Bug 706204 (CVE-2019-19844) - dev-python/django: crafted email address allows account takeover (CVE-2019-19844)
Summary: dev-python/django: crafted email address allows account takeover (CVE-2019-19...
Alias: CVE-2019-19844
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa+ cve]
Depends on:
Reported: 2020-01-23 21:47 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-30 23:32 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-23 21:47:25 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-01-23 21:48:28 UTC
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

External References:

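The following is an added illustration of the comparison problem described in comment 1; it is not code from Django, Gentoo, or this bug. It emulates a case-insensitive email lookup (Django's `email__iexact`) on a database whose upper-casing applies full Unicode case mapping, using Python's `str.upper()` as a stand-in for the backend. The user table, the victim address `alice@mail.example` and the crafted address with a dotless i (U+0131) in the domain are constructed sample data; the hardened comparison follows the NFKC-plus-casefold approach that Django adopted in the fixed releases, and the decisive mitigation is that the token is addressed to the registered email rather than the submitted one.

```python
import unicodedata

# Constructed sample user table: registered email -> username (not real data).
USERS = {"alice@mail.example": "alice"}


def iexact_candidates(submitted):
    """Emulate a case-insensitive (email__iexact) lookup.

    str.upper() stands in for a backend whose UPPER()/LOWER() performs full
    Unicode case mapping, where U+0131 (dotless i) upper-cases to ASCII 'I'.
    Whether a real database behaves this way depends on its collation.
    """
    wanted = submitted.upper()
    return [email for email in USERS if email.upper() == wanted]


def vulnerable_reset_recipient(submitted):
    """Pre-fix behaviour: if any account matches, the reset token is mailed to
    the address the requester typed, so a crafted look-alike address
    receives the victim's token."""
    if iexact_candidates(submitted):
        return submitted
    return None


def unicode_ci_compare(s1, s2):
    """Case-insensitive identifier comparison: NFKC normalisation followed by
    casefold, as recommended in Unicode TR 36 section 2.11.2(B)(2).
    casefold() leaves U+0131 unchanged, so 'ı' no longer equals 'i'."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def fixed_reset_recipient(submitted):
    """Post-fix behaviour: database candidates are re-checked in Python with
    unicode_ci_compare, and the token is sent only to the registered address,
    never to the submitted string."""
    for registered in iexact_candidates(submitted):
        if unicode_ci_compare(submitted, registered):
            return registered
    return None


if __name__ == "__main__":
    # Attacker controls the IDN domain "maıl.example" (dotless i), which the
    # emulated backend upper-cases to "MAIL.EXAMPLE".
    crafted = "alice@ma\u0131l.example"
    print("vulnerable ->", vulnerable_reset_recipient(crafted))  # token to attacker
    print("fixed      ->", fixed_reset_recipient(crafted))       # no token sent
    print("fixed, legitimate ->", fixed_reset_recipient("ALICE@mail.example"))
```

Two independent changes are shown: the stricter comparison rejects the look-alike, and even where a normalisation still lets two spellings collide, mailing only the registered address means the requester never chooses where the token goes.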
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-25 20:28:14 UTC
All Gentoo versions of django are severely outdated (and vulnerable).  I'm not sure if anyone from Python team wants to maintain it.  Maybe it'd be better to drop it to maintainer-needed, and/or mask it with long removal time.
Comment 3 Larry the Git Cow gentoo-dev 2020-03-06 14:38:36 UTC
The bug has been referenced in the following commit(s):

commit 6d0858ec7469d1327e9fad71108a9a637469851e
Author:     Michał Górny <>
AuthorDate: 2020-03-06 14:13:35 +0000
Commit:     Michał Górny <>
CommitDate: 2020-03-06 14:38:30 +0000

    dev-python/django: Remove vulnerable (drop to ~arch)
    Signed-off-by: Michał Górny <>

 dev-python/django/Manifest            |  4 --
 dev-python/django/django-2.1.8.ebuild | 88 ---------------------------------
 dev-python/django/django-2.1.9.ebuild | 88 ---------------------------------
 dev-python/django/django-2.2.1.ebuild | 91 -----------------------------------
 dev-python/django/django-2.2.2.ebuild | 91 -----------------------------------
 5 files changed, 362 deletions(-)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-08 04:45:42 UTC
Added to an existing GLSA Request.
Arches and Maintainer(s), Thank you for your work.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:32:33 UTC
This issue was resolved and addressed in
 GLSA 202004-17 at
by GLSA coordinator Thomas Deutschmann (whissi).