c3ffce2407
Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.

CVE-2019-19844: Potential account hijack via password reset form

By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.

Bugfixes

* Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values
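The two behaviour changes described in the commit message, shown side by side as an added example (not Django's or pkgsrc's own code). The function names, the sample addresses and the in-memory list standing in for the user table are assumptions made for illustration.

```python
import unicodedata


def uts36_equal(a: str, b: str) -> bool:
    """Case-insensitive identifier comparison: NFKC-normalise, then case-fold."""
    def fold(s: str) -> str:
        return unicodedata.normalize("NFKC", s).casefold()
    return fold(a) == fold(b)


def recipients_before(submitted: str, emails_on_record: list[str]) -> list[str]:
    """Pre-fix behaviour as the advisory describes it: match on lower-cased
    strings, then mail the token to the address that was *submitted*."""
    return [submitted for stored in emails_on_record
            if stored.lower() == submitted.lower()]


def recipients_after(submitted: str, emails_on_record: list[str]) -> list[str]:
    """Post-fix behaviour: compare with the NFKC + casefold rule, and mail the
    token only to the address *on record*, never to the submitted string."""
    return [stored for stored in emails_on_record
            if uts36_equal(stored, submitted)]


# Constructed sample data (hypothetical account and lookalike address).
ON_RECORD = ["mike@example.org"]
LOOKALIKE = "mi\u212ae@example.org"      # U+212A KELVIN SIGN in place of "k"
DOTLESS = "m\u0131ke@example.org"        # U+0131 LATIN SMALL LETTER DOTLESS I

if __name__ == "__main__":
    # Old flow: the lookalike matches and receives the token itself.
    print("before:", recipients_before(LOOKALIKE, ON_RECORD))
    # New flow: it may still match, but the token goes to the stored address.
    print("after: ", recipients_after(LOOKALIKE, ON_RECORD))
    # A loose upper-case comparison equates dotless i with "i"; the
    # NFKC + casefold comparison does not.
    print("upper() equal:", DOTLESS.upper() == ON_RECORD[0].upper())
    print("uts36 equal:  ", uts36_equal(DOTLESS, ON_RECORD[0]))
```

The Kelvin-sign case shows why the second change matters: a normalising comparison can still legitimately match a lookalike, so the recipient has to come from the stored record.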
6 lines
410 B
Text
$NetBSD: distinfo,v 1.91 2019/12/19 13:39:50 adam Exp $

SHA1 (Django-1.11.27.tar.gz) = 8f0ad184cbae6e69dbe2a1f4d7ec32d842657001
RMD160 (Django-1.11.27.tar.gz) = 6a9c879460b3a84bfcc2a6accec012e142f7e94c
SHA512 (Django-1.11.27.tar.gz) = 02370bc69d715fbd0d0460e801840331670f7348767040035d80d5e881eae90259dfa4b6406af37d827361691aca464bc4d556e525c32a94413528d0593fdf09
Size (Django-1.11.27.tar.gz) = 7976980 bytes