summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2017-03-14 12:33:15 -0400
committerTim Graham <timograham@gmail.com>2017-04-04 10:00:41 -0400
commit5f1ffb07afc1e59729ce2b283124116d6c0659e4 (patch)
treecb8ea2bd46cec60a181c426a69d0c85bfdfceae0 /docs
parentcb87583c57e2f662c28172a8b3538615ae580c7f (diff)
[1.9.x] Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve().
This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.8.18.txt11
-rw-r--r--docs/releases/1.9.13.txt11
2 files changed, 22 insertions, 0 deletions
diff --git a/docs/releases/1.8.18.txt b/docs/releases/1.8.18.txt
index 92492c7825..7b1e08046c 100644
--- a/docs/releases/1.8.18.txt
+++ b/docs/releases/1.8.18.txt
@@ -5,3 +5,14 @@ Django 1.8.18 release notes
*April 4, 2017*
Django 1.8.18 fixes two security issues in 1.8.17.
+
+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
diff --git a/docs/releases/1.9.13.txt b/docs/releases/1.9.13.txt
index 42f22a8f00..f9d203eafe 100644
--- a/docs/releases/1.9.13.txt
+++ b/docs/releases/1.9.13.txt
@@ -7,6 +7,17 @@ Django 1.9.13 release notes
Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final
release of the 1.9.x series.
+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
+
Bugfixes
========