==========================
Django 2.2.9 release notes
==========================

*December 18, 2019*

Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.

CVE-2019-19844: Potential account hijack via password reset form
================================================================

By submitting a suitably crafted email address that made use of Unicode
characters and compared equal to an existing user's email when lower-cased for
comparison, an attacker could be sent a password reset token for the matched
account.

In order to avoid this vulnerability, password reset requests now compare the
submitted email using the stricter, recommended algorithm for case-insensitive
comparison of two identifiers from `Unicode Technical Report 36, section
2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
sent to the email address on record rather than the submitted address.

.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
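The following is an added example, not code from Django itself, modelling the two halves of the fix described above: a UTR36-style case-insensitive identifier comparison (assumed here to be NFKC normalisation followed by case folding) gating the match, and the reset token being addressed to the recorded email rather than the submitted string. The ``USERS`` table is constructed sample data, and ``reset_recipients_before`` is a simplified model of the vulnerable flow as the notes describe it, not a copy of the old Django code. Django's real ``get_users`` first narrows candidates with an ``iexact`` database lookup and then applies the Python comparison; the example folds that into one in-memory check.

```python
import unicodedata

# Constructed sample of an auth user table (not real data). "email" is the
# address on record for the account; a reset token must only ever go there.
USERS = [
    {"username": "mike", "email": "mike@example.org", "is_active": True},
    {"username": "anna", "email": "Anna@example.org", "is_active": True},
    {"username": "old",  "email": "old@example.org",  "is_active": False},
]


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison in the style of UTR36
    section 2.11.2(B)(2): NFKC-normalise both strings, case-fold them, then
    compare. (Assumption: normalise-then-fold is the recommended form.)"""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients_before(submitted: str) -> list:
    """Simplified model of the vulnerable flow described in the notes:
    match on lower-cased equality and send to the *submitted* spelling."""
    matched = [u for u in USERS
               if u["is_active"] and u["email"].lower() == submitted.lower()]
    return [submitted for _ in matched]


def reset_recipients_after(submitted: str) -> list:
    """Model of the 2.2.9 flow: require the stricter comparison and send the
    token to the address on record, never to the submitted string."""
    matched = [u for u in USERS
               if u["is_active"] and unicode_ci_compare(submitted, u["email"])]
    return [u["email"] for u in matched]


if __name__ == "__main__":
    # U+212A KELVIN SIGN lower-cases to ASCII "k", so this spelling is a
    # case variant of mike@example.org but is not the string on record.
    crafted = "mi\u212Ae@example.org"
    print("before:", reset_recipients_before(crafted))  # ['mi\u212Ae@example.org']
    print("after: ", reset_recipients_after(crafted))   # ['mike@example.org']
    # U+0131 LATIN SMALL LETTER DOTLESS I looks like "i" but is not a case
    # variant of it, so it must not match any account at all.
    print("after: ", reset_recipients_after("m\u0131ke@example.org"))  # []
```

The Kelvin-sign case shows why the recipient change matters on its own: a genuine case variant still matches the account under the stricter comparison, but the token now goes to ``mike@example.org`` and not to whatever spelling the requester typed. The dotless-i case shows the comparison acting as a gate for look-alike spellings that are not case variants.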
Bugfixes
========

* Fixed a data loss possibility in
  :class:`~django.contrib.postgres.forms.SplitArrayField`. When used with
  ``ArrayField(BooleanField())``, all values after the first ``True`` value
  were marked as checked instead of preserving the passed values
  (:ticket:`31073`).