diff options
| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2018-09-13 15:08:41 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2018-10-01 10:15:50 +0200 |
| commit | c4bd5b597e0aa2432e4c867b86650f18af117851 (patch) | |
| tree | 616a47c2359a58c82d0f849f5ec1916203630689 /docs | |
| parent | f86100ab18c7940dc104b5c1a654780ede56df50 (diff) | |
Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.
Thanks Claude Paroz & Tim Graham for collaborating on the patch.
# Conflicts:
# tests/auth_tests/test_views.py
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/2.1.2.txt | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/docs/releases/2.1.2.txt b/docs/releases/2.1.2.txt index 55cc4bfca9..c0bcaf6b56 100644 --- a/docs/releases/2.1.2.txt +++ b/docs/releases/2.1.2.txt @@ -4,8 +4,17 @@ Django 2.1.2 release notes *Expected October 1, 2018* -Django 2.1.2 fixes several bugs in 2.1.1. Also, the latest string translations -from Transifex are incorporated. +Django 2.1.2 fixes a security issue and several bugs in 2.1.1. Also, the latest +string translations from Transifex are incorporated. + +CVE-2018-16984: Password hash disclosure to "view only" admin users +=================================================================== + +If an admin user has the change permission to the user model, only part of the +password hash is displayed in the change form. Admin users with the view (but +not change) permission to the user model were displayed the entire hash. While +it's typically infeasible to reverse a strong password hash, if your site uses +weaker password hashing algorithms such as MD5 or SHA1, it could be a problem. Bugfixes ======== |
