Django: CVE-2019-19844: Potential account hijack via password reset form

[Mariusz Felisiak <felisiak.mariusz () gmail com>]

https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

In accordance with `our security release policy 
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the 
Django team is issuing `Django 3.0.1 
<https://docs.djangoproject.com/en/dev/releases/3.0.1/>`_, `Django 2.2.9 
<https://docs.djangoproject.com/en/dev/releases/2.2.9/>`_ and `Django 
1.11.27 <https://docs.djangoproject.com/en/dev/releases/1.11.27/>`_. 
These release addresses the security issue detailed below. We encourage 
all users of Django to upgrade as soon as possible.

CVE-2019-19844: Potential account hijack via password reset form
================================================================

By submitting a suitably crafted email address making use of Unicode
characters, that compared equal to an existing user email when 
lower-cased for
comparison, an attacker could be sent a password reset token for the matched
account.

In order to avoid this vulnerability, password reset requests now 
compare the
submitted email using the stricter, recommended algorithm for 
case-insensitive
comparison of two identifiers from `Unicode Technical Report 36, section
2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
sent to the email address on record rather than the submitted address.

.. __: https://www.unicode.org/reports/tr36/#Recommendations_General

Affected supported versions
===========================

* Django master branch
* Django 3.0
* Django 2.2
* Django 2.1

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch and
the 3.0, 2.2, and 1.11 release branches. The patches may be obtained 
from the following changesets:

* On the `master branch 
<https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70>`__
* On the `3.0 release branch 
<https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26>`__
* On the `2.2 release branch 
<https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e>`__
* On the `1.11 release branch 
<https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2>`__

The following releases have been issued:

* Django 3.0.1 (`download Django 3.0.1 
<https://www.djangoproject.com/m/releases/3.0/Django-3.0.1.tar.gz>`_ | 
`3.0.1 checksums 
<https://www.djangoproject.com/m/pgp/Django-3.0.1.checksum.txt>`_)
* Django 2.2.9 (`download Django 2.2.9 
<https://www.djangoproject.com/m/releases/2.2/Django-2.2.9.tar.gz>`_ | 
`2.2.9 checksums 
<https://www.djangoproject.com/m/pgp/Django-2.2.9.checksum.txt>`_)
* Django 1.11.27 (`download Django 1.11.27 
<https://www.djangoproject.com/m/releases/1.11/Django-1.11.27.tar.gz>`_ 
| `1.11.27 checksums 
<https://www.djangoproject.com/m/pgp/Django-1.11.27.checksum.txt>`_)

The PGP key ID used for these releases is Mariusz Felisiak: 
2EF56372BA48CD1B.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.

This issue was known publicly, therefore we fixed the issue as soon as 
possible without the usual `prenotification process 
<https://docs.djangoproject.com/en/dev/internals/security/#how-django-discloses-security-issues>`_.