diff options
| author | Jake Howard <git@theorangeone.net> | 2026-04-30 13:59:08 +0100 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2026-06-03 08:37:26 -0300 |
| commit | df887f50198593a0e5b4638bfddbbd43a30fd276 (patch) | |
| tree | fa6c8e4980ed176ab9cea3b6b7a6077b5f2186dc /docs | |
| parent | 70d36515b9cc71700105a14b275583070d48b689 (diff) | |
Fixed CVE-2026-7666 -- Delayed setting SMTP connection until fully configured.
Thanks Kasper Dupont for the report, and Jacob Walls and Natalia Bidart
for reviews.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/5.2.15.txt | 13 | ||||
| -rw-r--r-- | docs/releases/6.0.6.txt | 13 |
2 files changed, 26 insertions, 0 deletions
diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt index 3659714a08..14796f8581 100644 --- a/docs/releases/5.2.15.txt +++ b/docs/releases/5.2.15.txt @@ -22,3 +22,16 @@ cookies immediately. This issue has severity "low" according to the :ref:`Django security policy <severity-levels>`. + +CVE-2026-7666: Potential unencrypted email transmission via ``STARTTLS`` in the SMTP backend +============================================================================================ + +When using :setting:`EMAIL_USE_TLS`, a failed ``STARTTLS`` handshake could +leave a partially-initialized connection that would subsequently be reused for +sending email without encryption. This can occur with ``fail_silently=True``, +as used by :func:`~django.core.mail.send_mail` and +:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`, among others. +Connections configured with :setting:`EMAIL_USE_SSL` are not affected. + +This issue has severity "low" according to the :ref:`Django security policy +<severity-levels>`. diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt index dcd63121fc..20ae1db93c 100644 --- a/docs/releases/6.0.6.txt +++ b/docs/releases/6.0.6.txt @@ -24,6 +24,19 @@ cookies immediately. This issue has severity "low" according to the :ref:`Django security policy <severity-levels>`. +CVE-2026-7666: Potential unencrypted email transmission via ``STARTTLS`` in the SMTP backend +============================================================================================ + +When using :setting:`EMAIL_USE_TLS`, a failed ``STARTTLS`` handshake could +leave a partially-initialized connection that would subsequently be reused for +sending email without encryption. This can occur with ``fail_silently=True``, +as used by :func:`~django.core.mail.send_mail` and +:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`, among others. +Connections configured with :setting:`EMAIL_USE_SSL` are not affected. + +This issue has severity "low" according to the :ref:`Django security policy +<severity-levels>`. + Bugfixes ======== |
