diff options
| author | Dan Palmer <dan@danpalmer.me> | 2020-05-20 11:45:31 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2020-06-03 09:33:20 +0200 |
| commit | 84b2da5552e100ae3294f564f6c862fef8d0e693 (patch) | |
| tree | 0ad27b4317baa84f9e7c318fe0b6b89c021cc72d /docs | |
| parent | 1f2dd37f6fcefdd10ed44cb233b2e62b520afb38 (diff) | |
[3.0.x] Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/2.2.13.txt | 8 | ||||
| -rw-r--r-- | docs/releases/3.0.7.txt | 8 |
2 files changed, 16 insertions, 0 deletions
diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt index ee381fdcce..3e455e7b4a 100644 --- a/docs/releases/2.2.13.txt +++ b/docs/releases/2.2.13.txt @@ -6,6 +6,14 @@ Django 2.2.13 release notes Django 2.2.13 fixes two security issues and a regression in 2.2.12. +CVE-2020-13254: Potential data leakage via malformed memcached keys +=================================================================== + +In cases where a memcached backend does not perform key validation, passing +malformed cache keys could result in a key collision, and potential data +leakage. In order to avoid this vulnerability, key validation is added to the +memcached cache backends. + CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget`` ================================================================ diff --git a/docs/releases/3.0.7.txt b/docs/releases/3.0.7.txt index 51ac0d7edd..5a608a35e4 100644 --- a/docs/releases/3.0.7.txt +++ b/docs/releases/3.0.7.txt @@ -6,6 +6,14 @@ Django 3.0.7 release notes Django 3.0.7 fixes two security issues and several bugs in 3.0.6. +CVE-2020-13254: Potential data leakage via malformed memcached keys +=================================================================== + +In cases where a memcached backend does not perform key validation, passing +malformed cache keys could result in a key collision, and potential data +leakage. In order to avoid this vulnerability, key validation is added to the +memcached cache backends. + CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget`` ================================================================ |
