From 07e59caa02831c4569bbebb9eb773bdd9cb4b206 Mon Sep 17 00:00:00 2001 From: Dan Palmer Date: Wed, 20 May 2020 11:45:31 +0200 Subject: [2.2.x] Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends. --- docs/releases/2.2.13.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs') diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt index ee381fdcce..3e455e7b4a 100644 --- a/docs/releases/2.2.13.txt +++ b/docs/releases/2.2.13.txt @@ -6,6 +6,14 @@ Django 2.2.13 release notes Django 2.2.13 fixes two security issues and a regression in 2.2.12. +CVE-2020-13254: Potential data leakage via malformed memcached keys +=================================================================== + +In cases where a memcached backend does not perform key validation, passing +malformed cache keys could result in a key collision, and potential data +leakage. In order to avoid this vulnerability, key validation is added to the +memcached cache backends. + CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget`` ================================================================ -- cgit v1.3