Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
CityApper
/
django
zrkadlo https://github.com/django/django
2
0
Fork 0
Súbory Issues 0 Wiki
Strom: c17cd151d8
Branche Tagy
django
/
docs
/
releases
/
security.txt

security.txt 20 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501 
  1. .. _security-releases:
    2. 

  2. 

  3. ==========================
    4. 

  4. Archive of security issues
    5. 

  5. ==========================
    6. 

  6. 

  7. Django's development team is strongly committed to responsible
    8. 

  8. reporting and disclosure of security-related issues, as outlined in
    9. 

  9. :doc:`Django's security policies </internals/security>`.
    10. 

  10. 

  11. As part of that commitment, we maintain the following historical list
    12. 

  12. of issues which have been fixed and disclosed. For each issue, the
    13. 

  13. list below includes the date, a brief description, the `CVE identifier
    14. 

  14. <http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`_
    15. 

  15. if applicable, a list of affected versions, a link to the full
    16. 

  16. disclosure and links to the appropriate patch(es).
    17. 

  17. 

  18. Some important caveats apply to this information:
    19. 

  19. 

  20. * Lists of affected versions include only those versions of Django
    21. 

  21.   which had stable, security-supported releases at the time of
    22. 

  22.   disclosure. This means older versions (whose security support had
    23. 

  23.   expired) and versions which were in pre-release (alpha/beta/RC)
    24. 

  24.   states at the time of disclosure may have been affected, but are not
    25. 

  25.   listed.
    26. 

  26. 

  27. * The Django project has on occasion issued security advisories,
    28. 

  28.   pointing out potential security problems which can arise from
    29. 

  29.   improper configuration or from other issues outside of Django
    30. 

  30.   itself. Some of these advisories have received CVEs; when that is
    31. 

  31.   the case, they are listed here, but as they have no accompanying
    32. 

  32.   patches or releases, only the description, disclosure and CVE will
    33. 

  33.   be listed.
    34. 

  34. 

  35. 

  36. Issues prior to Django's security process
    37. 

  37. =========================================
    38. 

  38. 

  39. Some security issues were handled before Django had a formalized
    40. 

  40. security process in use. For these, new releases may not have been
    41. 

  41. issued at the time and CVEs may not have been assigned.
    42. 

  42. 

  43. 

  44. August 16, 2006 - CVE-2007-0404
    45. 

  45. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    46. 

  46. 

  47. `CVE-2007-0404 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
    48. 

  48. 

  49. Versions affected
    50. 

  50. -----------------
    51. 

  51. 

  52. * Django 0.90 `(patch) <https://github.com/django/django/commit/518d406e53>`__
    53. 

  53. 

  54. * Django 0.91 `(patch) <https://github.com/django/django/commit/518d406e53>`__
    55. 

  55. 

  56. * Django 0.95 `(patch) <https://github.com/django/django/commit/a132d411c6>`__ (released January 21 2007)
    57. 

  57. 

  58. January 21, 2007 - CVE-2007-0405
    59. 

  59. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    60. 

  60. 

  61. `CVE-2007-0405 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
    62. 

  62. 

  63. Versions affected
    64. 

  64. -----------------
    65. 

  65. 

  66. * Django 0.95 `(patch) <https://github.com/django/django/commit/e89f0a6558>`__
    67. 

  67. 

  68. Issues under Django's security process
    69. 

  69. ======================================
    70. 

  70. 

  71. All other security issues have been handled under versions of Django's
    72. 

  72. security process. These are listed below.
    73. 

  73. 

  74. October 26, 2007 - CVE-2007-5712
    75. 

  75. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    76. 

  76. 

  77. `CVE-2007-5712 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
    78. 

  78. 

  79. Versions affected
    80. 

  80. -----------------
    81. 

  81. 

  82. * Django 0.91 `(patch) <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__
    83. 

  83. 

  84. * Django 0.95 `(patch) <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__
    85. 

  85. 

  86. * Django 0.96 `(patch) <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__
    87. 

  87. 

  88. 

  89. May 14, 2008 - CVE-2008-2302
    90. 

  90. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    91. 

  91. 

  92. `CVE-2008-2302 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
    93. 

  93. 

  94. Versions affected
    95. 

  95. -----------------
    96. 

