Diffstat (limited to 'docs/releases/4.2.28.txt')
-rw-r--r--  docs/releases/4.2.28.txt  10
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt
index 8c6d4a2a1d..9f6d5cb152 100644
--- a/docs/releases/4.2.28.txt
+++ b/docs/releases/4.2.28.txt
@@ -7,3 +7,13 @@ Django 4.2.28 release notes
Django 4.2.28 fixes three security issues with severity "high", two security
issues with severity "moderate", and one security issue with severity "low" in
4.2.27.
+
+CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
+=================================================================================================
+
+The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
+:doc:`authentication via mod_wsgi</howto/deployment/wsgi/apache-auth>`
+allowed remote attackers to enumerate users via a timing attack.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
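Review bot: The new CVE-2025-13473 entry (lines 19-27 of the hunk) describes the impact of the issue but not the remediation; Django security release notes normally close each CVE entry with a sentence stating what changed in the affected code, so operators of the mod_wsgi authentication handler can tell whether the fix alters behaviour they depend on. Consider adding that sentence after the severity line. Also, the unchanged summary at the top of the hunk counts six issues (three "high", two "moderate", one "low") while this hunk adds only the single "low" entry, so the remaining five entries need to land in the same release notes file before the release is tagged.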