From 24fc9352183c449a8b11d1c7b442e70aa61a8800 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Tue, 1 Mar 2016 12:32:42 -0500 Subject: [PATCH] Added CVE-2016-2512/2513 to security release archive. --- docs/releases/security.txt | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/docs/releases/security.txt b/docs/releases/security.txt index ddb4871a7b..c8d29ef7ba 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -691,8 +691,8 @@ Versions affected * Django 1.8 `(patch) `__ * Django 1.7 `(patch) `__ -February 1, 2016 -- CVE-2016-2048 ---------------------------------- +February 1, 2016 - CVE-2016-2048 +-------------------------------- `CVE-2016-2048 `_: User with "change" but not "add" permission can create objects for ``ModelAdmin``’s with ``save_as=True``. @@ -702,3 +702,29 @@ Versions affected ~~~~~~~~~~~~~~~~~ * Django 1.9 `(patch) `__ + +March 1, 2016 - CVE-2016-2512 +----------------------------- + +`CVE-2016-2512 `_: +Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. +`Full description `__ + +Versions affected +~~~~~~~~~~~~~~~~~ + +* Django 1.9 `(patch) `__ +* Django 1.8 `(patch) `__ + +March 1, 2016 - CVE-2016-2513 +----------------------------- + +`CVE-2016-2513 `_: +User enumeration through timing difference on password hasher work factor upgrade. +`Full description `__ + +Versions affected +~~~~~~~~~~~~~~~~~ + +* Django 1.9 `(patch) `__ +* Django 1.8 `(patch) `__
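Review bot: In the first hunk (the CVE-2016-2048 heading), the underline is shortened by exactly one character together with the heading text; that is required, since reStructuredText only recognises a section title when the underline is at least as long as the title, so the two lengths should be rechecked before merge. The change itself is cosmetic and brings this entry into line with the single-dash `<date> - <CVE>` form used by the entries added further down; if any earlier headings in this file still use the double-dash form, they should receive the same treatment in a follow-up so the archive stays uniform.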
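Review bot: For the second hunk, the `(patch)` and `Full description` anonymous hyperlinks (the `` `...`__ `` entries) must each carry a concrete target; as rendered here the targets are not visible, so confirm every one of the six links resolves, since a target-less anonymous reference is a build error in Sphinx and a dead link in a security archive is worse than no link. The two new entries otherwise follow the established layout of the entries above them (date heading, named CVE link, one-line summary, "Full description" link, "Versions affected" subsection listing 1.9 and 1.8 with per-version patch links). One wording suggestion for the CVE-2016-2512 summary: "containing basic auth" would be clearer to readers as "containing basic-auth credentials (``user:password@host``)", so that the affected URL shape is obvious without following the link.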