summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2016-09-26 12:57:18 -0400
committerTim Graham <timograham@gmail.com>2016-09-26 13:55:21 -0400
commitc6a3109e2035b3a2f1ea361dde7098b3164f18b1 (patch)
treebd93388abbebe7329734d59d04460c62180dd9a1 /docs
parent6d6d1b10017d4f0ade761fb07c78c146e3008d65 (diff)
Added release notes for 1.9.10 and 1.8.15 releases.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.8.15.txt18
-rw-r--r--docs/releases/1.9.10.txt18
-rw-r--r--docs/releases/index.txt2
3 files changed, 38 insertions, 0 deletions
diff --git a/docs/releases/1.8.15.txt b/docs/releases/1.8.15.txt
new file mode 100644
index 0000000000..e977cffbab
--- /dev/null
+++ b/docs/releases/1.8.15.txt
@@ -0,0 +1,18 @@
+===========================
+Django 1.8.15 release notes
+===========================
+
+*September 26, 2016*
+
+Django 1.8.15 fixes a security issue in 1.8.14.
+
+CSRF protection bypass on a site with Google Analytics
+======================================================
+
+An interaction between Google Analytics and Django's cookie parsing could allow
+an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
+
+The parser for ``request.COOKIES`` is simplified to better match the behavior
+of browsers and to mitigate this attack. ``request.COOKIES`` may now contain
+cookies that are invalid according to :rfc:`6265` but are possible to set via
+``document.cookie``.
diff --git a/docs/releases/1.9.10.txt b/docs/releases/1.9.10.txt
new file mode 100644
index 0000000000..6321cd8d03
--- /dev/null
+++ b/docs/releases/1.9.10.txt
@@ -0,0 +1,18 @@
+===========================
+Django 1.9.10 release notes
+===========================
+
+*September 26, 2016*
+
+Django 1.9.10 fixes a security issue in 1.9.9.
+
+CSRF protection bypass on a site with Google Analytics
+======================================================
+
+An interaction between Google Analytics and Django's cookie parsing could allow
+an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
+
+The parser for ``request.COOKIES`` is simplified to better match the behavior
+of browsers and to mitigate this attack. ``request.COOKIES`` may now contain
+cookies that are invalid according to :rfc:`6265` but are possible to set via
+``document.cookie``.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 4a9f3783af..a02b68d7de 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -42,6 +42,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.9.10
1.9.9
1.9.8
1.9.7
@@ -58,6 +59,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.8.15
1.8.14
1.8.13
1.8.12