Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

In accordance with our security release policy, the Django team is issuing Django 3.0.1, Django 2.2.9 and Django 1.11.27. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

These releases are also issued outside of our normal bugfix/release schedule, and did not have the usual one-week prenotification period. By the time the Django security team was made aware of this security issue, its mechanics were already public knowledge, and it was judged best to issue new releases of Django immediately.

CVE-2019-19844: Potential account hijack via password reset form Django's password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this typically involves explicit or implicit case transformations, an attacker who knows the email address associated with a user account can craft an email address which is distinct from the address associated with that account, but which -- due to the behavior of Unicode case transformations -- ceases to be distinct after case transformation, or which will otherwise compare equal given database case-transformation or collation behavior. In such a situation, the attacker can receive a valid password-reset token for the user account. To resolve this, two changes were made in Django: After retrieving a list of potentially-matching accounts from the database, Django's password reset functionality now also checks the email address for equivalence in Python, using the recommended identifier-comparison process from Unicode Technical Report 36, section 2.11.2(B)(2). When generating password-reset emails, Django now sends to the email address retrieved from the database, rather than the email address submitted in the password-reset request form. This issue was brought to the attention of the Django security team by Simon Charette, who became aware of it after reading a public disclosure of a similar issue which affected GitHub.

Affected supported versions Django master branch

Django 3.0

Django 2.2

Django 1.11