<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=""> <head> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.11.10 release notes — Django 1.11.20 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <script type="text/javascript" src="../_static/language_data.js"></script> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="next" title="Django 1.11.9 release notes" href="1.11.9.html" /> <link rel="prev" title="Django 1.11.11 release notes" href="1.11.11.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head><body> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.11.20 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.11.11.html" title="Django 1.11.11 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.11.9.html" title="Django 1.11.9 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.11.10"> <div class="section" id="s-django-1-11-10-release-notes"> <span id="django-1-11-10-release-notes"></span><h1>Django 1.11.10 release notes<a class="headerlink" href="#django-1-11-10-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>February 1, 2018</em></p> <p>Django 1.11.10 fixes a security issue and several bugs in 1.11.9.</p> <div class="section" id="s-cve-2018-6188-information-leakage-in-authenticationform"> <span id="cve-2018-6188-information-leakage-in-authenticationform"></span><h2>CVE-2018-6188: Information leakage in <code class="docutils literal notranslate"><span class="pre">AuthenticationForm</span></code><a class="headerlink" href="#cve-2018-6188-information-leakage-in-authenticationform" title="Permalink to this headline">¶</a></h2> <p>A regression in Django 1.11.8 made <a class="reference internal" href="../topics/auth/default.html#django.contrib.auth.forms.AuthenticationForm" title="django.contrib.auth.forms.AuthenticationForm"><code class="xref py py-class docutils literal notranslate"><span class="pre">AuthenticationForm</span></code></a> run its <code class="docutils literal notranslate"><span class="pre">confirm_login_allowed()</span></code> method even if an incorrect password is entered. This can leak information about a user, depending on what messages <code class="docutils literal notranslate"><span class="pre">confirm_login_allowed()</span></code> raises. If <code class="docutils literal notranslate"><span class="pre">confirm_login_allowed()</span></code> isn’t overridden, an attacker enter an arbitrary username and see if that user has been set to <code class="docutils literal notranslate"><span class="pre">is_active=False</span></code>. If <code class="docutils literal notranslate"><span class="pre">confirm_login_allowed()</span></code> is overridden, more sensitive details could be leaked.</p> <p>This issue is fixed with the caveat that <code class="docutils literal notranslate"><span class="pre">AuthenticationForm</span></code> can no longer raise the “This account is inactive.” error if the authentication backend rejects inactive users (the default authentication backend, <code class="docutils literal notranslate"><span class="pre">ModelBackend</span></code>, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions.</p> </div> <div class="section" id="s-bugfixes"> <span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2> <ul class="simple"> <li>Fixed incorrect foreign key nullification if a model has two foreign keys to the same model and a target model is deleted (<a class="reference external" href="https://code.djangoproject.com/ticket/29016">#29016</a>).</li> <li>Fixed a regression where <code class="docutils literal notranslate"><span class="pre">contrib.auth.authenticate()</span></code> crashes if an authentication backend doesn’t accept <code class="docutils literal notranslate"><span class="pre">request</span></code> and a later one does (<a class="reference external" href="https://code.djangoproject.com/ticket/29071">#29071</a>).</li> <li>Fixed crash when entering an invalid uuid in <code class="docutils literal notranslate"><span class="pre">ModelAdmin.raw_id_fields</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/29094">#29094</a>).</li> </ul> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.11.10 release notes</a><ul> <li><a class="reference internal" href="#cve-2018-6188-information-leakage-in-authenticationform">CVE-2018-6188: Information leakage in <code class="docutils literal notranslate"><span class="pre">AuthenticationForm</span></code></a></li> <li><a class="reference internal" href="#bugfixes">Bugfixes</a></li> </ul> </li> </ul> <h4>Previous topic</h4> <p class="topless"><a href="1.11.11.html" title="previous chapter">Django 1.11.11 release notes</a></p> <h4>Next topic</h4> <p class="topless"><a href="1.11.9.html" title="next chapter">Django 1.11.9 release notes</a></p> <div role="note" aria-label="source link"> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.11.10.txt" rel="nofollow">Show Source</a></li> </ul> </div> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <div class="searchformwrapper"> <form class="search" action="../search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Feb 11, 2019</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.11.11.html" title="Django 1.11.11 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.11.9.html" title="Django 1.11.9 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>