
             AUSCERT External Security Bulletin Redistribution

                Django releases important security updates
                             19 December 2019


        AusCERT Security Bulletin Summary

Product:           Django
Publisher:         Django
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19844  

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

Posted by Carlton Gibson, Mariusz Felisiak, James Bennett on December 18, 2019

In accordance with our security release policy, the Django team is issuing
Django 3.0.1, Django 2.2.9 and Django 1.11.27. These releases address the
security issue detailed below. We encourage all users of Django to upgrade as
soon as possible.

These releases are also issued outside of our normal bugfix/release schedule,
and did not have the usual one-week prenotification period. By the time the
Django security team was made aware of this security issue, its mechanics were
already public knowledge, and it was judged best to issue new releases of
Django immediately.

CVE-2019-19844: Potential account hijack via password reset form

Django's password-reset form uses a case-insensitive query to retrieve accounts
matching the email address requesting the password reset. Because this
typically involves explicit or implicit case transformations, an attacker who
knows the email address associated with a user account can craft an email
address which is distinct from the address associated with that account, but
which -- due to the behavior of Unicode case transformations -- ceases to be
distinct after case transformation, or which will otherwise compare equal given
database case-transformation or collation behavior. In such a situation, the
attacker can receive a valid password-reset token for the user account.

To resolve this, two changes were made in Django:

 1. After retrieving a list of potentially-matching accounts from the database,
    Django's password reset functionality now also checks the email address for
    equivalence in Python, using the recommended identifier-comparison process
    from Unicode Technical Report 36, section 2.11.2(B)(2).
 2. When generating password-reset emails, Django now sends to the email
    address retrieved from the database, rather than the email address
    submitted in the password-reset request form.
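The following is an added worked example; it is not part of the Django post and is not the Django code base itself. It simulates the pre-fix and post-fix password-reset flows in plain Python. The case-insensitive database query is emulated with str.upper(), which mirrors the UPPER()-based comparison some SQL backends apply for an iexact lookup (the real set of colliding strings depends on the database's case and collation rules). The users table, the addresses, and the token generation are constructed for illustration. The attacker-supplied address uses a dotless i (U+0131), which str.upper() maps to "I" but which survives NFKC normalisation and case folding unchanged, so the Python-side check from Unicode Technical Report 36 rejects it.

```python
import secrets
import unicodedata

# Constructed sample "users" table for the demonstration (not real data).
USERS = [
    {"email": "alice@mail.example", "is_active": True},
    {"email": "bob@mail.example", "is_active": False},
]


def db_iexact_lookup(submitted_email):
    """Simulate a case-insensitive (iexact) query against the users table.

    Emulated with str.upper(), which mirrors the UPPER(...) = UPPER(...)
    comparison some backends use for iexact. Which distinct strings collide
    here is decided by the database's case-transformation/collation rules,
    not by the application, which is the root of CVE-2019-19844.
    """
    needle = submitted_email.upper()
    return [u for u in USERS if u["is_active"] and u["email"].upper() == needle]


def unicode_ci_compare(s1, s2):
    """Case-insensitive identifier comparison as recommended by UTR 36,
    section 2.11.2(B)(2): NFKC-normalise both strings, then compare the
    case-folded forms."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def vulnerable_reset(submitted_email):
    """Pre-fix behaviour: trust the database match and mail the reset token
    to the address the requester typed. Returns (recipient, token) pairs."""
    sent = []
    for _user in db_iexact_lookup(submitted_email):
        sent.append((submitted_email, secrets.token_urlsafe(16)))
    return sent


def hardened_reset(submitted_email):
    """Post-fix behaviour: (1) re-check equivalence in Python with the UTR 36
    procedure, (2) mail the token to the address stored in the database."""
    sent = []
    for user in db_iexact_lookup(submitted_email):
        if not unicode_ci_compare(submitted_email, user["email"]):
            # Database collision that is not a genuine case-insensitive match.
            continue
        sent.append((user["email"], secrets.token_urlsafe(16)))
    return sent


def recipients(sent):
    """Helper: just the addresses a reset token was sent to."""
    return [addr for addr, _token in sent]


if __name__ == "__main__":
    # Attacker-crafted address: dotless i in the domain, which the attacker
    # would register as an IDN they control (hypothetical).
    crafted = "alice@ma\u0131l.example"
    print("vulnerable:", recipients(vulnerable_reset(crafted)))
    print("hardened:  ", recipients(hardened_reset(crafted)))
    print("legit:     ", recipients(hardened_reset("Alice@MAIL.example")))
```

Run stand-alone, the vulnerable flow mails a valid token for alice's account to the crafted address, the hardened flow sends nothing for it, and a genuinely case-varied request ("Alice@MAIL.example") still succeeds but is delivered to the stored address. The second change closes the delivery path on its own: even where a backend collates two distinct addresses as equal in a way the Python check does not reproduce, the token goes to the address on file rather than to the one the requester typed.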

This issue was brought to the attention of the Django security team by Simon
Charette, who became aware of it after reading a public disclosure of a similar
issue which affected GitHub.

Affected supported versions

  * Django master branch
  * Django 3.0
  * Django 2.2
  * Django 1.11


Patches to resolve the issue have been applied to Django's master branch and
the 3.0, 2.2, and 1.11 release branches. The patches may be obtained from the
following changesets:

  * On the master branch
  * On the 3.0 release branch
  * On the 2.2 release branch
  * On the 1.11 release branch

The following releases have been issued:

  * Django 3.0.1 (download Django 3.0.1 | 3.0.1 checksums)
  * Django 2.2.9 (download Django 2.2.9 | 2.2.9 checksums)
  * Django 1.11.27 (download Django 1.11.27 | 1.11.27 checksums)

The PGP key ID used for these releases is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email
to security@djangoproject.com, and not via Django's Trac instance or the
django-developers list. Please see our security policies for further

As noted above, because the underlying cause of this issue was already publicly
known, these releases were issued without the usual prenotification process.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.