diff options
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/4.2.16.txt | 11 | ||||
| -rw-r--r-- | docs/releases/5.0.9.txt | 11 | ||||
| -rw-r--r-- | docs/releases/5.1.1.txt | 11 |
3 files changed, 33 insertions, 0 deletions
diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt index 2a84186867..963036345c 100644 --- a/docs/releases/4.2.16.txt +++ b/docs/releases/4.2.16.txt @@ -13,3 +13,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. + +CVE-2024-45231: Potential user email enumeration via response status on password reset +====================================================================================== + +Due to unhandled email sending failures, the +:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote +attackers to enumerate user emails by issuing password reset requests and +observing the outcomes. + +To mitigate this risk, exceptions occurring during password reset email sending +are now handled and logged using the :ref:`django-contrib-auth-logger` logger. diff --git a/docs/releases/5.0.9.txt b/docs/releases/5.0.9.txt index 50e94ea3f2..52595ae4ff 100644 --- a/docs/releases/5.0.9.txt +++ b/docs/releases/5.0.9.txt @@ -13,3 +13,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. + +CVE-2024-45231: Potential user email enumeration via response status on password reset +====================================================================================== + +Due to unhandled email sending failures, the +:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote +attackers to enumerate user emails by issuing password reset requests and +observing the outcomes. + +To mitigate this risk, exceptions occurring during password reset email sending +are now handled and logged using the :ref:`django-contrib-auth-logger` logger. diff --git a/docs/releases/5.1.1.txt b/docs/releases/5.1.1.txt index dd24929100..8c0468d727 100644 --- a/docs/releases/5.1.1.txt +++ b/docs/releases/5.1.1.txt @@ -14,6 +14,17 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html denial-of-service attack via very large inputs with a specific sequence of characters. +CVE-2024-45231: Potential user email enumeration via response status on password reset +====================================================================================== + +Due to unhandled email sending failures, the +:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote +attackers to enumerate user emails by issuing password reset requests and +observing the outcomes. + +To mitigate this risk, exceptions occurring during password reset email sending +are now handled and logged using the :ref:`django-contrib-auth-logger` logger. + Bugfixes ======== |