2024-11-11 08:29:31 by Thomas Klausner | Files touched by this commit (862)
Log message:
py-*: remove unused tool dependency
py-setuptools includes the py-wheel functionality nowadays
2024-03-04 16:47:29 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django3: updated to 3.2.25
Django 3.2.25 fixes a security issue with severity “moderate” and a regression in 3.2.24.
CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).
Bugfixes
Fixed a regression in Django 3.2.24 where intcomma template filter could return a leading comma for string representation of floats.
2024-02-09 11:34:29 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
Replace databases/py-mysqldb with databases/py-mysqlclient
2024-02-08 23:46:48 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
py-django3: updated to 3.2.24
Django 3.2.24 fixes a security issue with severity “moderate” in 3.2.23.
CVE-2024-24680: Potential denial-of-service in intcomma template filter
The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
2023-11-01 21:17:00 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django3: updated to 3.2.23
Django 3.2.23
CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
2023-10-04 22:13:51 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django3: updated to 3.2.22
Django 3.2.22 fixes a security issue with severity “moderate” in 3.2.21.
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.
The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.
The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.
2023-09-13 11:58:30 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django3: updated to 3.2.21
Django 3.2.21 fixes a security issue with severity “moderate” in 3.2.20.
CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()
2023-08-04 07:22:05 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django3: updated to 3.2.20
Django 3.2.20 fixes a security issue with severity “moderate” in 3.2.19.
CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
EmailValidator and URLValidator were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs.
2023-05-10 11:01:46 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django3: updated to 3.2.19
Django 3.2.19
CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
2023-02-14 10:50:16 by Thomas Klausner | Files touched by this commit (2)
Log message:
py-django: update to 3.2.18.
===========================
Django 3.2.18 release notes
===========================
*February 14, 2023*
Django 3.2.18 fixes a security issue with severity "moderate" in 3.2.17.
CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
=========================================================================
Passing certain inputs to multipart forms could result in too many open files
or memory exhaustion, and provided a potential vector for a denial-of-service
attack.
The number of file parts parsed is now limited via the new
:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.
===========================
Django 3.2.17 release notes
===========================
*February 1, 2023*
Django 3.2.17 fixes a security issue with severity "moderate" in 3.2.16.
CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers
===========================================================================
The parsed values of ``Accept-Language`` headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector via
excessive memory usage if large header values are sent.
In order to avoid this vulnerability, the ``Accept-Language`` header is now
parsed up to a maximum length.
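The 3.2.17 note above describes a cache keyed on raw ``Accept-Language`` values that can grow in memory when very large headers are sent, and a fix that parses the header only up to a maximum length. The following is an added illustration of that pattern, written for this page; it is not Django's code and not part of the pkgsrc commit. The names ``ACCEPT_LANGUAGE_MAX_LENGTH``, ``parse_accept_lang_header``, ``truncate_header`` and ``safe_parse`` and the 500-character cap are assumptions chosen for the example, and the oversized header in ``make_long_header`` is constructed test input.

```python
"""Added example (not Django's code): bounding a cache of parsed
Accept-Language headers by capping the header length before it is
parsed and cached. Names and the 500-character limit are assumptions."""
import re
from functools import lru_cache

# Assumed cap for this example; chosen to be far above any legitimate
# browser header while keeping each cache entry small.
ACCEPT_LANGUAGE_MAX_LENGTH = 500

# One language-range with an optional q-value, e.g. "en-GB;q=0.8" or "*".
# Subtags are length-bounded and the pieces are already comma-split, so
# this pattern does not backtrack catastrophically.
_LANG_RE = re.compile(
    r"\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*"
    r"(?:;\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?\s*$"
)


def parse_accept_lang_header(header: str) -> tuple:
    """Parse an Accept-Language value into ((lang, q), ...) sorted by q.

    Malformed pieces are skipped rather than raising, as a server would
    not want a bad header to turn into a 500 response.
    """
    result = []
    for piece in header.split(","):
        m = _LANG_RE.match(piece)
        if not m:
            continue
        lang, q = m.group(1), m.group(2)
        result.append((lang.lower(), float(q) if q else 1.0))
    result.sort(key=lambda item: -item[1])  # stable: ties keep header order
    return tuple(result)


def truncate_header(header: str, limit: int = ACCEPT_LANGUAGE_MAX_LENGTH) -> str:
    """Keep at most `limit` characters, cutting at the last comma so that a
    half-written language range is dropped instead of parsed."""
    if len(header) <= limit:
        return header
    head = header[:limit]
    idx = head.rfind(",")
    return head[:idx] if idx != -1 else ""


@lru_cache(maxsize=1000)
def _parse_cached(header: str) -> tuple:
    # The cache key is the (already truncated) header string, so each of the
    # at most 1000 entries holds a bounded key and a bounded parsed tuple.
    return parse_accept_lang_header(header)


def safe_parse(header: str) -> tuple:
    """Truncate first, then consult the cache: the hazard in the note is a
    cache keyed on the untruncated header, where every distinct oversized
    value becomes a large entry."""
    return _parse_cached(truncate_header(header))


def make_long_header(entries: int) -> str:
    """Constructed test input: `entries` well-formed ranges, 8 chars each
    including the separating comma ("aa-0000,aa-0001,...")."""
    return ",".join(f"aa-{i:04d}" for i in range(entries))


if __name__ == "__main__":
    print(safe_parse("en-GB;q=0.8, fr, *;q=0.1"))
    big = make_long_header(5000)
    print(len(big), "chars in header ->", len(safe_parse(big)), "ranges kept")
```

With the cap in place, a 40,000-character header contributes at most a 500-character key and a few dozen parsed ranges to the cache, whichever of the 1000 slots it occupies; without ``truncate_header`` the same cache would hold up to 1000 copies of whatever size the client chose to send.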