[1.9.x] Fixed CVE-2016-9013 -- Generated a random database user password when running tests on Oracle.

This is a security fix.

3 files changed, 34 insertions, 1 deletions

diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index a139f21eba..63aca2e978 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -814,7 +814,12 @@ Default: ``None``
 This is an Oracle-specific setting.
 
 The password to use when connecting to the Oracle database that will be used
-when running tests. If not provided, Django will use a hardcoded default value.
+when running tests. If not provided, Django will generate a random password.
+
+.. versionchanged:: 1.9.11
+
+    Older versions used a hardcoded default password. This was also changed
+    in 1.8.16 to fix possible security implications.
 
 .. setting:: TEST_TBLSPACE
 
diff --git a/docs/releases/1.8.16.txt b/docs/releases/1.8.16.txt
index b650340330..aa5d9cccea 100644
--- a/docs/releases/1.8.16.txt
+++ b/docs/releases/1.8.16.txt
@@ -5,3 +5,17 @@ Django 1.8.16 release notes
 *November 1, 2016*
 
 Django 1.8.16 fixes two security issues in 1.8.15.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
diff --git a/docs/releases/1.9.11.txt b/docs/releases/1.9.11.txt
index 664a52d1a2..3c29187e86 100644
--- a/docs/releases/1.9.11.txt
+++ b/docs/releases/1.9.11.txt
@@ -5,3 +5,17 @@ Django 1.9.11 release notes
 *November 1, 2016*
 
 Django 1.9.11 fixes two security issues in 1.9.10.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.