summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorDan Palmer <dan@danpalmer.me>2020-05-20 11:45:31 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2020-06-03 09:24:26 +0200
commit2c82414914ae6476be5a166be9ff49c24d0d9069 (patch)
tree996ddece0ea23ba50f254cdd36731a312330d344 /docs
parent2dd4d110c159d0c81dff42eaead2c378a0998735 (diff)
Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.2.13.txt8
-rw-r--r--docs/releases/3.0.7.txt8
2 files changed, 16 insertions, 0 deletions
diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt
index ee381fdcce..3e455e7b4a 100644
--- a/docs/releases/2.2.13.txt
+++ b/docs/releases/2.2.13.txt
@@ -6,6 +6,14 @@ Django 2.2.13 release notes
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
+CVE-2020-13254: Potential data leakage via malformed memcached keys
+===================================================================
+
+In cases where a memcached backend does not perform key validation, passing
+malformed cache keys could result in a key collision, and potential data
+leakage. In order to avoid this vulnerability, key validation is added to the
+memcached cache backends.
+
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================
diff --git a/docs/releases/3.0.7.txt b/docs/releases/3.0.7.txt
index 51ac0d7edd..5a608a35e4 100644
--- a/docs/releases/3.0.7.txt
+++ b/docs/releases/3.0.7.txt
@@ -6,6 +6,14 @@ Django 3.0.7 release notes
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
+CVE-2020-13254: Potential data leakage via malformed memcached keys
+===================================================================
+
+In cases where a memcached backend does not perform key validation, passing
+malformed cache keys could result in a key collision, and potential data
+leakage. In order to avoid this vulnerability, key validation is added to the
+memcached cache backends.
+
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================