diff options
| author | James Bennett <james@b-list.org> | 2013-09-18 23:13:04 -0500 |
|---|---|---|
| committer | James Bennett <james@b-list.org> | 2013-09-18 23:13:04 -0500 |
| commit | a2e25e8a830b1d8b3daa9afb1c2ad4f954bb7d3c (patch) | |
| tree | d8c484c7916da33ed18e520ab9bc7695f125b990 | |
| parent | 98514849dce07acfaa224a90a784bba9d97249e5 (diff) | |
Fix #21121: Add archive of security issues.
| -rw-r--r-- | docs/internals/security.txt | 6 | ||||
| -rw-r--r-- | docs/releases/index.txt | 10 | ||||
| -rw-r--r-- | docs/releases/security.txt | 527 |
3 files changed, 543 insertions, 0 deletions
diff --git a/docs/internals/security.txt b/docs/internals/security.txt index 327a6a5f60..7451dbdca4 100644 --- a/docs/internals/security.txt +++ b/docs/internals/security.txt @@ -1,3 +1,5 @@ +.. _internals-security: + ========================== Django's security policies ========================== @@ -126,6 +128,10 @@ may privately contact and discuss those issues with the appropriate maintainers, and coordinate our own disclosure and resolution with theirs. +The Django team also maintains an :ref:`archive of security issues +disclosed in Django <security-releases>`. + + .. _security-notifications: Who receives advance notification diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 5574ee964f..33dc780cac 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -112,6 +112,16 @@ Pre-1.0 releases 0.96 0.95 +Security releases +================= + +Whenever a security issue is disclosed via :ref:`Django's security +policies <internals-security>`, appropriate release notes are now +added to all affected release series. + +Additionally, :ref:`an archive of disclosed security issues +<security-releases>` is maintained. + Development releases ==================== diff --git a/docs/releases/security.txt b/docs/releases/security.txt new file mode 100644 index 0000000000..022e240866 --- /dev/null +++ b/docs/releases/security.txt @@ -0,0 +1,527 @@ +.. _security-releases: + +========================== +Archive of security issues +========================== + +Django's development team is strongly committed to responsible +reporting and disclosure of security-related issues, as outlined in +:ref:`Django's security policies <internals-security>`. + +As part of that commitment, we maintain the following historical list +of issues which have been fixed and disclosed. For each issue, the +list below includes the date, a brief description, the `CVE identifier +<http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`_ +if applicable, a list of affected versions, a link to the full +disclosure and links to the appropriate patch(es). + +Some important caveats apply to this information: + +* Lists of affected versions include only those versions of Django + which had stable, security-supported releases at the time of + disclosure. This means older versions (whose security support had + expired) and versions which were in pre-release (alpha/beta/RC) + states at the time of disclosure may have been affected, but are not + listed. + +* The Django project has on occasion issued security advisories, + pointing out potential security problems which can arise from + improper configuration or from other issues outside of Django + itself. Some of these advisories have received CVEs; when that is + the case, they are listed here, but as they have no accompanying + patches or releases, only the description, disclosure and CVE will + be listed. + + +Issues prior to Django's security process +========================================= + +Some security issues were handled before Django had a formalized +security process in use. For these, new releases may not have been +issued at the time and CVEs may not have been assigned. + + +August 16, 2006 +--------------- + +* **Issues:** + + * Filename validation issue in translation framework: `CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_ + +* **Versions affected:** + + * Django 0.90 + + * Django 0.91 + +* `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`_ + +* Patch: `unified 0.90/0.91 <https://github.com/django/django/commit/518d406e53>`_ + + +January 21, 2007 +---------------- + +* **Issues:** + + * Patch CVE-2007-0404 for Django 0.95 + + * Apparent "caching" of authenticated user: `CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_ + +* **Versions affected:** + + * Django 0.95 + +* `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`_ + +* **Patches:** + + * `2006-08-26 issue <https://github.com/django/django/commit/a132d411c6>`_ + + * `User caching issue <https://github.com/django/django/commit/e89f0a6558>`_ + + + +Issues under Django's security process +====================================== + +All other security issues have been handled under versions of Django's +security process. These are listed below. + + +October 26, 2007 +---------------- + +* **Issues:** + + * Denial-of-service via arbitrarily-large ``Accept-Language`` header: `CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_ + +* **Versions affected:** + + * Django 0.91 + + * Django 0.95 + + * Django 0.96 + +* `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`_ + +* **Patches:** + + * `0.91 <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`_ + + * `0.95 <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`_ + + * `0.96 <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`_ + + +May 14, 2008 +------------ + +* **Issues:** + + * XSS via admin login redirect: `CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_ + +* **Versions affected:** + + * Django 0.91 + + * Django 0.95 + + * Django 0.96 + +* `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`_ + +* **Patches:** + + * `0.91 <https://github.com/django/django/commit/50ce7fb57d>`_ + + * `0.95 <https://github.com/django/django/commit/50ce7fb57d>`_ + + * `0.96 <https://github.com/django/django/commit/7791e5c050>`_ + + +September 2, 2008 +================= + +* **Issues:** + + * CSRF via preservation of POST data during admin login: `CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_ + +* Versions affected + + * Django 0.91 + + * Django 0.95 + + * Django 0.96 + +* `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`_ + +* **Patches:** + + * `0.91 <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`_ + + * `0.95 <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`_ + + * `0.96 <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`_ + + +July 28, 2009 +============= + +* **Issues:** + + * Directory-traversal in development server media handler: `CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_ + +* **Versions affected:** + + * Django 0.96 + + * Django 1.0 + +* `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`_ + +* **Patches:** + + * `0.96 <https://github.com/django/django/commit/da85d76fd6>`_ + + * `1.0 <https://github.com/django/django/commit/df7f917b7f>`_ + + +October 9, 2009 +=============== + +* **Issues:** + + * Denial-of-service via pathological regular expression performance: `CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_ + +* **Versions affected:** + + * Django 1.0 + + * Django 1.1 + +* `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`_ + +* **Patches:** + + * `1.0 <https://github.com/django/django/commit/594a28a904>`_ + + * `1.1 <https://github.com/django/django/commit/e3e992e18b>`_ + + +September 8, 2010 +================= + +* **Issues:** + + * XSS via trusting unsafe cookie value: `CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_ + +* **Versions affected:** + + * Django 1.2 + +* `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`_ + +* **Patches:** + + * `1.2 <https://github.com/django/django/commit/7f84657b6b>`_ + + +December 22, 2010 +================= + +* **Issues:** + + * Information leakage in administrative interface: `CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_ + + * Denial-of-service in password-reset mechanism: `CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_ + +* **Versions affected:** + + * Django 1.1 + + * Django 1.2 + +* `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`_ + +* **Patches:** + + * `1.1 CVE-2010-4534 <https://github.com/django/django/commit/17084839fd>`_ + + * `1.1 CVE-2010-4535 <https://github.com/django/django/commit/7f8dd9cbac>`_ + + * `1.2 CVE-2010-4534 <https://github.com/django/django/commit/85207a245b>`_ + + * `1.2 CVE-2010-4535 <https://github.com/django/django/commit/d5d8942a16>`_ + + +February 8, 2011 +================ + +* **Issues:** + + * CSRF via forged HTTP headers: `CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_ + + * XSS via unsanitized names of uploaded files: `CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_ + + * Directory-traversal on Windows via incorrect path-separator handling: `CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_ + +* **Versions affected:** + + * Django 1.1 + + * Django 1.2 + +* `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`_ + +* **Patches:** + + * `1.1 CVE-2010-0696 <https://github.com/django/django/commit/408c5c873c>`_ + + * `1.1 CVE-2010-0697 <https://github.com/django/django/commit/1966786d2d>`_ + + * `1.1 CVE-2010-0698 <https://github.com/django/django/commit/570a32a047>`_ + + * `1.2 CVE-2010-0696 <https://github.com/django/django/commit/818e70344e>`_ + + * `1.2 CVE-2010-0697 <https://github.com/django/django/commit/1f814a9547>`_ + + * `1.2 CVE-2010-0698 <https://github.com/django/django/commit/194566480b>`_ + + +September 9, 2011 +================= + +* **Issues:** + + * Session manipulation when using memory-cache-backed session: `CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_ + + * Denial-of-service via via ``URLField.verify_exists``: `CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_ + + * Information leakage/arbitrary request issuance via ``URLField.verify_exists``: `CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_ + + * ``Host`` header cache poisoning: `CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_ + +* Advisories: + + * Potential CSRF via ``Host`` header: `CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_ + +* **Versions affected:** + + * Django 1.2 + + * Django 1.3 + +* `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`_ + +* **Patches:** + + * `1.2 CVE-2011-4136 <https://github.com/django/django/commit/ac7c3a110f>`_ + + * `1.2 CVE-2011-4137 and CVE-2011-4138 <https://github.com/django/django/commit/7268f8af86>`_ + + * `1.2 CVE-2011-4139 <https://github.com/django/django/commit/c613af4d64>`_ + + * `1.3 CVE-2011-4136 <https://github.com/django/django/commit/fbe2eead2f>`_ + + * `1.3 CVE-2011-4137 and CVE-2011-4138 <https://github.com/django/django/commit/1a76dbefdf>`_ + + * `1.3 CVE-2011-4139 <https://github.com/django/django/commit/2f7fadc38e>`_ + + +July 30, 2012 +============= + +* **Issues:** + + * XSS via failure to validate redirect scheme: `CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_ + + * Denial-of-service via compressed image files: `CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_ + + * Denial-of-service via large image viles: `CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_ + +* **Versions affected:** + + * Django 1.3 + + * Django 1.4 + +* `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`_ + +* **Patches:** + + * `1.3 CVE-2012-3442 <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`_ + + * `1.3 CVE-2012-3443 <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`_ + + * `1.3 CVE-2012-3444 <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`_ + + * `1.4 CVE-2012-3442 <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`_ + + * `1.4 CVE-2012-3443 <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`_ + + * `1.4 CVE-2012-3444 <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`_ + + +October 17, 2012 +================ + +* **Issues:** + + * ``Host`` header poisoning: `CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2`_ + +* **Versions affected:** + + * Django 1.3 + + * Django 1.4 + +* `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`_ + +* **Patches:** + + * `1.3 <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`_ + + * `1.4 <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`_ + + +December 10, 2012 +================= + +* **Issues:** + + * Additional hardening of ``Host`` header handling (no CVE issued) + + * Additional hardening of redirect validation (no CVE issued) + +* **Versions affected:** + + * Django 1.3 + + * Django 1.4 + +* `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`_ + +* **Patches:** + + * `1.3 Host hardening <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`_ + + * `1.3 redirect hardening <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`_ + + * `1.4 Host hardening <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`_ + + * `1.4 redirect hardning <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`_ + + +February 19, 2013 +================= + +* **Issues:** + + * Additional hardening of ``Host`` header handling (no CVE issued) + + * Entity-based attacks against Python XML libraries: `CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_ + + * Information leakage via admin history log: `CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_ + + * Denial-of-service via formset ``max_num`` bypass `CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_ + +* **Versions affected:** + + * Django 1.3 + + * Django 1.4 + +* Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`_ + +* **Patches:** + + * `1.3 Host hardening <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`_ + + * `1.3 XML attacks <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`_ + + * `1.3 CVE-2013-0305 <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`_ + + * `1.3 CVE-2013-0306 <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`_ + + * `1.4 Host hardening <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`_ + + * `1.4 XML attacks <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`_ + + * `1.4 CVE-2013-0305 <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`_ + + * `1.4 CVE-2013-0306 <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`_ + + +August 13, 2013 +=============== + +* **Issues:** + + * XSS via admin trusting ``URLField`` values (CVE not yet issued) + + * Possible XSS via unvalidated URL redirect schemes (CVE not yet issued) + +* **Versions affected:** + + * Django 1.4 (redirect scheme issue only) + + * Django 1.5 + +* Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`_ + +* **Patches:** + + * `1.4 redirect validation <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`_ + + * `1.5 URLField trusting <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`_ + + * `1.5 redirect validation <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`_ + + +September 10, 2013 +================== + +* **Issues:** + + * Directory-traversal via ``ssi`` template tag: `CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ + +* **Versions affected:** + + * Django 1.4 + + * Django 1.5 + +* `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`_ + +* **Patches:** + + * `1.4 CVE-2013-4315 <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`_ + + * `1.5 CVE-2013-4315 <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`_ + + +September 14, 2013 +================== + +* **Issues:** + + * Denial-of-service via large passwords: CVE-2013-1443 + +* **Versions affected:** + + * Django 1.4 + + * Django 1.5 + +* `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`_ + +* **Patches:** + + * `1.4 CVE-2013-1443 <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`_ and `Python compatibility fix <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`_ + + * `1.5 CVE-2013-1443 <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`_ + +
\ No newline at end of file |
