summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorCarlton Gibson <carlton.gibson@noumenal.es>2018-09-13 15:08:41 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2018-10-01 10:15:50 +0200
commitc4bd5b597e0aa2432e4c867b86650f18af117851 (patch)
tree616a47c2359a58c82d0f849f5ec1916203630689 /docs
parentf86100ab18c7940dc104b5c1a654780ede56df50 (diff)
Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.
Thanks Claude Paroz & Tim Graham for collaborating on the patch. # Conflicts: # tests/auth_tests/test_views.py
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.1.2.txt13
1 files changed, 11 insertions, 2 deletions
diff --git a/docs/releases/2.1.2.txt b/docs/releases/2.1.2.txt
index 55cc4bfca9..c0bcaf6b56 100644
--- a/docs/releases/2.1.2.txt
+++ b/docs/releases/2.1.2.txt
@@ -4,8 +4,17 @@ Django 2.1.2 release notes
*Expected October 1, 2018*
-Django 2.1.2 fixes several bugs in 2.1.1. Also, the latest string translations
-from Transifex are incorporated.
+Django 2.1.2 fixes a security issue and several bugs in 2.1.1. Also, the latest
+string translations from Transifex are incorporated.
+
+CVE-2018-16984: Password hash disclosure to "view only" admin users
+===================================================================
+
+If an admin user has the change permission to the user model, only part of the
+password hash is displayed in the change form. Admin users with the view (but
+not change) permission to the user model were displayed the entire hash. While
+it's typically infeasible to reverse a strong password hash, if your site uses
+weaker password hashing algorithms such as MD5 or SHA1, it could be a problem.
Bugfixes
========