path: root/docs/releases/2.1.2.txt
author    Carlton Gibson <carlton.gibson@noumenal.es>  2018-09-13 15:08:41 +0200
committer Carlton Gibson <carlton.gibson@noumenal.es>  2018-10-01 10:05:01 +0200
commit    bf39978a53f117ca02e9a0c78b76664a41a54745
tree      975d3beb98aebfc5b84d2de14c4f6382a73aaf68 /docs/releases/2.1.2.txt
parent    a4932be483368d17d907d8d5492c4701a6631d87
Fixed CVE-2018-16984 -- Fixed password hash disclosure to admin "view only" users.
Thanks Claude Paroz & Tim Graham for collaborating on the patch.
Diffstat (limited to 'docs/releases/2.1.2.txt')
-rw-r--r--  docs/releases/2.1.2.txt  13
1 file changed, 11 insertions, 2 deletions
diff --git a/docs/releases/2.1.2.txt b/docs/releases/2.1.2.txt
index 55cc4bfca9..c0bcaf6b56 100644
--- a/docs/releases/2.1.2.txt
+++ b/docs/releases/2.1.2.txt
@@ -4,8 +4,17 @@ Django 2.1.2 release notes
*Expected October 1, 2018*
-Django 2.1.2 fixes several bugs in 2.1.1. Also, the latest string translations
-from Transifex are incorporated.
+Django 2.1.2 fixes a security issue and several bugs in 2.1.1. Also, the latest
+string translations from Transifex are incorporated.
+
+CVE-2018-16984: Password hash disclosure to "view only" admin users
+===================================================================
+
+If an admin user has the change permission to the user model, only part of the
+password hash is displayed in the change form. Admin users with the view (but
+not change) permission to the user model were displayed the entire hash. While
+it's typically infeasible to reverse a strong password hash, if your site uses
+weaker password hashing algorithms such as MD5 or SHA1, it could be a problem.
Bugfixes
========
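Review bot: the new CVE-2018-16984 paragraph describes the disclosure but gives administrators no guidance on what to do about it; since this is the only place most operators will read about the issue, the section should say which Django releases are affected (the release notes for 2.1.2 imply the 2.1 series, but the text never states it) and what a site that used a weak hasher should do, for example treat the hashes of users whose change form was opened by a view-only admin as exposed and prompt those users to reset their passwords after upgrading. Two smaller points on the same lines: "Admin users with the view (but not change) permission to the user model were displayed the entire hash" reads awkwardly and should be "were shown the entire hash", and "it could be a problem" understates the impact; something like "an attacker holding only the view permission could attempt to crack those hashes offline" says what the problem actually is.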