summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/5.2.15.txt16
-rw-r--r--docs/releases/6.0.6.txt16
2 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt
index 14796f8581..c068600280 100644
--- a/docs/releases/5.2.15.txt
+++ b/docs/releases/5.2.15.txt
@@ -35,3 +35,19 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected.
This issue has severity "low" according to the :ref:`Django security policy
<severity-levels>`.
+
+CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives
+=================================================================================================
+
+:class:`~django.middleware.cache.UpdateCacheMiddleware` and
+:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses
+marked with private ``Cache-Control`` directives when using mixed or uppercase
+values (e.g. ``Private``).
+
+The :func:`~django.views.decorators.cache.cache_control` decorator and
+:func:`~django.utils.cache.patch_cache_control` function were not affected,
+since they normalize directives to lowercase. This issue only affects responses
+where ``Cache-Control`` is set manually.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<severity-levels>`.
diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt
index 20ae1db93c..afcbbe0eb2 100644
--- a/docs/releases/6.0.6.txt
+++ b/docs/releases/6.0.6.txt
@@ -37,6 +37,22 @@ Connections configured with :setting:`EMAIL_USE_SSL` are not affected.
This issue has severity "low" according to the :ref:`Django security policy
<severity-levels>`.
+CVE-2026-8404: Potential exposure of private data via case-sensitive ``Cache-Control`` directives
+=================================================================================================
+
+:class:`~django.middleware.cache.UpdateCacheMiddleware` and
+:func:`~django.views.decorators.cache.cache_page` incorrectly cached responses
+marked with private ``Cache-Control`` directives when using mixed or uppercase
+values (e.g. ``Private``).
+
+The :func:`~django.views.decorators.cache.cache_control` decorator and
+:func:`~django.utils.cache.patch_cache_control` function were not affected,
+since they normalize directives to lowercase. This issue only affects responses
+where ``Cache-Control`` is set manually.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<severity-levels>`.
+
Bugfixes
========