  96. 

  97. * Django 0.91 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
    98. 

  98. 

  99. * Django 0.95 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
    100. 

  100. 

  101. * Django 0.96 `(patch) <https://github.com/django/django/commit/7791e5c050>`__
    102. 

  102. 

  103. 

  104. September 2, 2008 - CVE-2008-3909
    105. 

  105. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    106. 

  106. 

  107. `CVE-2008-3909 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
    108. 

  108. 

  109. Versions affected
    110. 

  110. -----------------
    111. 

  111. 

  112. * Django 0.91 `(patch) <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__
    113. 

  113. 

  114. * Django 0.95 `(patch) <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__
    115. 

  115. 

  116. * Django 0.96 `(patch) <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__
    117. 

  117. 

  118. July 28, 2009 - CVE-2009-2659
    119. 

  119. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    120. 

  120. 

  121. `CVE-2009-2659 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
    122. 

  122. 

  123. Versions affected
    124. 

  124. -----------------
    125. 

  125. 

  126. * Django 0.96 `(patch) <https://github.com/django/django/commit/da85d76fd6>`__
    127. 

  127. 

  128. * Django 1.0 `(patch) <https://github.com/django/django/commit/df7f917b7f>`__
    129. 

  129. 

  130. October 9, 2009 - CVE-2009-3965
    131. 

  131. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    132. 

  132. 

  133. `CVE-2009-3965 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
    134. 

  134. 

  135. Versions affected
    136. 

  136. -----------------
    137. 

  137. 

  138. * Django 1.0 `(patch) <https://github.com/django/django/commit/594a28a904>`__
    139. 

  139. 

  140. * Django 1.1 `(patch) <https://github.com/django/django/commit/e3e992e18b>`__
    141. 

  141. 

  142. September 8, 2010 - CVE-2010-3082
    143. 

  143. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    144. 

  144. 

  145. `CVE-2010-3082 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
    146. 

  146. 

  147. Versions affected
    148. 

  148. -----------------
    149. 

  149. 

  150. * Django 1.2 `(patch) <https://github.com/django/django/commit/7f84657b6b>`__
    151. 

  151. 

  152. 

  153. December 22, 2010 - CVE-2010-4534
    154. 

  154. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    155. 

  155. 

  156. `CVE-2010-4534 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
    157. 

  157. 

  158. Versions affected
    159. 

  159. -----------------
    160. 

  160. 

  161. * Django 1.1 `(patch) <https://github.com/django/django/commit/17084839fd>`__
    162. 

  162. 

  163. * Django 1.2 `(patch) <https://github.com/django/django/commit/85207a245b>`__
    164. 

  164. 

  165. December 22, 2010 - CVE-2010-4535
    166. 

  166. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    167. 

  167. 

  168. `CVE-2010-4535 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
    169. 

  169. 

  170. Versions affected
    171. 

  171. -----------------
    172. 

  172. 

  173. * Django 1.1 `(patch) <https://github.com/django/django/commit/7f8dd9cbac>`__
    174. 

  174. 

  175. * Django 1.2 `(patch) <https://github.com/django/django/commit/d5d8942a16>`__
    176. 

  176. 

  177. 

  178. February 8, 2011 - CVE-2011-0696
    179. 

  179. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    180. 

  180. 

  181. `CVE-2011-0696 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
    182. 

  182. 

  183. Versions affected
    184. 

  184. -----------------
    185. 

  185. 

  186. * Django 1.1 `(patch) <https://github.com/django/django/commit/408c5c873c>`__
    187. 

  187. 

  188. * Django 1.2 `(patch) <https://github.com/django/django/commit/818e70344e>`__
    189. 

  189. 

  190. 

  191. February 8, 2011 - CVE-2011-0697
    192. 

  192. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    193. 

  193. 

  194. `CVE-2011-0697 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
    195. 

  195. 

  196. Versions affected
    197. 

  197. -----------------
    198. 

  198. 

  199. * Django 1.1 `(patch) <https://github.com/django/django/commit/1966786d2d>`__
    200. 

  200. 

  201. * Django 1.2 `(patch) <https://github.com/django/django/commit/1f814a9547>`__
    202. 

  202. 

  203. February 8, 2011 - CVE-2011-0698
    204. 

  204. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    205. 

