diff options
| author | Tim Graham <timograham@gmail.com> | 2017-08-09 21:12:37 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2017-09-05 10:58:38 -0400 |
| commit | 46e2b9e059e617afe6fe56da9f132568a7e6b198 (patch) | |
| tree | 7856e671b8a8ef84c11bce51f973fd58ece3a663 /docs | |
| parent | 73b6d027472fbbf823da4a084cdb9fb12e30dc60 (diff) | |
Fixed CVE-2017-12794 -- Fixed XSS possibility in traceback section of technical 500 debug page.
This is a security fix.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.10.8.txt | 9 | ||||
| -rw-r--r-- | docs/releases/1.11.5.txt | 9 |
2 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/1.10.8.txt b/docs/releases/1.10.8.txt index 160e555fef..3785e6535a 100644 --- a/docs/releases/1.10.8.txt +++ b/docs/releases/1.10.8.txt @@ -5,3 +5,12 @@ Django 1.10.8 release notes *September 5, 2017* Django 1.10.8 fixes a security issue in 1.10.7. + +CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page +============================================================================= + +In older versions, HTML autoescaping was disabled in a portion of the template +for the technical 500 debug page. Given the right circumstances, this allowed +a cross-site scripting attack. This vulnerability shouldn't affect most +production sites since you shouldn't run with ``DEBUG = True`` (which makes +this page accessible) in your production settings. diff --git a/docs/releases/1.11.5.txt b/docs/releases/1.11.5.txt index c0af25fb43..dda3489b93 100644 --- a/docs/releases/1.11.5.txt +++ b/docs/releases/1.11.5.txt @@ -6,6 +6,15 @@ Django 1.11.5 release notes Django 1.11.5 fixes a security issue and several bugs in 1.11.4. +CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page +============================================================================= + +In older versions, HTML autoescaping was disabled in a portion of the template +for the technical 500 debug page. Given the right circumstances, this allowed +a cross-site scripting attack. This vulnerability shouldn't affect most +production sites since you shouldn't run with ``DEBUG = True`` (which makes +this page accessible) in your production settings. + Bugfixes ======== |
