diff options
| author | Jake Howard <git@theorangeone.net> | 2026-05-12 16:29:56 +0100 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2026-06-03 08:37:26 -0300 |
| commit | d618d7ae4fec727d5b582bd24f803c28d17bf7cd (patch) | |
| tree | 51fdf6600a8756f7c9065bfe8c81b91a696f2117 /docs | |
| parent | df887f50198593a0e5b4638bfddbbd43a30fd276 (diff) | |
Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitively in UpdateCacheMiddleware.
Thanks Ahmed Badawe for the report, and Jacob Walls for reviews.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/5.2.15.txt | 16 | ||||
| -rw-r--r-- | docs/releases/6.0.6.txt | 16 |
2 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt index 14796f8581..c068600280 100644 --- a/docs/releases/5.2.15.txt +++ b/docs/releases/5.2.15.txt @@ -35,3 +35,19 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected. This issue has severity "low" according to the :ref:`Django security policy <severity-levels>`. + +CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives +================================================================================================= + +:class:`~django.middleware.cache.UpdateCacheMiddleware` and +:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses +marked with private ``Cache-Control`` directives when using mixed or uppercase +values (e.g. ``Private``). + +The :func:`~django.views.decorators.cache.cache_control` decorator and +:func:`~django.utils.cache.patch_cache_control` function were not affected, +since they normalize directives to lowercase. This issue only affects responses +where ``Cache-Control`` is set manually. + +This issue has severity "low" according to the :ref:`Django security policy +<severity-levels>`. diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt index 20ae1db93c..afcbbe0eb2 100644 --- a/docs/releases/6.0.6.txt +++ b/docs/releases/6.0.6.txt @@ -37,6 +37,22 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected. This issue has severity "low" according to the :ref:`Django security policy <severity-levels>`. +CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives +================================================================================================= + +:class:`~django.middleware.cache.UpdateCacheMiddleware` and +:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses +marked with private ``Cache-Control`` directives when using mixed or uppercase +values (e.g. ``Private``). + +The :func:`~django.views.decorators.cache.cache_control` decorator and +:func:`~django.utils.cache.patch_cache_control` function were not affected, +since they normalize directives to lowercase. This issue only affects responses +where ``Cache-Control`` is set manually. + +This issue has severity "low" according to the :ref:`Django security policy +<severity-levels>`. + Bugfixes ======== |
