118
 Development releases
109 119
 ====================
110 120
 
@@ -115,6 +125,7 @@ notes.
115 125
 .. toctree::
116 126
    :maxdepth: 1
117 127
 
  128
+   security
118 129
    1.5-beta-1
119 130
    1.5-alpha-1
120 131
    1.4-beta-1
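Review bot: `security` (new line 128) is added to the toctree that sits under the `Development releases` heading, so in the rendered navigation the security archive will be listed as a development release alongside 1.5-beta-1 and 1.4-beta-1. The `Security releases` section added in the earlier hunk only references the page with `:doc:`, which does not register it in the document tree. Suggest giving that section its own `.. toctree::` with `:maxdepth: 1` and a single `security` entry, and dropping the entry from this list.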
450  docs/releases/security.txt
@@ -0,0 +1,450 @@
  1
+.. _security-releases:
  2
+
  3
+==========================
  4
+Archive of security issues
  5
+==========================
  6
+
  7
+Django's development team is strongly committed to responsible
  8
+reporting and disclosure of security-related issues, as outlined in
  9
+:doc:`Django's security policies </internals/security>`.
  10
+
  11
+As part of that commitment, we maintain the following historical list
  12
+of issues which have been fixed and disclosed. For each issue, the
  13
+list below includes the date, a brief description, the `CVE identifier
  14
+<http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`_
  15
+if applicable, a list of affected versions, a link to the full
  16
+disclosure and links to the appropriate patch(es).
  17
+
  18
+Some important caveats apply to this information:
  19
+
  20
+* Lists of affected versions include only those versions of Django
  21
+  which had stable, security-supported releases at the time of
  22
+  disclosure. This means older versions (whose security support had
  23
+  expired) and versions which were in pre-release (alpha/beta/RC)
  24
+  states at the time of disclosure may have been affected, but are not
  25
+  listed.
  26
+
  27
+* The Django project has on occasion issued security advisories,
  28
+  pointing out potential security problems which can arise from
  29
+  improper configuration or from other issues outside of Django
  30
+  itself. Some of these advisories have received CVEs; when that is
  31
+  the case, they are listed here, but as they have no accompanying
  32
+  patches or releases, only the description, disclosure and CVE will
  33
+  be listed.
  34
+
  35
+
  36
+Issues prior to Django's security process
  37
+=========================================
  38
+
  39
+Some security issues were handled before Django had a formalized
  40
+security process in use. For these, new releases may not have been
  41
+issued at the time and CVEs may not have been assigned.
  42
+
  43
+
  44
+August 16, 2006 - CVE-2007-0404
  45
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  46
+
  47
+`CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
  48
+
  49
+Versions affected
  50
+-----------------
  51
+
  52
+* Django 0.90 `(patch) <https://github.com/django/django/commit/518d406e53>`__
  53
+
  54
+* Django 0.91 `(patch) <https://github.com/django/django/commit/518d406e53>`__
  55
+
  56
+* Django 0.95 `(patch) <https://github.com/django/django/commit/a132d411c6>`__ (released January 21 2007)
  57
+
  58
+January 21, 2007 - CVE-2007-0405
  59
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  60
+
  61
+`CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
  62
+
  63
+Versions affected
  64
+-----------------
  65
+
  66
+* Django 0.95 `(patch) <https://github.com/django/django/commit/e89f0a6558>`__
  67
+
  68
+Issues under Django's security process
  69
+======================================
  70
+
  71
+All other security issues have been handled under versions of Django's
  72
+security process. These are listed below.
  73
+
  74
+October 26, 2007 - CVE-2007-5712
  75
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  76
+
  77
+`CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
  78
+
  79
+Versions affected
  80
+-----------------
  81
+
  82
+* Django 0.91 `(patch) <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__
  83
+
  84
+* Django 0.95 `(patch) <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__
  85
+
  86
+* Django 0.96 `(patch) <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__
  87
+
  88
+
  89
+May 14, 2008 - CVE-2008-2302
  90
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  91
+
  92
+`CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
  93
+
  94
+Versions affected
  95
+-----------------
  96
+
  97
+* Django 0.91 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
  98
+
  99
+* Django 0.95 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
  100
+
  101
+* Django 0.96 `(patch) <https://github.com/django/django/commit/7791e5c050>`__
  102
+
  103
+
  104
+September 2, 2008 - CVE-2008-3909
  105
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  106
+
  107
+`CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
  108
+
  109
+Versions affected
  110
+-----------------
  111
+
  112
+* Django 0.91 `(patch) <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__
  113
+
  114
+* Django 0.95 `(patch) <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__
  115
+
  116
+* Django 0.96 `(patch) <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__
  117
+
  118
+July 28, 2009 - CVE-2009-2659
  119
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  120
+
  121
+`CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
  122
+
  123
+Versions affected
  124
+-----------------
  125
+
  126
+* Django 0.96 `(patch) <https://github.com/django/django/commit/da85d76fd6>`__
  127
+
  128
+* Django 1.0 `(patch) <https://github.com/django/django/commit/df7f917b7f>`__
  129
+
  130
+October 9, 2009 - CVE-2009-3965
  131
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  132
+
  133
+`CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
  134
+
  135
+Versions affected
  136
+-----------------
  137
+
  138
+* Django 1.0 `(patch) <https://github.com/django/django/commit/594a28a904>`__
  139
+
  140
+* Django 1.1 `(patch) <https://github.com/django/django/commit/e3e992e18b>`__
  141
+
  142
+September 8, 2010 - CVE-2010-3082
  143
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  144
+
  145
+`CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
  146
+
  147
+Versions affected
  148
+-----------------
  149
+
  150
+* Django 1.2 `(patch) <https://github.com/django/django/commit/7f84657b6b>`__
  151
+
  152
+
  153
+December 22, 2010 - CVE-2010-4534
  154
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  155
+
  156
+`CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
  157
+
  158
+Versions affected
  159
+-----------------
  160
+
  161
+* Django 1.1 `(patch) <https://github.com/django/django/commit/17084839fd>`__
  162
+
  163
+* Django 1.2 `(patch) <https://github.com/django/django/commit/85207a245b>`__
  164
+
  165
+December 22, 2010 - CVE-2010-4535
  166
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  167
+
  168
+`CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
  169
+
  170
+Versions affected
  171
+-----------------
  172
+
  173
+* Django 1.1 `(patch) <https://github.com/django/django/commit/7f8dd9cbac>`__
  174
+
  175
+* Django 1.2 `(patch) <https://github.com/django/django/commit/d5d8942a16>`__
  176
+
  177
+
  178
+February 8, 2011 - CVE-2011-0696
  179
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  180
+
  181
+`CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
  182
+
  183
+Versions affected
  184
+-----------------
  185
+
  186
+* Django 1.1 `(patch) <https://github.com/django/django/commit/408c5c873c>`__
  187
+
  188
+* Django 1.2 `(patch) <https://github.com/django/django/commit/818e70344e>`__
  189
+
  190
+
  191
+February 8, 2011 - CVE-2011-0697
  192
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  193
+
  194
+`CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
  195
+
  196
+Versions affected
  197
+-----------------
  198
+
  199
+* Django 1.1 `(patch) <https://github.com/django/django/commit/1966786d2d>`__
  200
+
  201
+* Django 1.2 `(patch) <https://github.com/django/django/commit/1f814a9547>`__
  202
+
  203
+February 8, 2011 - CVE-2011-0698
  204
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  205
+
  206
+`CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
  207
+
  208
+Versions affected
  209
+-----------------
  210
+
  211
+* Django 1.1 `(patch) <https://github.com/django/django/commit/570a32a047>`__
  212
+
  213
+* Django 1.2 `(patch) <https://github.com/django/django/commit/194566480b>`__
  214
+
  215
+
  216
+September 9, 2011 - CVE-2011-4136
  217
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  218
+
  219
+`CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
  220
+
  221
+Versions affected
  222
+-----------------
  223
+
  224
+* Django 1.2 `(patch) <https://github.com/django/django/commit/ac7c3a110f>`__
  225
+
  226
+* Django 1.3 `(patch) <https://github.com/django/django/commit/fbe2eead2f>`__
  227
+
  228
+September 9, 2011 - CVE-2011-4137
  229
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  230
+
  231
+`CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
  232
+
  233
+Versions affected
  234
+-----------------
  235
+
  236
+* Django 1.2 `(patch) <https://github.com/django/django/commit/7268f8af86>`__
  237
+
  238
+* Django 1.3 `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
  239
+
  240
+September 9, 2011 - CVE-2011-4138
  241
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  242
+
  243
+`CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
  244
+
  245
+Versions affected
  246
+-----------------
  247
+
  248
+* Django 1.2: `(patch) <https://github.com/django/django/commit/7268f8af86>`__
  249
+
  250
+* Django 1.3: `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
  251
+
  252
+September 9, 2011 - CVE-2011-4139
  253
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  254
+
  255
+`CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
  256
+
  257
+Versions affected
  258
+-----------------
  259
+
  260
+* Django 1.2 `(patch) <https://github.com/django/django/commit/c613af4d64>`__
  261
+
  262
+* Django 1.3 `(patch) <https://github.com/django/django/commit/2f7fadc38e>`__
  263
+
  264
+September 9, 2011 - CVE-2011-4140
  265
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  266
+
  267
+`CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header.  `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
  268
+
  269
+Versions affected
  270
+-----------------
  271
+
  272
+This notification was an advisory only, so no patches were issued.
  273
+
  274
+* Django 1.2
  275
+
  276
+* Django 1.3
  277
+
  278
+
  279
+July 30, 2012 - CVE-2012-3442
  280
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  281
+
  282
+`CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
  283
+
  284
+Versions affected
  285
+-----------------
  286
+
  287
+* Django 1.3: `(patch) <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__
  288
+
  289
+* Django 1.4: `(patch) <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__
  290
+
  291
+
  292
+July 30, 2012 - CVE-2012-3443
  293
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  294
+
  295
+`CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
  296
+
  297
+Versions affected
  298
+-----------------
  299
+
  300
+* Django 1.3: `(patch) <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__
  301
+
  302
+* Django 1.4: `(patch) <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__
  303
+
  304
+
  305
+July 30, 2012 - CVE-2012-3444
  306
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  307
+
  308
+`CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
  309
+
  310
+Versions affected
  311
+-----------------
  312
+
  313
+* Django 1.3 `(patch) <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__
  314
+
  315
+* Django 1.4 `(patch) <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__
  316
+
  317
+
  318
+October 17, 2012 - CVE-2012-4520
  319
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  320
+
  321
+`CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
  322
+
  323
+Versions affected
  324
+-----------------
  325
+
  326
+* Django 1.3 `(patch) <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__
  327
+
  328
+* Django 1.4 `(patch) <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__
  329
+
  330
+
  331
+December 10, 2012 - No CVE 1
  332
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  333
+
  334
+Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
  335
+
  336
+Versions affected
  337
+-----------------
  338
+
  339
+* Django 1.3 `(patch) <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__
  340
+
  341
+* Django 1.4 `(patch) <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__
  342
+
  343
+
  344
+December 10, 2012 - No CVE 2
  345
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  346
+
  347
+Additional hardening of redirect validation. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
  348
+
  349
+Versions affected
  350
+-----------------
  351
+
  352
+    * Django 1.3: `(patch) <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__
  353
+
  354
+    * Django 1.4: `(patch) <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__
  355
+
  356
+February 19, 2013 - No CVE
  357
+~~~~~~~~~~~~~~~~~~~~~~~~~~
  358
+
  359
+Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
  360
+
  361
+Versions affected
  362
+-----------------
  363
+
  364
+* Django 1.3 `(patch) <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__
  365
+
  366
+* Django 1.4 `(patch) <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__
  367
+
  368
+February 19, 2013 - CVE-2013-1664/1665
  369
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  370
+
  371
+`CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
  372
+
  373
+Versions affected
  374
+-----------------
  375
+
  376
+* Django 1.3 `(patch) <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__
  377
+
  378
+* Django 1.4 `(patch) <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__
  379
+
  380
+February 19, 2013 - CVE-2013-0305
  381
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  382
+
  383
+`CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log.  `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
  384
+
  385
+Versions affected
  386
+-----------------
  387
+
  388
+* Django 1.3 `(patch) <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__
  389
+
  390
+* Django 1.4 `(patch) <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__
  391
+
  392
+
  393
+February 19, 2013 - CVE-2013-0306
  394
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  395
+
  396
+`CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
  397
+
  398
+Versions affected
  399
+-----------------
  400
+
  401
+* Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__
  402
+
  403
+* Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__
  404
+
  405
+August 13, 2013 - Awaiting CVE 1
  406
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  407
+
  408
+(CVE not yet issued): XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
  409
+
  410
+Versions affected
  411
+-----------------
  412
+
  413
+* Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
  414
+
  415
+August 13, 2013 - Awaiting CVE 2
  416
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  417
+
  418
+(CVE not yet issued): Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
  419
+
  420
+Versions affected
  421
+-----------------
  422
+
  423
+* Django 1.4 `(patch) <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__
  424
+
  425
+* Django 1.5 `(patch) <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__
  426
+
  427
+September 10, 2013 - CVE-2013-4315
  428
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  429
+
  430
+`CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
  431
+
  432
+Versions affected
  433
+-----------------
  434
+
  435
+* Django 1.4 `(patch) <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__
  436
+
  437
+* Django 1.5 `(patch) <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__
  438
+
  439
+
  440
+September 14, 2013 - CVE-2013-1443
  441
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  442
+
  443
+CVE-2013-1443: Denial-of-service via large passwords. `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__
  444
+
  445
+Versions affected
  446
+-----------------
  447
+
  448
+* Django 1.4 `(patch <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix) <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__
  449
+
  450
+* Django 1.5 `(patch) <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__
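Review bot: the NVD link for CVE-2009-3965 (new line 133) points at `vulnId=CVE-2009-3695`, a transposed identifier; the heading and link text are correct, so only the URL needs fixing. Smaller consistency points in the same file: "via via" in the CVE-2011-4137 description (line 231); the CVE-2013-4315 entry (line 430) lacks the colon after the CVE link that every other entry has; CVE-2013-1443 (line 443) is plain text while all other entries link to NVD; the `Django 1.2:` / `Django 1.3:` / `Django 1.4:` bullets (lines 248-250, 287-289, 300-302, 352-354) carry a colon the other version bullets do not; and the two bullets for the December 10, 2012 redirect hardening (lines 352-354) are indented four spaces, which reST renders as a block quote rather than as a list at the same level as the rest of the file. In the CVE-2013-1443 entry (line 448) the parenthesised phrase is split across two hyperlink references, so the closing paren ends up inside the second link's text; `(patch <...>`__, `Python compatibility fix <...>`__)` reads more naturally.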
