diff --git a/docs/releases/security.txt b/docs/releases/security.txt index 28b4f37afc..5d2793bb02 100644 --- a/docs/releases/security.txt +++ b/docs/releases/security.txt @@ -693,8 +693,8 @@ Versions affected * Django 1.8 `(patch) `__ * Django 1.7 `(patch) `__ -February 1, 2016 -- CVE-2016-2048 ---------------------------------- +February 1, 2016 - CVE-2016-2048 +-------------------------------- `CVE-2016-2048 `_: User with "change" but not "add" permission can create objects for ``ModelAdmin``’s with ``save_as=True``. @@ -704,3 +704,29 @@ Versions affected ~~~~~~~~~~~~~~~~~ * Django 1.9 `(patch) `__ + +March 1, 2016 - CVE-2016-2512 +----------------------------- + +`CVE-2016-2512 `_: +Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. +`Full description `__ + +Versions affected +~~~~~~~~~~~~~~~~~ + +* Django 1.9 `(patch) `__ +* Django 1.8 `(patch) `__ + +March 1, 2016 - CVE-2016-2513 +----------------------------- + +`CVE-2016-2513 `_: +User enumeration through timing difference on password hasher work factor upgrade. +`Full description `__ + +Versions affected +~~~~~~~~~~~~~~~~~ + +* Django 1.9 `(patch) `__ +* Django 1.8 `(patch) `__
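Review bot: In the hunk at @@ -693,8, only the CVE-2016-2048 heading has its separator changed from "--" to "-", so please confirm that the other dated headings in security.txt already use the single-hyphen form. If they do not, convert them in the same commit so the file does not end up with both styles. The shortened underline matches the new 32-character title, so the reST heading itself is valid. Since this is a formatting cleanup bundled with two new advisories, a mention in the commit message would help anyone reading the history later.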
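Review bot: In the hunk at @@ -704,3, the summary lines added for CVE-2016-2512 ("Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth.") and CVE-2016-2513 ("User enumeration through timing difference on password hasher work factor upgrade.") are each a single line of 97 and 82 characters. Wrap them at the column width used by the rest of the file. The 2512 summary would also read more clearly as "containing basic authentication credentials" than as "containing basic auth", because the entry is the first thing an administrator scanning this archive will see. Both new entries list Django 1.9 and 1.8 under "Versions affected"; check that this matches the release announcement, as the archive is what people consult when deciding whether an older deployment needs the patch.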