author: Jacob Kaplan-Moss <jacob@jacobian.org> 2014-05-14 18:07:32 +0200
committer: Jacob Kaplan-Moss <jacob@jacobian.org> 2014-05-14 18:36:44 +0200
commit: b053eb929b7d8ea191a2b0c13959bbf50cc68f1e (patch)
tree: c6c51bc32592dc77668850b394dfdb8c91ffa13a
parent: 601107524523bca02376a0ddc1a06c6fdb8f22f3 (diff)
Added release notes for 1.4.13, 1.5.8, 1.6.5.
-rw-r--r-- docs/releases/1.4.13.txt 47
-rw-r--r-- docs/releases/1.5.8.txt 47
-rw-r--r-- docs/releases/1.6.5.txt 43
-rw-r--r-- docs/releases/index.txt 2
4 files changed, 137 insertions, 2 deletions
diff --git a/docs/releases/1.4.13.txt b/docs/releases/1.4.13.txt
new file mode 100644
index 0000000000..bcbe460af5
--- /dev/null
+++ b/docs/releases/1.4.13.txt
@@ -0,0 +1,47 @@
+==========================
+Django 1.4.13 release notes
+==========================
+
+*May 13, 2014*
+
+Django 1.4.13 fixes two security issues in 1.4.12.
+
+
+Caches may incorrectly be allowed to store and serve private data
+=================================================================
+In certain situations, Django may allow caches to store private data
+related to a particular session and then serve that data to requests
+with a different session, or no session at all. This can both lead to
+information disclosure, and can be a vector for cache poisoning.
+
+When using Django sessions, Django will set a ``Vary: Cookie`` header to
+ensure caches do not serve cached data to requests from other sessions.
+However, older versions of Internet Explorer (most likely only Internet
+Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
+2003) are unable to handle the ``Vary`` header in combination with many content
+types. Therefore, Django would remove the header if the request was made by
+Internet Explorer.
+
+To remedy this, the special behaviour for these older Internet Explorer versions
+has been removed, and the ``Vary`` header is no longer stripped from the response.
+In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
+requests with a ``Content-Disposition`` header, have also been removed as they
+were found to have similar issues.
+
+
+Malformed redirect URLs from user input not correctly validated
+===============================================================
+The validation for redirects did not correctly validate some malformed URLs,
+which are accepted by some browsers. This allows a user to be redirected to
+an unsafe URL unexpectedly.
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
+:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
+The security checks for these redirects (namely
+``django.util.http.is_safe_url()``) did not correctly validate some malformed
+URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
+with more liberal URL parsing.
+
+To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
+to handle and correctly validate these malformed URLs.
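Review bot: ``django.util.http.is_safe_url()`` in the redirect section is a typo for ``django.utils.http.is_safe_url()``, the module these notes refer to; please fix it here and in the two sibling files. The malformed URL example is wrapped in single backticks (`http:\\\\\\djangoproject.com`), which reStructuredText treats as interpreted text rather than a literal, so the backslash sequence may not render as written; double backticks are needed. Also check the title overline/underline: it looks reused from the 1.5.8 file and is one character shorter than "Django 1.4.13 release notes", which Sphinx flags as "Title underline too short".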
diff --git a/docs/releases/1.5.8.txt b/docs/releases/1.5.8.txt
new file mode 100644
index 0000000000..0fe3c95f62
--- /dev/null
+++ b/docs/releases/1.5.8.txt
@@ -0,0 +1,47 @@
+==========================
+Django 1.5.8 release notes
+==========================
+
+*May 13, 2014*
+
+Django 1.5.8 fixes two security issues in 1.5.8.
+
+
+Caches may incorrectly be allowed to store and serve private data
+=================================================================
+In certain situations, Django may allow caches to store private data
+related to a particular session and then serve that data to requests
+with a different session, or no session at all. This can both lead to
+information disclosure, and can be a vector for cache poisoning.
+
+When using Django sessions, Django will set a ``Vary: Cookie`` header to
+ensure caches do not serve cached data to requests from other sessions.
+However, older versions of Internet Explorer (most likely only Internet
+Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
+2003) are unable to handle the ``Vary`` header in combination with many content
+types. Therefore, Django would remove the header if the request was made by
+Internet Explorer.
+
+To remedy this, the special behaviour for these older Internet Explorer versions
+has been removed, and the ``Vary`` header is no longer stripped from the response.
+In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
+requests with a ``Content-Disposition`` header, have also been removed as they
+were found to have similar issues.
+
+
+Malformed redirect URLs from user input not correctly validated
+===============================================================
+The validation for redirects did not correctly validate some malformed URLs,
+which are accepted by some browsers. This allows a user to be redirected to
+an unsafe URL unexpectedly.
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
+:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
+The security checks for these redirects (namely
+``django.util.http.is_safe_url()``) did not correctly validate some malformed
+URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
+with more liberal URL parsing.
+
+To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
+to handle and correctly validate these malformed URLs.
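Review bot: the intro line says "fixes two security issues in 1.5.8", but the release being fixed is the previous one, 1.5.7 (the 1.4.13 and 1.6.5 notes both name their predecessor), so this should read "in 1.5.7". The ``django.util.http`` typo and the single-backtick URL literal noted on the 1.4.13 file are repeated here verbatim.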
diff --git a/docs/releases/1.6.5.txt b/docs/releases/1.6.5.txt
index 674e3d2ee9..5e650d1eb3 100644
--- a/docs/releases/1.6.5.txt
+++ b/docs/releases/1.6.5.txt
@@ -2,9 +2,48 @@
Django 1.6.5 release notes
==========================
-*Under development*
+*May 14, 2014*
-Django 1.6.5 fixes several bugs in 1.6.4.
+Django 1.6.5 fixes two security issues and several several bugs in 1.6.4.
+
+Issue: Caches may incorrectly be allowed to store and serve private data
+========================================================================
+In certain situations, Django may allow caches to store private data
+related to a particular session and then serve that data to requests
+with a different session, or no session at all. This can both lead to
+information disclosure, and can be a vector for cache poisoning.
+
+When using Django sessions, Django will set a ``Vary: Cookie`` header to
+ensure caches do not serve cached data to requests from other sessions.
+However, older versions of Internet Explorer (most likely only Internet
+Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
+2003) are unable to handle the ``Vary`` header in combination with many content
+types. Therefore, Django would remove the header if the request was made by
+Internet Explorer.
+
+To remedy this, the special behaviour for these older Internet Explorer versions
+has been removed, and the ``Vary`` header is no longer stripped from the response.
+In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
+requests with a ``Content-Disposition`` header, have also been removed as they
+were found to have similar issues.
+
+
+Issue: Malformed redirect URLs from user input not correctly validated
+======================================================================
+The validation for redirects did not correctly validate some malformed URLs,
+which are accepted by some browsers. This allows a user to be redirected to
+an unsafe URL unexpectedly.
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
+:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
+The security checks for these redirects (namely
+``django.util.http.is_safe_url()``) did not correctly validate some malformed
+URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
+with more liberal URL parsing.
+
+To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
+to handle and correctly validate these malformed URLs.
Bugfixes
========
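Review bot: "several several bugs" on the new intro line is a doubled word. The section headings in this file carry an "Issue:" prefix that the 1.4.13 and 1.5.8 notes do not use; pick one form so the three documents match. The ``django.util.http`` typo and the single-backtick URL literal appear here as well. Finally, as shown the last added paragraph runs directly into the existing "Bugfixes" heading with no blank line between them; make sure one is present so the heading is parsed as a section.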
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index c3b8fa5679..3e5ad7eb6f 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -34,6 +34,7 @@ Final releases
.. toctree::
:maxdepth: 1
+ 1.5.8
1.5.7
1.5.6
1.5.5
@@ -48,6 +49,7 @@ Final releases
.. toctree::
:maxdepth: 1
+ 1.4.13
1.4.12
1.4.11
1.4.10