From e6accccfff769be15f577c45b31737a8a097bb06 Mon Sep 17 00:00:00 2001 From: Matt Westcott Date: Mon, 4 May 2020 10:28:39 +0100 Subject: [PATCH] Release note for 2.7.3 --- CHANGELOG.txt | 6 ++++++ docs/releases/2.7.3.rst | 10 ++++++++++ docs/releases/index.rst | 1 + 3 files changed, 17 insertions(+) create mode 100644 docs/releases/2.7.3.rst diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 62b63fe2e7..f1a20af5da 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -122,6 +122,12 @@ Changelog * Fix: Make sure all modal chooser search results correspond to the latest search by canceling previous requests (Esper Kuijs) +2.7.3 (04.05.2020) +~~~~~~~~~~~~~~~~~~ + + * Fix: CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas) + + 2.7.2 (14.04.2020) ~~~~~~~~~~~~~~~~~~ diff --git a/docs/releases/2.7.3.rst b/docs/releases/2.7.3.rst new file mode 100644 index 0000000000..4f09be4772 --- /dev/null +++ b/docs/releases/2.7.3.rst @@ -0,0 +1,10 @@ +=========================== +Wagtail 2.7.3 release notes +=========================== + +CVE-2020-11037: Potential timing attack on password-protected private pages +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is `understood to be feasible on a local network, but not on the public internet `_.) + +Many thanks to Thibaud Colas for reporting this issue. diff --git a/docs/releases/index.rst b/docs/releases/index.rst index 680d2ccb15..d655a3abfc 100644 --- a/docs/releases/index.rst +++ b/docs/releases/index.rst @@ -9,6 +9,7 @@ Release notes 2.9 2.8.1 2.8 + 2.7.3 2.7.2 2.7.1 2.7