Incoming details.
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

External References: https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
References: https://seclists.org/oss-sec/2019/q4/163
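The collision and the mitigation described in the report above, as an added example that is not Django's own code: a constructed in-memory user table, a lookup that mimics a case-insensitive email match as a database would perform it, and the pre-fix versus fixed choice of recipient for the reset token. The sample users, the casefold-based lookup and the U+017F (long s) address used to show the collision are assumptions.

```python
import unicodedata
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class User:
    username: str
    email: str


# Constructed sample user table standing in for the Django user model.
USERS = [User("sam", "sam@example.com"), User("bob", "bob@example.com")]


def lookup_iexact(submitted: str) -> List[User]:
    """Mimic a case-insensitive DB lookup (email__iexact).

    Assumption: the database applies a Unicode-aware case mapping, so two
    addresses with different code points can still compare equal. Python's
    str.casefold() is used here to stand in for that collation.
    """
    key = unicodedata.normalize("NFKC", submitted).casefold()
    return [u for u in USERS if unicodedata.normalize("NFKC", u.email).casefold() == key]


def reset_recipients_vulnerable(submitted: str) -> List[str]:
    """Pre-fix behaviour from the report: for every account the lookup
    matched, the token goes to the address the requester typed."""
    return [submitted for _ in lookup_iexact(submitted)]


def reset_recipients_fixed(submitted: str) -> List[str]:
    """Mitigation from the report: match case-insensitively, but send the
    token only to the email address registered on the matched account."""
    return [u.email for u in lookup_iexact(submitted)]


if __name__ == "__main__":
    # Constructed input: U+017F casefolds to "s", so it matches "sam@example.com".
    lookalike = "\u017fam@example.com"
    print("lookup matched:", [u.username for u in lookup_iexact(lookalike)])
    print("vulnerable sends to:", reset_recipients_vulnerable(lookalike))
    print("fixed sends to:     ", reset_recipients_fixed(lookalike))
```

Plain case differences such as "SAM@example.com" still reach the registered account under the fixed version, so the case-insensitive lookup itself is kept; only the recipient choice changes.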
All Gentoo versions of django are severely outdated (and vulnerable). I'm not sure if anyone from Python team wants to maintain it. Maybe it'd be better to drop it to maintainer-needed, and/or mask it with long removal time.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d0858ec7469d1327e9fad71108a9a637469851e

commit 6d0858ec7469d1327e9fad71108a9a637469851e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-03-06 14:13:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-06 14:38:30 +0000

    dev-python/django: Remove vulnerable (drop to ~arch)

    Bug: https://bugs.gentoo.org/692384
    Bug: https://bugs.gentoo.org/701744
    Bug: https://bugs.gentoo.org/706204
    Bug: https://bugs.gentoo.org/707998
    Bug: https://bugs.gentoo.org/711522
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest            |  4 --
 dev-python/django/django-2.1.8.ebuild | 88 --------------------------------
 dev-python/django/django-2.1.9.ebuild | 88 --------------------------------
 dev-python/django/django-2.2.1.ebuild | 91 -----------------------------------
 dev-python/django/django-2.2.2.ebuild | 91 -----------------------------------
 5 files changed, 362 deletions(-)
Added to an existing GLSA Request. Arches and Maintainer(s), Thank you for your work.
This issue was resolved and addressed in GLSA 202004-17 at https://security.gentoo.org/glsa/202004-17 by GLSA coordinator Thomas Deutschmann (whissi).