diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/5.2.14.txt | 10 | ||||
| -rw-r--r-- | docs/releases/6.0.5.txt | 10 |
2 files changed, 20 insertions, 0 deletions
diff --git a/docs/releases/5.2.14.txt b/docs/releases/5.2.14.txt index cefa9a1f5b..1fe882ebea 100644 --- a/docs/releases/5.2.14.txt +++ b/docs/releases/5.2.14.txt @@ -30,3 +30,13 @@ a cached public page. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2026-6907: Potential exposure of private data due to incorrect handling of ``Vary: *`` in ``UpdateCacheMiddleware`` +======================================================================================================================= + +Previously, :class:`~django.middleware.cache.UpdateCacheMiddleware` would +erroneously cache requests where the ``Vary`` header contained an asterisk +(``'*'``). This could lead to private data being stored and served. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. diff --git a/docs/releases/6.0.5.txt b/docs/releases/6.0.5.txt index 8e7aca7158..08bce66e6a 100644 --- a/docs/releases/6.0.5.txt +++ b/docs/releases/6.0.5.txt @@ -32,6 +32,16 @@ a cached public page. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. +CVE-2026-6907: Potential exposure of private data due to incorrect handling of ``Vary: *`` in ``UpdateCacheMiddleware`` +======================================================================================================================= + +Previously, :class:`~django.middleware.cache.UpdateCacheMiddleware` would +erroneously cache requests where the ``Vary`` header contained an asterisk +(``'*'``). This could lead to private data being stored and served. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. + Bugfixes ======== |
