diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/5.2.15.txt | 16 | ||||
| -rw-r--r-- | docs/releases/6.0.6.txt | 16 |
2 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt index 14796f8581..c068600280 100644 --- a/docs/releases/5.2.15.txt +++ b/docs/releases/5.2.15.txt @@ -35,3 +35,19 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected. This issue has severity "low" according to the :ref:`Django security policy <severity-levels>`. + +CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives +================================================================================================= + +:class:`~django.middleware.cache.UpdateCacheMiddleware` and +:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses +marked with private ``Cache-Control`` directives when using mixed or uppercase +values (e.g. ``Private``). + +The :func:`~django.views.decorators.cache.cache_control` decorator and +:func:`~django.utils.cache.patch_cache_control` function were not affected, +since they normalize directives to lowercase. This issue only affects responses +where ``Cache-Control`` is set manually. + +This issue has severity "low" according to the :ref:`Django security policy +<severity-levels>`. diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt index 20ae1db93c..afcbbe0eb2 100644 --- a/docs/releases/6.0.6.txt +++ b/docs/releases/6.0.6.txt @@ -37,6 +37,22 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected. This issue has severity "low" according to the :ref:`Django security policy <severity-levels>`. +CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives +================================================================================================= + +:class:`~django.middleware.cache.UpdateCacheMiddleware` and +:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses +marked with private ``Cache-Control`` directives when using mixed or uppercase +values (e.g. ``Private``). + +The :func:`~django.views.decorators.cache.cache_control` decorator and +:func:`~django.utils.cache.patch_cache_control` function were not affected, +since they normalize directives to lowercase. This issue only affects responses +where ``Cache-Control`` is set manually. + +This issue has severity "low" according to the :ref:`Django security policy +<severity-levels>`. + Bugfixes ======== |
