Viewing github.com/django/django-stable-4.1.x/docs/releases/2.0.2.txt

Django 2.0.2 fixes a security issue and several bugs in 2.0.1.

CVE-2018-6188: Information leakage in ``AuthenticationForm``

============================================================

:class:`~django.contrib.auth.forms.AuthenticationForm` run its

``confirm_login_allowed()`` method even if an incorrect password is entered.

This can leak information about a user, depending on what messages

``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't

overridden, an attacker enter an arbitrary username and see if that user has

been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,

more sensitive details could be leaked.

This issue is fixed with the caveat that ``AuthenticationForm`` can no longer

raise the "This account is inactive." error if the authentication backend

rejects inactive users (the default authentication backend, ``ModelBackend``,

has done that since Django 1.10). This issue will be revisited for Django 2.1

as a fix to address the caveat will likely be too invasive for inclusion in

* Fixed hidden content at the bottom of the "The install worked successfully!"

  page for some languages (:ticket:`28885`).

* Fixed incorrect foreign key nullification if a model has two foreign keys to

  the same model and a target model is deleted (:ticket:`29016`).

* Fixed regression in the use of ``QuerySet.values_list(..., flat=True)``

  followed by ``annotate()`` (:ticket:`29067`).

* Fixed a regression where a queryset that annotates with geometry objects

* Fixed a regression where ``contrib.auth.authenticate()`` crashes if an

  authentication backend doesn't accept ``request`` and a later one does

* Fixed a regression where ``makemigrations`` crashes if a migrations directory

  doesn't have an ``__init__.py`` file (:ticket:`29091`).

* Fixed crash when entering an invalid uuid in ``ModelAdmin.raw_id_fields``