mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-03 02:23:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixed CVE-2020-13254 -- Enforced cache key validation in memcached backends.

Browse source
This commit is contained in:
Dan Palmer 2020-05-20 11:45:31 +02:00 committed by Carlton Gibson
parent 2dd4d110c1
commit 2c82414914
6 changed files with 66 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

8
docs/releases/2.2.13.txt
View file

@ -6,6 +6,14 @@ Django 2.2.13 release notes
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
CVE-2020-13254: Potential data leakage via malformed memcached keys
===================================================================
In cases where a memcached backend does not perform key validation, passing
malformed cache keys could result in a key collision, and potential data
leakage. In order to avoid this vulnerability, key validation is added to the
memcached cache backends.
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================

8
docs/releases/3.0.7.txt
View file

@ -6,6 +6,14 @@ Django 3.0.7 release notes
Django 3.0.7 fixes two security issues and several bugs in 3.0.6.
CVE-2020-13254: Potential data leakage via malformed memcached keys
===================================================================
In cases where a memcached backend does not perform key validation, passing
malformed cache keys could result in a key collision, and potential data
leakage. In order to avoid this vulnerability, key validation is added to the
memcached cache backends.
CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
================================================================