path: root/docs/topics/release-notes.md
author: Tom Christie, 2014-01-15 14:27:41 +0000
committer: Tom Christie, 2014-01-15 14:27:41 +0000
commit: 71c03b9db97edbde228777981de0ac7b664302de (patch)
tree: 502aa92a9fd4d111a87b7c76c1141123dff82ba1 /docs/topics/release-notes.md
parent: e9fda70b4ac86badbd5297f857126121472b7ec6 (diff)
Security update to OrderingFilter
2.3.12
Diffstat (limited to 'docs/topics/release-notes.md')
-rw-r--r-- docs/topics/release-notes.md | 7
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/topics/release-notes.md b/docs/topics/release-notes.md
index cd87c7b2..14503148 100644
--- a/docs/topics/release-notes.md
+++ b/docs/topics/release-notes.md
@@ -40,6 +40,13 @@ You can determine your currently installed version using `pip freeze`:
## 2.3.x series
+### 2.3.12
+
+**Date**: 15th January 2014
+
+* **Security fix**: `OrderingField` now only allows ordering on readable serializer fields, or on fields explicitly specified using `ordering_fields`. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.
+* Bugfix: `write_only = True` fields now display in the browsable API.
+
### 2.3.11
**Date**: 14th January 2014
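Review bot: The security-fix bullet under the new `### 2.3.12` heading names `OrderingField`, while the commit subject says the change is to OrderingFilter; the entry should use the same class name as the commit so that readers searching the release notes for the affected component find it. The bullet also describes a behaviour change (ordering is now restricted to readable serializer fields unless `ordering_fields` is set) without saying it can break existing clients that order by a field not exposed by the serializer, so a short upgrade sentence telling affected projects to list those fields in `ordering_fields` would help. As a style point, "Security fix" is bold and "Bugfix" is not; pick one convention for the labels in this entry.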