  205. 

  206. `CVE-2011-0698 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
    207. 

  207. 

  208. Versions affected
    209. 

  209. -----------------
    210. 

  210. 

  211. * Django 1.1 `(patch) <https://github.com/django/django/commit/570a32a047>`__
    212. 

  212. 

  213. * Django 1.2 `(patch) <https://github.com/django/django/commit/194566480b>`__
    214. 

  214. 

  215. 

  216. September 9, 2011 - CVE-2011-4136
    217. 

  217. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    218. 

  218. 

  219. `CVE-2011-4136 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
    220. 

  220. 

  221. Versions affected
    222. 

  222. -----------------
    223. 

  223. 

  224. * Django 1.2 `(patch) <https://github.com/django/django/commit/ac7c3a110f>`__
    225. 

  225. 

  226. * Django 1.3 `(patch) <https://github.com/django/django/commit/fbe2eead2f>`__
    227. 

  227. 

  228. September 9, 2011 - CVE-2011-4137
    229. 

  229. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    230. 

  230. 

  231. `CVE-2011-4137 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
    232. 

  232. 

  233. Versions affected
    234. 

  234. -----------------
    235. 

  235. 

  236. * Django 1.2 `(patch) <https://github.com/django/django/commit/7268f8af86>`__
    237. 

  237. 

  238. * Django 1.3 `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
    239. 

  239. 

  240. September 9, 2011 - CVE-2011-4138
    241. 

  241. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    242. 

  242. 

  243. `CVE-2011-4138 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
    244. 

  244. 

  245. Versions affected
    246. 

  246. -----------------
    247. 

  247. 

  248. * Django 1.2: `(patch) <https://github.com/django/django/commit/7268f8af86>`__
    249. 

  249. 

  250. * Django 1.3: `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
    251. 

  251. 

  252. September 9, 2011 - CVE-2011-4139
    253. 

  253. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    254. 

  254. 

  255. `CVE-2011-4139 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
    256. 

  256. 

  257. Versions affected
    258. 

  258. -----------------
    259. 

  259. 

  260. * Django 1.2 `(patch) <https://github.com/django/django/commit/c613af4d64>`__
    261. 

  261. 

  262. * Django 1.3 `(patch) <https://github.com/django/django/commit/2f7fadc38e>`__
    263. 

  263. 

  264. September 9, 2011 - CVE-2011-4140
    265. 

  265. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    266. 

  266. 

  267. `CVE-2011-4140 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&cid=2>`_: Potential CSRF via ``Host`` header.  `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
    268. 

  268. 

  269. Versions affected
    270. 

  270. -----------------
    271. 

  271. 

  272. This notification was an advisory only, so no patches were issued.
    273. 

  273. 

  274. * Django 1.2
    275. 

  275. 

  276. * Django 1.3
    277. 

  277. 

  278. 

  279. July 30, 2012 - CVE-2012-3442
    280. 

  280. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    281. 

  281. 

  282. `CVE-2012-3442 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&cid=2>`_: XSS via failure to validate redirect scheme. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
    283. 

  283. 

  284. Versions affected
    285. 

  285. -----------------
    286. 

  286. 

  287. * Django 1.3: `(patch) <https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d>`__
    288. 

  288. 

  289. * Django 1.4: `(patch) <https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1>`__
    290. 

  290. 

  291. 

  292. July 30, 2012 - CVE-2012-3443
    293. 

  293. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    294. 

  294. 

  295. `CVE-2012-3443 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&cid=2>`_: Denial-of-service via compressed image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
    296. 

  296. 

  297. Versions affected
    298. 

  298. -----------------
    299. 

  299. 

  300. * Django 1.3: `(patch) <https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446>`__
    301. 

  301. 

  302. * Django 1.4: `(patch) <https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141>`__
    303. 

  303. 

  304. 

  305. July 30, 2012 - CVE-2012-3444
    306. 

  306. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    307. 

  307. 

  308. `CVE-2012-3444 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&cid=2>`_: Denial-of-service via large image files. `Full description <https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/>`__
    309. 

  309. 

  310. Versions affected
    311. 

  311. -----------------
    312. 

  312. 

  313. * Django 1.3 `(patch) <https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155>`__
    314. 

  314. 

