From df887f50198593a0e5b4638bfddbbd43a30fd276 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 30 Apr 2026 13:59:08 +0100 Subject: Fixed CVE-2026-7666 -- Delayed setting SMTP connection until fully configured. Thanks Kasper Dupont for the report, and Jacob Walls and Natalia Bidart for reviews. --- docs/releases/5.2.15.txt | 13 +++++++++++++ docs/releases/6.0.6.txt | 13 +++++++++++++ 2 files changed, 26 insertions(+) (limited to 'docs') diff --git a/docs/releases/5.2.15.txt b/docs/releases/5.2.15.txt index 3659714a08..14796f8581 100644 --- a/docs/releases/5.2.15.txt +++ b/docs/releases/5.2.15.txt @@ -22,3 +22,16 @@ cookies immediately. This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2026-7666: Potential unencrypted email transmission via ``STARTTLS`` in the SMTP backend +============================================================================================ + +When using :setting:`EMAIL_USE_TLS`, a failed ``STARTTLS`` handshake could +leave a partially-initialized connection that would subsequently be reused for +sending email without encryption. This can occur with ``fail_silently=True``, +as used by :func:`~django.core.mail.send_mail` and +:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`, among others. +Connections configured with :setting:`EMAIL_USE_SSL` are not affected. + +This issue has severity "low" according to the :ref:`Django security policy +`. diff --git a/docs/releases/6.0.6.txt b/docs/releases/6.0.6.txt index dcd63121fc..20ae1db93c 100644 --- a/docs/releases/6.0.6.txt +++ b/docs/releases/6.0.6.txt @@ -24,6 +24,19 @@ cookies immediately. This issue has severity "low" according to the :ref:`Django security policy `. +CVE-2026-7666: Potential unencrypted email transmission via ``STARTTLS`` in the SMTP backend +============================================================================================ + +When using :setting:`EMAIL_USE_TLS`, a failed ``STARTTLS`` handshake could +leave a partially-initialized connection that would subsequently be reused for +sending email without encryption. This can occur with ``fail_silently=True``, +as used by :func:`~django.core.mail.send_mail` and +:class:`~django.middleware.common.BrokenLinkEmailsMiddleware`, among others. +Connections configured with :setting:`EMAIL_USE_SSL` are not affected. + +This issue has severity "low" according to the :ref:`Django security policy +`. + Bugfixes ======== -- cgit v1.3