mirror of
https://github.com/django/django.git
synced 2024-11-29 14:46:18 +01:00
da7910d483
This is a security fix.
22 lines
849 B
Plaintext
22 lines
849 B
Plaintext
===========================
|
|
Django 1.8.16 release notes
|
|
===========================
|
|
|
|
*November 1, 2016*
|
|
|
|
Django 1.8.16 fixes two security issues in 1.8.15.
|
|
|
|
User with hardcoded password created when running tests on Oracle
|
|
=================================================================
|
|
|
|
When running tests with an Oracle database, Django creates a temporary database
|
|
user. In older versions, if a password isn't manually specified in the database
|
|
settings ``TEST`` dictionary, a hardcoded password is used. This could allow
|
|
an attacker with network access to the database server to connect.
|
|
|
|
This user is usually dropped after the test suite completes, but not when using
|
|
the ``manage.py test --keepdb`` option or if the user has an active session
|
|
(such as an attacker's connection).
|
|
|
|
A randomly generated password is now used for each test run.
|