author:    Simon Charette <charette.s@gmail.com>  2019-12-16 21:51:57 -0500
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com>  2019-12-18 09:11:39 +0100
commit:    5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70
tree:      77991a30e32bb8f18971a89f23461b66714931fe /docs
parent:    f4647179ccd13c852563205273163b641d4b01a5
Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
Diffstat (limited to 'docs')
-rw-r--r--  docs/releases/1.11.27.txt  20
-rw-r--r--  docs/releases/2.2.9.txt    20
-rw-r--r--  docs/releases/3.0.1.txt    20
3 files changed, 54 insertions, 6 deletions
diff --git a/docs/releases/1.11.27.txt b/docs/releases/1.11.27.txt
index cb4329afdb..6197dee1f6 100644
--- a/docs/releases/1.11.27.txt
+++ b/docs/releases/1.11.27.txt
@@ -2,9 +2,25 @@
Django 1.11.27 release notes
============================
-*Expected January 2, 2020*
+*December 18, 2019*
-Django 1.11.27 fixes a data loss bug in 1.11.26.
+Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
Bugfixes
========
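Review bot: the paragraph beginning `In order to avoid this vulnerability, password reset requests now compare the` says what is compared and how, but never names the form or view that performs the comparison, so a site that subclasses or replaces the stock password reset form cannot tell from these notes whether its own lookup path is covered; naming the component would make the note actionable for integrators. The last sentence, `sent to the email address on record rather than the submitted address.`, is also a visible behaviour change for any deployment that relied on the submitted address being the recipient, and deserves to be called out as such rather than folded into the description of the fix.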
diff --git a/docs/releases/2.2.9.txt b/docs/releases/2.2.9.txt
index efd0cb4e1c..25a9374194 100644
--- a/docs/releases/2.2.9.txt
+++ b/docs/releases/2.2.9.txt
@@ -2,9 +2,25 @@
Django 2.2.9 release notes
==========================
-*Expected January 2, 2020*
+*December 18, 2019*
-Django 2.2.9 fixes a data loss bug in 2.2.8.
+Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
Bugfixes
========
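Review bot: the security section lists two changes, a stricter comparison and delivery to the stored address, but leaves the reader to work out which one actually closes the hijack. Consider stating that sending the token to the address on record rather than the submitted one is what keeps it from reaching the attacker even when a crafted address still compares equal, while the stricter comparison only narrows which submitted addresses match at all; as written, the threat in `an attacker could be sent a password reset token for the matched` is answered only implicitly by the final sentence.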
diff --git a/docs/releases/3.0.1.txt b/docs/releases/3.0.1.txt
index b923661bd2..1c32528304 100644
--- a/docs/releases/3.0.1.txt
+++ b/docs/releases/3.0.1.txt
@@ -2,9 +2,25 @@
Django 3.0.1 release notes
==========================
-*Expected January 2, 2020*
+*December 18, 2019*
-Django 3.0.1 fixes several bugs in 3.0.
+Django 3.0.1 fixes a security issue and several bugs in 3.0.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
Bugfixes
========
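Review bot: the opening sentence of the CVE section, `By submitting a suitably crafted email address making use of Unicode` / `characters, that compared equal to an existing user email when lower-cased for` / `comparison, an attacker could be sent a password reset token for the matched`, has a misplaced comma that detaches the relative clause from "email address" and buries the subject at the end; suggest "An attacker who submitted a suitably crafted email address, containing Unicode characters that compared equal to an existing user's email when lower-cased for comparison, could be sent a password reset token for the matched account." The reference to `section 2.11.2(B)(2)` likewise sends readers into TR36 without a clause saying what the comparison does; a short description beside the citation would save the trip to the report.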