The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
rhn.redhat.com/errata/RHSA-2016-0502.html
rhn.redhat.com/errata/RHSA-2016-0504.html
rhn.redhat.com/errata/RHSA-2016-0505.html
rhn.redhat.com/errata/RHSA-2016-0506.html
www.debian.org/security/2016/dsa-3544
www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
www.ubuntu.com/usn/USN-2915-1
www.ubuntu.com/usn/USN-2915-2
www.ubuntu.com/usn/USN-2915-3
github.com/django/django
github.com/django/django/commit/67b46ba7016da2d259c1ecc7d666d11f5e1cfaab
nvd.nist.gov/vuln/detail/CVE-2016-2513
web.archive.org/web/20160322001143/www.securitytracker.com/id/1035152
web.archive.org/web/20200228001222/www.securityfocus.com/bid/83878
www.djangoproject.com/weblog/2016/mar/01/security-releases