diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/5.2.15.txt | 13 | ||||
| -rw-r--r-- | docs/releases/6.0.6.txt | 13 |
2 files changed, 26 insertions, 0 deletions
diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt index 3659714a08..14796f8581 100644 --- a/docs/releases/5.2.15.txt +++ b/docs/releases/5.2.15.txt @@ -22,3 +22,16 @@ cookies immediately. This issue has severity "low" according to the :ref:`Django security policy <severity-levels>`. + +CVE-2026-7666: Potential unencrypted email transmission via ``STARTTLS`` in the SMTP backend +============================================================================================ + +When using :setting:`EMAIL_USE_TLS`, a failed ``STARTTLS`` handshake could +leave a partially-initialized connection that would subsequently be reused for +sending email without encryption. This can occur with ``fail_silently=True``, +as used by :func:`~django.core.mail.send_mail` and +:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`, among others. +Connections configured with :setting:`EMAIL_USE_SSL` are not affected. + +This issue has severity "low" according to the :ref:`Django security policy +<severity-levels>`. diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt index dcd63121fc..20ae1db93c 100644 --- a/docs/releases/6.0.6.txt +++ b/docs/releases/6.0.6.txt @@ -24,6 +24,19 @@ cookies immediately. This issue has severity "low" according to the :ref:`Django security policy <severity-levels>`. +CVE-2026-7666: Potential unencrypted email transmission via ``STARTTLS`` in the SMTP backend +============================================================================================ + +When using :setting:`EMAIL_USE_TLS`, a failed ``STARTTLS`` handshake could +leave a partially-initialized connection that would subsequently be reused for +sending email without encryption. This can occur with ``fail_silently=True``, +as used by :func:`~django.core.mail.send_mail` and +:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`, among others. +Connections configured with :setting:`EMAIL_USE_SSL` are not affected. + +This issue has severity "low" according to the :ref:`Django security policy +<severity-levels>`. + Bugfixes ======== |
