diff options
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/1.11.27.txt | 20 | ||||
| -rw-r--r-- | docs/releases/2.2.9.txt | 20 | ||||
| -rw-r--r-- | docs/releases/3.0.1.txt | 20 |
3 files changed, 54 insertions, 6 deletions
diff --git a/docs/releases/1.11.27.txt b/docs/releases/1.11.27.txt index cb4329afdb..6197dee1f6 100644 --- a/docs/releases/1.11.27.txt +++ b/docs/releases/1.11.27.txt @@ -2,9 +2,25 @@ Django 1.11.27 release notes ============================ -*Expected January 2, 2020* +*December 18, 2019* -Django 1.11.27 fixes a data loss bug in 1.11.26. +Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26. + +CVE-2019-19844: Potential account hijack via password reset form +================================================================ + +By submitting a suitably crafted email address making use of Unicode +characters, that compared equal to an existing user email when lower-cased for +comparison, an attacker could be sent a password reset token for the matched +account. + +In order to avoid this vulnerability, password reset requests now compare the +submitted email using the stricter, recommended algorithm for case-insensitive +comparison of two identifiers from `Unicode Technical Report 36, section +2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be +sent to the email address on record rather than the submitted address. + +.. __: https://www.unicode.org/reports/tr36/#Recommendations_General Bugfixes ======== diff --git a/docs/releases/2.2.9.txt b/docs/releases/2.2.9.txt index efd0cb4e1c..25a9374194 100644 --- a/docs/releases/2.2.9.txt +++ b/docs/releases/2.2.9.txt @@ -2,9 +2,25 @@ Django 2.2.9 release notes ========================== -*Expected January 2, 2020* +*December 18, 2019* -Django 2.2.9 fixes a data loss bug in 2.2.8. +Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8. + +CVE-2019-19844: Potential account hijack via password reset form +================================================================ + +By submitting a suitably crafted email address making use of Unicode +characters, that compared equal to an existing user email when lower-cased for +comparison, an attacker could be sent a password reset token for the matched +account. + +In order to avoid this vulnerability, password reset requests now compare the +submitted email using the stricter, recommended algorithm for case-insensitive +comparison of two identifiers from `Unicode Technical Report 36, section +2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be +sent to the email address on record rather than the submitted address. + +.. __: https://www.unicode.org/reports/tr36/#Recommendations_General Bugfixes ======== diff --git a/docs/releases/3.0.1.txt b/docs/releases/3.0.1.txt index b923661bd2..1c32528304 100644 --- a/docs/releases/3.0.1.txt +++ b/docs/releases/3.0.1.txt @@ -2,9 +2,25 @@ Django 3.0.1 release notes ========================== -*Expected January 2, 2020* +*December 18, 2019* -Django 3.0.1 fixes several bugs in 3.0. +Django 3.0.1 fixes a security issue and several bugs in 3.0. + +CVE-2019-19844: Potential account hijack via password reset form +================================================================ + +By submitting a suitably crafted email address making use of Unicode +characters, that compared equal to an existing user email when lower-cased for +comparison, an attacker could be sent a password reset token for the matched +account. + +In order to avoid this vulnerability, password reset requests now compare the +submitted email using the stricter, recommended algorithm for case-insensitive +comparison of two identifiers from `Unicode Technical Report 36, section +2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be +sent to the email address on record rather than the submitted address. + +.. __: https://www.unicode.org/reports/tr36/#Recommendations_General Bugfixes ======== |