On Monday, Django 2.1.2 was released, which has addressed a security issue regarding password hash disclosure. Along with that, this version fixes several other bugs in 2.1.1 and also comes with the latest string translations from Transifex.
Users password hash visible to “view only” admin users
In Django 2.1.1, the admin users who had permissions to change the user model could see a part of the password hash in the change form. Also, admin users with “view only” permission to the user model were allowed to see the entire hash.
This could prove to be a big problem if the password is weak or your site uses weaker password hashing algorithms such as MD5 or SHA1. This vulnerability has been named CVE-2018-16984 since 13th September, 2018.
This issue has been solved in this new security release.
- A bug is fixed where lookup using F() on a non-existing model field didn’t raised FieldError.
- The migrations loader now ignores the files starting with a tilde or underscore.
- Migrations correctly detects changes made to Meta.default_related_name.
- Support for cx_Oracle 7 is added.
- Quoting of unique index names is now fixed.
- Sliced queries with multiple columns with the same name will not result in crash on Oracle 12.1 anymore.
- A crash is fixed when a user with the view only (but not change) permission made a POST request to an admin user change form.
To read the release notes of Django, head over to its official website.