diff options
| author | Tim Graham <timograham@gmail.com> | 2016-09-26 12:57:18 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-09-26 12:57:18 -0400 |
| commit | 5731342dbc0e2e0395d53ba9ad54dc5ba49a8560 (patch) | |
| tree | 34633e05e5163eb8491c70983c4a991b94a691e3 /docs | |
| parent | 76155b85e2ce6bc3076ee9942355f1802cf3253d (diff) | |
[1.10.x] Added release notes for 1.9.10 and 1.8.15 releases.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.8.15.txt | 18 | ||||
| -rw-r--r-- | docs/releases/1.9.10.txt | 18 | ||||
| -rw-r--r-- | docs/releases/index.txt | 2 |
3 files changed, 38 insertions, 0 deletions
diff --git a/docs/releases/1.8.15.txt b/docs/releases/1.8.15.txt new file mode 100644 index 0000000000..e977cffbab --- /dev/null +++ b/docs/releases/1.8.15.txt @@ -0,0 +1,18 @@ +=========================== +Django 1.8.15 release notes +=========================== + +*September 26, 2016* + +Django 1.8.15 fixes a security issue in 1.8.14. + +CSRF protection bypass on a site with Google Analytics +====================================================== + +An interaction between Google Analytics and Django's cookie parsing could allow +an attacker to set arbitrary cookies leading to a bypass of CSRF protection. + +The parser for ``request.COOKIES`` is simplified to better match the behavior +of browsers and to mitigate this attack. ``request.COOKIES`` may now contain +cookies that are invalid according to :rfc:`6265` but are possible to set via +``document.cookie``. diff --git a/docs/releases/1.9.10.txt b/docs/releases/1.9.10.txt new file mode 100644 index 0000000000..6321cd8d03 --- /dev/null +++ b/docs/releases/1.9.10.txt @@ -0,0 +1,18 @@ +=========================== +Django 1.9.10 release notes +=========================== + +*September 26, 2016* + +Django 1.9.10 fixes a security issue in 1.9.9. + +CSRF protection bypass on a site with Google Analytics +====================================================== + +An interaction between Google Analytics and Django's cookie parsing could allow +an attacker to set arbitrary cookies leading to a bypass of CSRF protection. + +The parser for ``request.COOKIES`` is simplified to better match the behavior +of browsers and to mitigate this attack. ``request.COOKIES`` may now contain +cookies that are invalid according to :rfc:`6265` but are possible to set via +``document.cookie``. diff --git a/docs/releases/index.txt b/docs/releases/index.txt index b7e553d6c8..51875f813d 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -34,6 +34,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.9.10 1.9.9 1.9.8 1.9.7 @@ -50,6 +51,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.8.15 1.8.14 1.8.13 1.8.12 |