  315. * Django 1.4 `(patch) <https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6>`__
    316. 

  316. 

  317. 

  318. October 17, 2012 - CVE-2012-4520
    319. 

  319. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    320. 

  320. 

  321. `CVE-2012-4520 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&cid=2>`_: ``Host`` header poisoning. `Full description <https://www.djangoproject.com/weblog/2012/oct/17/security/>`__
    322. 

  322. 

  323. Versions affected
    324. 

  324. -----------------
    325. 

  325. 

  326. * Django 1.3 `(patch) <https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071>`__
    327. 

  327. 

  328. * Django 1.4 `(patch) <https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3>`__
    329. 

  329. 

  330. 

  331. December 10, 2012 - No CVE 1
    332. 

  332. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    333. 

  333. 

  334. Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
    335. 

  335. 

  336. Versions affected
    337. 

  337. -----------------
    338. 

  338. 

  339. * Django 1.3 `(patch) <https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b>`__
    340. 

  340. 

  341. * Django 1.4 `(patch) <https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09>`__
    342. 

  342. 

  343. 

  344. December 10, 2012 - No CVE 2
    345. 

  345. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    346. 

  346. 

  347. Additional hardening of redirect validation. `Full description <https://www.djangoproject.com/weblog/2012/dec/10/security/>`__
    348. 

  348. 

  349. Versions affected
    350. 

  350. -----------------
    351. 

  351. 

  352.     * Django 1.3: `(patch) <https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343>`__
    353. 

  353. 

  354.     * Django 1.4: `(patch) <https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652>`__
    355. 

  355. 

  356. February 19, 2013 - No CVE
    357. 

  357. ~~~~~~~~~~~~~~~~~~~~~~~~~~
    358. 

  358. 

  359. Additional hardening of ``Host`` header handling. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
    360. 

  360. 

  361. Versions affected
    362. 

  362. -----------------
    363. 

  363. 

  364. * Django 1.3 `(patch) <https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253>`__
    365. 

  365. 

  366. * Django 1.4 `(patch) <https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8>`__
    367. 

  367. 

  368. February 19, 2013 - CVE-2013-1664/1665
    369. 

  369. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    370. 

  370. 

  371. `CVE-2013-1664 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&cid=2>`_ and `CVE-2013-1665 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&cid=2>`_: Entity-based attacks against Python XML libraries. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
    372. 

  372. 

  373. Versions affected
    374. 

  374. -----------------
    375. 

  375. 

  376. * Django 1.3 `(patch) <https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112>`__
    377. 

  377. 

  378. * Django 1.4 `(patch) <https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40>`__
    379. 

  379. 

  380. February 19, 2013 - CVE-2013-0305
    381. 

  381. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    382. 

  382. 

  383. `CVE-2013-0305 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&cid=2>`_: Information leakage via admin history log.  `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
    384. 

  384. 

  385. Versions affected
    386. 

  386. -----------------
    387. 

  387. 

  388. * Django 1.3 `(patch) <https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35>`__
    389. 

  389. 

  390. * Django 1.4 `(patch) <https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6>`__
    391. 

  391. 

  392. 

  393. February 19, 2013 - CVE-2013-0306
    394. 

  394. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    395. 

  395. 

  396. `CVE-2013-0306 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&cid=2>`_: Denial-of-service via formset ``max_num`` bypass. `Full description <https://www.djangoproject.com/weblog/2013/feb/19/security/>`__
    397. 

  397. 

  398. Versions affected
    399. 

  399. -----------------
    400. 

  400. 

  401. * Django 1.3 `(patch) <https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727>`__
    402. 

  402. 

  403. * Django 1.4 `(patch) <https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0>`__
    404. 

  404. 

  405. August 13, 2013 - Awaiting CVE 1
    406. 

  406. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    407. 

  407. 

  408. (CVE not yet issued): XSS via admin trusting ``URLField`` values. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
    409. 

  409. 

  410. Versions affected
    411. 

  411. -----------------
    412. 

  412. 

  413. * Django 1.5 `(patch) <https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78>`__
    414. 

  414. 

  415. August 13, 2013 - Awaiting CVE 2
    416. 

  416. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    417. 

  417. 

  418. (CVE not yet issued): Possible XSS via unvalidated URL redirect schemes. `Full description <https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/>`__
    419. 

