blob: 9f6d5cb152f16cf5e30dfff19f88cb32c3ebdd8e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
===========================
Django 4.2.28 release notes
===========================
*February 3, 2026*
Django 4.2.28 fixes three security issues with severity "high", two security
issues with severity "moderate", and one security issue with severity "low" in
4.2.27.
CVE-2025-13473: Username enumeration through timing difference in mod_wsgi authentication handler
=================================================================================================
The ``django.contrib.auth.handlers.modwsgi.check_password()`` function for
:doc:`authentication via mod_wsgi</howto/deployment/wsgi/apache-auth>`
allowed remote attackers to enumerate users via a timing attack.
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.
|
