Debian Security Advisory
DSA-4598-1 python-django -- security update
- Date Reported:
- 07 Jan 2020
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 946937.
In Mitre's CVE dictionary: CVE-2019-19844.
- More information:
Simon Charette reported that the password reset functionality in Django, a high-level Python web development framework, uses a Unicode case-insensitive query to retrieve accounts matching the email address requesting the password reset. An attacker can take advantage of this flaw to potentially retrieve password reset tokens and hijack accounts.
For details please refer to https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
For the oldstable distribution (stretch), this problem has been fixed in version 1:1.10.7-2+deb9u7.
For the stable distribution (buster), this problem has been fixed in version 1:1.11.27-1~deb10u1.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-django