kopia lustrzana https://github.com/wagtail/wagtail
Release note for 2.8.2
rodzic
e6accccfff
commit
f26d8ee72a
|
@ -78,6 +78,12 @@ Changelog
|
|||
* Fix: Fixed incorrect language code for Japanese in language setting dropdown (Tomonori Tanabe)
|
||||
|
||||
|
||||
2.8.2 (04.05.2020)
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
* Fix: CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)
|
||||
|
||||
|
||||
2.8.1 (14.04.2020)
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
===========================
|
||||
Wagtail 2.8.2 release notes
|
||||
===========================
|
||||
|
||||
CVE-2020-11037: Potential timing attack on password-protected private pages
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
This release addresses a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is `understood to be feasible on a local network, but not on the public internet <https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ>`_.)
|
||||
|
||||
Many thanks to Thibaud Colas for reporting this issue.
|
Ładowanie…
Reference in New Issue