summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/5.2.15.txt13
-rw-r--r--docs/releases/6.0.6.txt13
2 files changed, 26 insertions, 0 deletions
diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt
index 3659714a08..14796f8581 100644
--- a/docs/releases/5.2.15.txt
+++ b/docs/releases/5.2.15.txt
@@ -22,3 +22,16 @@ cookies immediately.
This issue has severity "low" according to the :ref:`Django security policy
<severity-levels>`.
+
+CVE-2026-7666: Potential unencrypted email transmission via ``STARTTLS`` in the SMTP backend
+============================================================================================
+
+When using :setting:`EMAIL_USE_TLS`, a failed ``STARTTLS`` handshake could
+leave a partially-initialized connection that would subsequently be reused for
+sending email without encryption. This can occur with ``fail_silently=True``,
+as used by :func:`~django.core.mail.send_mail` and
+:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`, among others.
+Connections configured with :setting:`EMAIL_USE_SSL` are not affected.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<severity-levels>`.
diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt
index dcd63121fc..20ae1db93c 100644
--- a/docs/releases/6.0.6.txt
+++ b/docs/releases/6.0.6.txt
@@ -24,6 +24,19 @@ cookies immediately.
This issue has severity "low" according to the :ref:`Django security policy
<severity-levels>`.
+CVE-2026-7666: Potential unencrypted email transmission via ``STARTTLS`` in the SMTP backend
+============================================================================================
+
+When using :setting:`EMAIL_USE_TLS`, a failed ``STARTTLS`` handshake could
+leave a partially-initialized connection that would subsequently be reused for
+sending email without encryption. This can occur with ``fail_silently=True``,
+as used by :func:`~django.core.mail.send_mail` and
+:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`, among others.
+Connections configured with :setting:`EMAIL_USE_SSL` are not affected.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<severity-levels>`.
+
Bugfixes
========