path: root/docs/releases/1.8.16.txt
author: Marti Raudsepp <marti@juffo.org> 2016-10-24 15:22:00 -0400
committer: Tim Graham <timograham@gmail.com> 2016-10-25 14:31:42 -0400
commit: 4844d86c7728c1a5a3bbce4ad336a8d32304072b (patch)
tree: 19f1389db21cb1272887a6767636c2833f6ec2e4 /docs/releases/1.8.16.txt
parent: 2ed85c18730fc8f1f527ba3dcbe0191f9a1b7564 (diff)
[1.9.x] Fixed CVE-2016-9013 -- Generated a random database user password when running tests on Oracle.
This is a security fix.
Diffstat (limited to 'docs/releases/1.8.16.txt')
-rw-r--r-- docs/releases/1.8.16.txt | 14
1 file changed, 14 insertions(+), 0 deletions(-)
diff --git a/docs/releases/1.8.16.txt b/docs/releases/1.8.16.txt
index b650340330..aa5d9cccea 100644
--- a/docs/releases/1.8.16.txt
+++ b/docs/releases/1.8.16.txt
@@ -5,3 +5,17 @@ Django 1.8.16 release notes
*November 1, 2016*
Django 1.8.16 fixes two security issues in 1.8.15.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
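Review bot: The new section leaves a gap for operators who already ran the suite with ``--keepdb``: it states that the test user is not dropped in that case, and that a random password is now used "for each test run", but it does not say what happens to a user that was created by an earlier run with the hardcoded password and is still present. Consider closing with a sentence that tells readers to drop that existing test user (or run once without ``--keepdb``) so the old credential is retired, rather than leaving them to infer it. Two smaller style points in the same hunk: the heading reads more naturally as "A user with a hardcoded password is created when running tests on Oracle", and "In older versions" would be clearer as "In previous releases" to match the tense of the surrounding release-note text.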