Diffstat (limited to 'docs')
  docs/ref/logging.txt         | 12
  docs/releases/4.2.16.txt     | 11
  docs/releases/5.0.9.txt      | 11
  docs/topics/auth/default.txt |  4
4 files changed, 37 insertions, 1 deletions
diff --git a/docs/ref/logging.txt b/docs/ref/logging.txt index fa07422cd5..672b9eae22 100644 --- a/docs/ref/logging.txt +++ b/docs/ref/logging.txt @@ -214,6 +214,18 @@ Django development server. This logger generates an ``INFO`` message upon detecting a modification in a source code file and may produce ``WARNING`` messages during filesystem inspection and event subscription processes. +.. _django-contrib-auth-logger: + +``django.contrib.auth`` +~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 4.2.16 + +Log messages related to :doc:`contrib/auth`, particularly ``ERROR`` messages +are generated when a :class:`~django.contrib.auth.forms.PasswordResetForm` is +successfully submitted but the password reset email cannot be delivered due to +a mail sending exception. + .. _django-contrib-gis-logger: ``django.contrib.gis`` diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt index 2a84186867..963036345c 100644 --- a/docs/releases/4.2.16.txt +++ b/docs/releases/4.2.16.txt @@ -13,3 +13,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. + +CVE-2024-45231: Potential user email enumeration via response status on password reset +====================================================================================== + +Due to unhandled email sending failures, the +:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote +attackers to enumerate user emails by issuing password reset requests and +observing the outcomes. + +To mitigate this risk, exceptions occurring during password reset email sending +are now handled and logged using the :ref:`django-contrib-auth-logger` logger. diff --git a/docs/releases/5.0.9.txt b/docs/releases/5.0.9.txt index 50e94ea3f2..52595ae4ff 100644 --- a/docs/releases/5.0.9.txt +++ b/docs/releases/5.0.9.txt 
@@ -13,3 +13,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. + +CVE-2024-45231: Potential user email enumeration via response status on password reset +====================================================================================== + +Due to unhandled email sending failures, the +:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote +attackers to enumerate user emails by issuing password reset requests and +observing the outcomes. + +To mitigate this risk, exceptions occurring during password reset email sending +are now handled and logged using the :ref:`django-contrib-auth-logger` logger. diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 045710b420..2bcae679f4 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -1685,7 +1685,9 @@ provides several built-in forms located in :mod:`django.contrib.auth.forms`: .. method:: send_mail(subject_template_name, email_template_name, context, from_email, to_email, html_email_template_name=None) Uses the arguments to send an ``EmailMultiAlternatives``. - Can be overridden to customize how the email is sent to the user. + Can be overridden to customize how the email is sent to the user. If + you choose to override this method, be mindful of handling potential + exceptions raised due to email sending failures. :param subject_template_name: the template for the subject. :param email_template_name: the template for the email body. |
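Review bot: in the new ``django.contrib.auth`` logger section of docs/ref/logging.txt, the sentence "Log messages related to :doc:`contrib/auth`, particularly ``ERROR`` messages are generated when ..." is a run-on; split it, e.g. "Log messages related to :doc:`contrib/auth`. In particular, an ``ERROR`` message is logged when a :class:`~django.contrib.auth.forms.PasswordResetForm` is successfully submitted but the password reset email cannot be delivered because of a mail sending exception." It would also help operators to say that, because the exception is no longer surfaced to the requester, these ``ERROR`` records are the only signal that password reset mail is failing, so production ``LOGGING`` configuration should route this logger to a monitored handler.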
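Review bot: in the CVE-2024-45231 entry of docs/releases/4.2.16.txt, the body says attackers could enumerate emails by "observing the outcomes" while the heading is specific about "response status"; name the observable in the body too, e.g. "by issuing password reset requests and observing whether the response indicated an email sending failure." The mitigation paragraph describes only the server side ("handled and logged"); add what the requester now sees, namely the same response whether or not the email could be delivered, since that uniformity is what closes the enumeration channel.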
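Review bot: the CVE-2024-45231 entry in docs/releases/5.0.9.txt repeats the 4.2.16 text word for word, including "observing the outcomes" where the heading says "response status" and a mitigation paragraph that omits the user-visible result (an identical response regardless of delivery outcome); whichever wording is settled on, apply it to both release notes so the backport and the 5.0 branch stay in sync.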
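Review bot: the sentence added to the ``send_mail`` documentation in docs/topics/auth/default.txt ("be mindful of handling potential exceptions raised due to email sending failures") does not say why it matters. State it directly: an overridden ``send_mail`` that lets a sending exception propagate reintroduces the behaviour described in the CVE-2024-45231 release note, because the failure again becomes observable to the requester and reveals whether the address matched an account. Suggested wording: "If you override this method, catch exceptions raised while sending and report them through the :ref:`django-contrib-auth-logger` logger rather than letting them propagate; otherwise a delivery failure can once again be detected from the response."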
