summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMarti Raudsepp <marti@juffo.org>2016-10-24 15:22:00 -0400
committerTim Graham <timograham@gmail.com>2016-11-01 09:30:57 -0400
commitda7910d4834726eca596af0a830762fa5fb2dfd9 (patch)
treede4ee58ef352c19ee5efe5495ef629e0c1aee5cd /docs
parent9e9c81d3c21074d0761ebe5264bbc35cdf4e50f7 (diff)
Fixed CVE-2016-9013 -- Generated a random database user password when running tests on Oracle.
This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/settings.txt7
-rw-r--r--docs/releases/1.10.3.txt14
-rw-r--r--docs/releases/1.8.16.txt14
-rw-r--r--docs/releases/1.9.11.txt14
4 files changed, 48 insertions, 1 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index a5d8205ba4..494988cc62 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -794,7 +794,12 @@ Default: ``None``
This is an Oracle-specific setting.
The password to use when connecting to the Oracle database that will be used
-when running tests. If not provided, Django will use a hardcoded default value.
+when running tests. If not provided, Django will generate a random password.
+
+.. versionchanged:: 1.11
+
+ Older versions used a hardcoded default password. This was also changed
+ in 1.10.3, 1.9.11, and 1.8.16 to fix possible security implications.
.. setting:: TEST_TBLSPACE
diff --git a/docs/releases/1.10.3.txt b/docs/releases/1.10.3.txt
index 0d0507d41e..953544d55b 100644
--- a/docs/releases/1.10.3.txt
+++ b/docs/releases/1.10.3.txt
@@ -6,6 +6,20 @@ Django 1.10.3 release notes
Django 1.10.3 fixes two security issues and several bugs in 1.10.2.
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
+
Bugfixes
========
diff --git a/docs/releases/1.8.16.txt b/docs/releases/1.8.16.txt
index b650340330..aa5d9cccea 100644
--- a/docs/releases/1.8.16.txt
+++ b/docs/releases/1.8.16.txt
@@ -5,3 +5,17 @@ Django 1.8.16 release notes
*November 1, 2016*
Django 1.8.16 fixes two security issues in 1.8.15.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
diff --git a/docs/releases/1.9.11.txt b/docs/releases/1.9.11.txt
index 664a52d1a2..3c29187e86 100644
--- a/docs/releases/1.9.11.txt
+++ b/docs/releases/1.9.11.txt
@@ -5,3 +5,17 @@ Django 1.9.11 release notes
*November 1, 2016*
Django 1.9.11 fixes two security issues in 1.9.10.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.