author: Tim Graham <timograham@gmail.com> 2017-03-14 12:33:15 -0400
committer: Tim Graham <timograham@gmail.com> 2017-04-04 10:46:50 -0400
commit: 001ff508081a893d0cf81df1214dbd234606c360 (patch)
tree: ff51e7e2550d2885f8bd35df87283de35fcef473 /docs
parent: 839159b67e3866f552e223dbd097923d789952fb (diff)
[1.11.x] Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve().
This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r-- docs/releases/1.10.7.txt 11
-rw-r--r-- docs/releases/1.8.18.txt 11
-rw-r--r-- docs/releases/1.9.13.txt 11
3 files changed, 33 insertions, 0 deletions
diff --git a/docs/releases/1.10.7.txt b/docs/releases/1.10.7.txt
index 630610e0af..0c79347cc3 100644
--- a/docs/releases/1.10.7.txt
+++ b/docs/releases/1.10.7.txt
@@ -6,6 +6,17 @@ Django 1.10.7 release notes
Django 1.10.7 fixes two security issues and a bug in 1.10.6.
+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
+
Bugfixes
========
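Review bot: The context line above the new section says this release fixes two security issues, but only the CVE-2017-7234 section is added ahead of "Bugfixes" here. Confirm that the second security section lands in its own commit before release, and that the two sections appear in the same order in the 1.10.7, 1.9.13 and 1.8.18 notes.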
diff --git a/docs/releases/1.8.18.txt b/docs/releases/1.8.18.txt
index 92492c7825..7b1e08046c 100644
--- a/docs/releases/1.8.18.txt
+++ b/docs/releases/1.8.18.txt
@@ -5,3 +5,14 @@ Django 1.8.18 release notes
*April 4, 2017*
Django 1.8.18 fixes two security issues in 1.8.17.
+
+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
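Review bot: In the first added paragraph, "The view no longer does any redirects" says what was removed but not what a request that used to be redirected now receives. Add a short clause naming the new response so that anyone running the view as a development aid can recognise the behaviour change after upgrading.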
diff --git a/docs/releases/1.9.13.txt b/docs/releases/1.9.13.txt
index 42f22a8f00..f9d203eafe 100644
--- a/docs/releases/1.9.13.txt
+++ b/docs/releases/1.9.13.txt
@@ -7,6 +7,17 @@ Django 1.9.13 release notes
Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final
release of the 1.9.x series.
+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
+
Bugfixes
========
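Review bot: The closing paragraph refers to a warning the view "has always carried" without pointing to it. The :func: role in the first paragraph already links to the function reference; consider making the warning sentence point at that same documentation so readers of this final 1.9.x release note can find the guidance on production use directly.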