| field | value | date |
|---|---|---|
| author | Marti Raudsepp <marti@juffo.org> | 2016-10-24 15:22:00 -0400 |
| committer | Tim Graham <timograham@gmail.com> | 2016-10-25 14:31:42 -0400 |
| commit | 4844d86c7728c1a5a3bbce4ad336a8d32304072b (patch) | |
| tree | 19f1389db21cb1272887a6767636c2833f6ec2e4 /docs/releases | |
| parent | 2ed85c18730fc8f1f527ba3dcbe0191f9a1b7564 (diff) | |
[1.9.x] Fixed CVE-2016-9013 -- Generated a random database user password when running tests on Oracle.
This is a security fix.
Diffstat (limited to 'docs/releases')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/releases/1.8.16.txt | 14 |
| -rw-r--r-- | docs/releases/1.9.11.txt | 14 |

2 files changed, 28 insertions, 0 deletions
diff --git a/docs/releases/1.8.16.txt b/docs/releases/1.8.16.txt index b650340330..aa5d9cccea 100644 --- a/docs/releases/1.8.16.txt +++ b/docs/releases/1.8.16.txt @@ -5,3 +5,17 @@ Django 1.8.16 release notes *November 1, 2016* Django 1.8.16 fixes two security issues in 1.8.15. + +User with hardcoded password created when running tests on Oracle +================================================================= + +When running tests with an Oracle database, Django creates a temporary database +user. In older versions, if a password isn't manually specified in the database +settings ``TEST`` dictionary, a hardcoded password is used. This could allow +an attacker with network access to the database server to connect. + +This user is usually dropped after the test suite completes, but not when using +the ``manage.py test --keepdb`` option or if the user has an active session +(such as an attacker's connection). + +A randomly generated password is now used for each test run. diff --git a/docs/releases/1.9.11.txt b/docs/releases/1.9.11.txt index 664a52d1a2..3c29187e86 100644 --- a/docs/releases/1.9.11.txt +++ b/docs/releases/1.9.11.txt @@ -5,3 +5,17 @@ Django 1.9.11 release notes *November 1, 2016* Django 1.9.11 fixes two security issues in 1.9.10. + +User with hardcoded password created when running tests on Oracle +================================================================= + +When running tests with an Oracle database, Django creates a temporary database +user. In older versions, if a password isn't manually specified in the database +settings ``TEST`` dictionary, a hardcoded password is used. This could allow +an attacker with network access to the database server to connect. + +This user is usually dropped after the test suite completes, but not when using +the ``manage.py test --keepdb`` option or if the user has an active session +(such as an attacker's connection). + +A randomly generated password is now used for each test run. |
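Review bot: The 1.8.16 hunk leaves out the remediation step for users already affected. The paragraph starting "This user is usually dropped after the test suite completes, but not when using the ``manage.py test --keepdb`` option" establishes that a test user created with the old hardcoded password may still exist on the server, and the random password introduced by this fix only applies to users created on subsequent runs. Suggest adding a sentence after "A randomly generated password is now used for each test run." along the lines of "If you previously ran the test suite with ``--keepdb`` on an Oracle database, drop the existing test user (or change its password) so that the hardcoded credentials no longer work."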
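Review bot: In the 1.9.11 hunk the closing sentence "A randomly generated password is now used for each test run." reads as if it also overrides a password the user set explicitly, which contradicts the earlier condition "if a password isn't manually specified in the database settings ``TEST`` dictionary". Suggest qualifying it, e.g. "When no password is specified in the ``TEST`` dictionary, a randomly generated password is now used for each test run." The same wording appears in the 1.8.16 hunk above and should be changed in both copies so the two release notes stay identical.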
