============================ Django 1.11.27 release notes ============================ *December 18, 2019* Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26. CVE-2019-19844: Potential account hijack via password reset form ================================================================ By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account. In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from `Unicode Technical Report 36, section 2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address. .. __: https://www.unicode.org/reports/tr36/#Recommendations_General Bugfixes ======== * Fixed a data loss possibility in :class:`~django.contrib.postgres.forms.SplitArrayField`. When using with ``ArrayField(BooleanField())``, all values after the first ``True`` value were marked as checked instead of preserving passed values (:ticket:`31073`).