[1.11.x] Fixed CVE-2018-6188 -- Fixed information leakage in AuthenticationForm.

Reverted 359370a8b8ca0efe99b1d4630b291ec060b69225 (refs #28645).

This is a security fix.

1 files changed, 21 insertions, 2 deletions

diff --git a/docs/releases/1.11.10.txt b/docs/releases/1.11.10.txt
index cfa8fc2070..96f07920a3 100644
--- a/docs/releases/1.11.10.txt
+++ b/docs/releases/1.11.10.txt
@@ -2,9 +2,28 @@
 Django 1.11.10 release notes
 ============================
 
-*Expected February 1, 2018*
+*February 1, 2018*
 
-Django 1.11.10 fixes several bugs in 1.11.9.
+Django 1.11.10 fixes a security issue and several bugs in 1.11.9.
+
+CVE-2018-6188: Information leakage in ``AuthenticationForm``
+============================================================
+
+A regression in Django 1.11.8 made
+:class:`~django.contrib.auth.forms.AuthenticationForm` run its
+``confirm_login_allowed()`` method even if an incorrect password is entered.
+This can leak information about a user, depending on what messages
+``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
+overridden, an attacker enter an arbitrary username and see if that user has
+been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
+more sensitive details could be leaked.
+
+This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
+raise the "This account is inactive." error if the authentication backend
+rejects inactive users (the default authentication backend, ``ModelBackend``,
+has done that since Django 1.10). This issue will be revisited for Django 2.1
+as a fix to address the caveat will likely be too invasive for inclusion in
+older versions.
 
 Bugfixes
 ========