summaryrefslogtreecommitdiff
path: root/docs/releases
diff options
context:
space:
mode:
authorMarti Raudsepp <marti@juffo.org>2016-10-24 15:22:00 -0400
committerTim Graham <timograham@gmail.com>2016-11-01 09:30:57 -0400
commitda7910d4834726eca596af0a830762fa5fb2dfd9 (patch)
treede4ee58ef352c19ee5efe5495ef629e0c1aee5cd /docs/releases
parent9e9c81d3c21074d0761ebe5264bbc35cdf4e50f7 (diff)
Fixed CVE-2016-9013 -- Generated a random database user password when running tests on Oracle.
This is a security fix.
Diffstat (limited to 'docs/releases')
-rw-r--r--docs/releases/1.10.3.txt14
-rw-r--r--docs/releases/1.8.16.txt14
-rw-r--r--docs/releases/1.9.11.txt14
3 files changed, 42 insertions, 0 deletions
diff --git a/docs/releases/1.10.3.txt b/docs/releases/1.10.3.txt
index 0d0507d41e..953544d55b 100644
--- a/docs/releases/1.10.3.txt
+++ b/docs/releases/1.10.3.txt
@@ -6,6 +6,20 @@ Django 1.10.3 release notes
Django 1.10.3 fixes two security issues and several bugs in 1.10.2.
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
+
Bugfixes
========
diff --git a/docs/releases/1.8.16.txt b/docs/releases/1.8.16.txt
index b650340330..aa5d9cccea 100644
--- a/docs/releases/1.8.16.txt
+++ b/docs/releases/1.8.16.txt
@@ -5,3 +5,17 @@ Django 1.8.16 release notes
*November 1, 2016*
Django 1.8.16 fixes two security issues in 1.8.15.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
diff --git a/docs/releases/1.9.11.txt b/docs/releases/1.9.11.txt
index 664a52d1a2..3c29187e86 100644
--- a/docs/releases/1.9.11.txt
+++ b/docs/releases/1.9.11.txt
@@ -5,3 +5,17 @@ Django 1.9.11 release notes
*November 1, 2016*
Django 1.9.11 fixes two security issues in 1.9.10.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.