Errata overview
Errata ID: 631
Date: 2020-01-15
Source package: python-django
Fixed in version: 1:1.10.7-2+deb9u7
This update addresses the following issue:
* Django allows account takeover: A suitably crafted email address (that is
  equal to an existing user's email address after case transformation of
  Unicode characters) would allow an attacker to be sent a password reset
  token for the matched user account. One mitigation in the new releases is
  to send password reset tokens only to the registered user email address.
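
The comparison problem and the mitigation described above, as an added Python example (not Django's code and not part of this erratum). The account table, the sample addresses and all function names are constructed for illustration.

```python
import unicodedata

# Constructed account table: username -> registered e-mail address.
USERS = {"mike": "mike@example.org", "kim": "kim@example.com"}

# Constructed reset-form inputs: ordinary case variation, and two addresses
# that equal a registered one only after Unicode case transformation.
SAMPLES = ["Mike@Example.org", "m\u0131ke@example.org", "\u212aim@example.com"]


def loose_match(a, b):
    """Case-insensitive match by plain case transformation (the risky compare)."""
    return a.upper() == b.upper() or a.lower() == b.lower()


def strict_match(a, b):
    """Match only if equal after NFKC normalisation and full case folding."""
    def norm(s):
        return unicodedata.normalize("NFKC", s).casefold()
    return norm(a) == norm(b)


def recipients_before(submitted, users=USERS):
    """Behaviour the erratum describes: the token goes to the typed address."""
    return [submitted for stored in users.values()
            if loose_match(stored, submitted)]


def recipients_after(submitted, users=USERS):
    """Mitigation: the token goes only to the registered address."""
    return [stored for stored in users.values()
            if strict_match(stored, submitted)]


if __name__ == "__main__":
    for addr in SAMPLES:
        print(ascii(addr), recipients_before(addr), recipients_after(addr))
```

Whatever comparison is used to find the account, the second function never returns attacker-supplied text as the delivery address.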
Additional notes
CVE ID: CVE-2019-19844
UCS Bug number: #50694