CVE-2019-19844

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

*******************

Security notice
---------------

- See `CVE-2019-19844
<https://www.djangoproject.com/weblog/2019/dec/18/security-releases/>`_.


Note worthy changes
-------------------

- New providers: Exist.io., YNAB, Amazon Cognito.

- You can now store OAuth credentials directly in your
``settings.SOCIALACCOUNT_PROVIDERS`` settings instead of storing them in the
database using a ``SocialApp`` record.


Backwards incompatible changes
------------------------------

- Dropped Python 2 and Django 1 compatibility.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
• https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0
• https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
• https://docs.djangoproject.com/en/dev/releases/security/
• https://usn.ubuntu.com/4224-1/
• https://www.debian.org/security/2020/dsa-4598
• https://seclists.org/bugtraq/2020/Jan/9
• http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
• https://security.netapp.com/advisory/ntap-20200110-0003/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/
• https://security.gentoo.org/glsa/202004-17