  419. 

  420. Versions affected
    421. 

  421. -----------------
    422. 

  422. 

  423. * Django 1.4 `(patch) <https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a>`__
    424. 

  424. 

  425. * Django 1.5 `(patch) <https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f>`__
    426. 

  426. 

  427. September 10, 2013 - CVE-2013-4315
    428. 

  428. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    429. 

  429. 

  430. `CVE-2013-4315 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&cid=2>`_ Directory-traversal via ``ssi`` template tag. `Full description <https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/>`__
    431. 

  431. 

  432. Versions affected
    433. 

  433. -----------------
    434. 

  434. 

  435. * Django 1.4 `(patch) <https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896>`__
    436. 

  436. 

  437. * Django 1.5 `(patch) <https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca>`__
    438. 

  438. 

  439. 

  440. September 14, 2013 - CVE-2013-1443
    441. 

  441. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    442. 

  442. 

  443. CVE-2013-1443: Denial-of-service via large passwords. `Full description <https://www.djangoproject.com/weblog/2013/sep/15/security/>`__
    444. 

  444. 

  445. Versions affected
    446. 

  446. -----------------
    447. 

  447. 

  448. * Django 1.4 `(patch <https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368>`__ and `Python compatibility fix) <https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714>`__
    449. 

  449. 

  450. * Django 1.5 `(patch) <https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc>`__
    451. 

  451. 

  452. 

  453. April 21, 2014 - CVE-2014-2014-0472
    454. 

  454. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    455. 

  455. 

  456. `CVE-2014-0472 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472&cid=2>`_: Unexpected code execution using ``reverse()``. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`_
    457. 

  457. 

  458. Versions affected
    459. 

  459. -----------------
    460. 

  460. 

  461. * Django 1.4 `(patch) <https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535>`__
    462. 

  462. 

  463. * Django 1.5 `(patch) <https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1>`__
    464. 

  464. 

  465. * Django 1.6 `(patch) <https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b>`__
    466. 

  466. 

  467. * Django 1.7 `(patch) <https://github.com/django/django/commit/546740544d7f69254a67b06a3fc7fa0c43512958>`__
    468. 

  468. 

  469. 

  470. April 21, 2014 - CVE-2014-2014-0473
    471. 

  471. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    472. 

  472. 

  473. `CVE-2014-0473 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0473&cid=2>`_: Caching of anonymous pages could reveal CSRF token. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`_
    474. 

  474. 

  475. Versions affected
    476. 

  476. -----------------
    477. 

  477. 

  478. * Django 1.4 `(patch) <https://github.com/django/django/commit/1170f285ddd6a94a65f911a27788ba49ca08c0b0>`__
    479. 

  479. 

  480. * Django 1.5 `(patch) <https://github.com/django/django/commit/6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8>`__
    481. 

  481. 

  482. * Django 1.6 `(patch) <https://github.com/django/django/commit/d63e20942f3024f24cb8cd85a49461ba8a9b6736>`__
    483. 

  483. 

  484. * Django 1.7 `(patch) <https://github.com/django/django/commit/380545bf85cbf17fc698d136815b7691f8d023ca>`__
    485. 

  485. 

  486. 

  487. April 21, 2014 - CVE-2014-2014-0474
    488. 

  488. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    489. 

  489. 

  490. `CVE-2014-0474 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474&cid=2>`_: MySQL typecasting causes unexpected query results. `Full description <https://www.djangoproject.com/weblog/2014/apr/21/security/>`_
    491. 

  491. 

  492. Versions affected
    493. 

  493. -----------------
    494. 

  494. 

  495. * Django 1.4 `(patch) <https://github.com/django/django/commit/aa80f498de6d687e613860933ac58433ab71ea4b>`__
    496. 

  496. 

  497. * Django 1.5 `(patch) <https://github.com/django/django/commit/985434fb1d6bf2335bf96c6ebf91c3674f1f399f>`__
    498. 

  498. 

  499. * Django 1.6 `(patch) <https://github.com/django/django/commit/5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292>`__
    500. 

  500. 

  501. * Django 1.7 `(patch) <https://github.com/django/django/commit/34526c2f56b863c2103655a0893ac801667e86ea>`__
    502.