[1.9.x] Fixed CVE-2016-7401 -- Fixed CSRF protection bypass on a site with Google Analytics.

This is a security fix. Backport of "refs #26158 -- rewrote http.parse_cookie() to better match browsers." 93a135d111c2569d88d65a3f4ad9e6d9ad291452 from master
author: Collin Anderson <cmawebsite@gmail.com> 2016-03-11 21:36:08 -0500
committer: Tim Graham <timograham@gmail.com> 2016-09-26 12:54:36 -0400
commit: d1bc980db1c0fffd6d60677e62f70beadb9fe64a (patch)
tree: b8b80839fe39268bc01f4f39c3930ab5b55aaadf /docs
parent: 07760d07146816bd9aa32786891bb24f467d713d (diff)
3 files changed, 38 insertions, 0 deletions
diff --git a/docs/releases/1.8.15.txt b/docs/releases/1.8.15.txt
new file mode 100644
index 0000000000..e977cffbab
--- /dev/null
+++ b/docs/releases/1.8.15.txt
@@ -0,0 +1,18 @@
+===========================
+Django 1.8.15 release notes
+===========================
+
+*September 26, 2016*
+
+Django 1.8.15 fixes a security issue in 1.8.14.
+
+CSRF protection bypass on a site with Google Analytics
+======================================================
+
+An interaction between Google Analytics and Django's cookie parsing could allow
+an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
+
+The parser for ``request.COOKIES`` is simplified to better match the behavior
+of browsers and to mitigate this attack. ``request.COOKIES`` may now contain
+cookies that are invalid according to :rfc:`6265` but are possible to set via
+``document.cookie``.
diff --git a/docs/releases/1.9.10.txt b/docs/releases/1.9.10.txt
new file mode 100644
index 0000000000..6321cd8d03
--- /dev/null
+++ b/docs/releases/1.9.10.txt
@@ -0,0 +1,18 @@
+===========================
+Django 1.9.10 release notes
+===========================
+
+*September 26, 2016*
+
+Django 1.9.10 fixes a security issue in 1.9.9.
+
+CSRF protection bypass on a site with Google Analytics
+======================================================
+
+An interaction between Google Analytics and Django's cookie parsing could allow
+an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
+
+The parser for ``request.COOKIES`` is simplified to better match the behavior
+of browsers and to mitigate this attack. ``request.COOKIES`` may now contain
+cookies that are invalid according to :rfc:`6265` but are possible to set via
+``document.cookie``.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index f0d3c3c852..b9cce6a608 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   1.9.10
    1.9.9
    1.9.8
    1.9.7
@@ -41,6 +42,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
    :maxdepth: 1
 
+   1.8.15
    1.8.14
    1.8.13
    1.8.12
author	Collin Anderson <cmawebsite@gmail.com>	2016-03-11 21:36:08 -0500
committer	Tim Graham <timograham@gmail.com>	2016-09-26 12:54:36 -0400
commit	d1bc980db1c0fffd6d60677e62f70beadb9fe64a (patch)
tree	b8b80839fe39268bc01f4f39c3930ab5b55aaadf /docs
parent	07760d07146816bd9aa32786891bb24f467d713d (diff)