summaryrefslogtreecommitdiff
path: root/docs/releases
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases')
-rw-r--r--docs/releases/1.10.3.txt14
-rw-r--r--docs/releases/1.8.16.txt14
-rw-r--r--docs/releases/1.9.11.txt14
3 files changed, 42 insertions, 0 deletions
diff --git a/docs/releases/1.10.3.txt b/docs/releases/1.10.3.txt
index 0d0507d41e..953544d55b 100644
--- a/docs/releases/1.10.3.txt
+++ b/docs/releases/1.10.3.txt
@@ -6,6 +6,20 @@ Django 1.10.3 release notes
Django 1.10.3 fixes two security issues and several bugs in 1.10.2.
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
+
Bugfixes
========
diff --git a/docs/releases/1.8.16.txt b/docs/releases/1.8.16.txt
index b650340330..aa5d9cccea 100644
--- a/docs/releases/1.8.16.txt
+++ b/docs/releases/1.8.16.txt
@@ -5,3 +5,17 @@ Django 1.8.16 release notes
*November 1, 2016*
Django 1.8.16 fixes two security issues in 1.8.15.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
diff --git a/docs/releases/1.9.11.txt b/docs/releases/1.9.11.txt
index 664a52d1a2..3c29187e86 100644
--- a/docs/releases/1.9.11.txt
+++ b/docs/releases/1.9.11.txt
@@ -5,3 +5,17 @@ Django 1.9.11 release notes
*November 1, 2016*
Django 1.9.11 fixes two security issues in 1.9.10.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.