2022-04-20 14:28:57 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message:
py-django2: updated to 2.2.28
Django 2.2.28 fixes two security issues with severity “high” in 2.2.27.
CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and \
extra()
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL \
injection in column aliases, using a suitably crafted dictionary, with \
dictionary expansion, as the **kwargs passed to these methods.
CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL
QuerySet.explain() method was subject to SQL injection in option names, using a \
suitably crafted dictionary, with dictionary expansion, as the **options \
argument.
|
2022-02-02 11:17:20 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message:
py-django2: updated to 2.2.27
Django 2.2.27 fixes two security issues with severity “medium” in 2.2.26.
CVE-2022-22818: Possible XSS via {% debug %} template tag
CVE-2022-23833: Denial-of-service possibility in file uploads
|
2022-01-19 10:48:47 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message:
py-django2: updated to 2.2.26
Django 2.2.26 fixes one security issue with severity “medium” and two \
security issues with severity “low” in 2.2.25.
- CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator
- CVE-2021-45116: Potential information disclosure in dictsort template filter
- CVE-2021-45452: Potential directory-traversal via Storage.save()
|
2022-01-05 16:51:59 by Thomas Klausner | Files touched by this commit (4) |
Log message:
py-django*: switch to USE_PKG_RESOURCES
|
2022-01-05 11:09:54 by Thomas Klausner | Files touched by this commit (4) |
Log message:
py-django*: add dependency on py-setuptools
These use pkg_resources.
Noted by joerg.
Bump PKGREVISION.
|
2022-01-04 21:55:40 by Thomas Klausner | Files touched by this commit (1595) |
Log message:
*: bump PKGREVISION for egg.mk users
They now have a tool dependency on py-setuptools instead of a DEPENDS
|
2021-12-14 09:57:48 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message:
py-django2: updated to 2.2.25
2.2.25:
CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
HTTP requests for URLs with trailing newlines could bypass an upstream access \
control based on URL paths.
|
2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030) |
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts):
www/nghttp2/distinfo
Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
|
2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033) |
Log message:
www: Remove SHA1 hashes for distfiles
|
2021-06-05 09:24:55 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message:
py-django2: updated to 2.2.24
Django 2.2.24 fixes two security issues in 2.2.23.
CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to check the \
existence of arbitrary files. Additionally, if (and only if) the default \
admindocs templates have been customized by the developers to also expose the \
file contents, then not only the existence but also the file contents would have \
been exposed.
As a mitigation, path sanitation is now applied and only files within the \
template root directories can be loaded.
CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since \
validators accepted leading zeros in IPv4 addresses¶
URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t \
prohibit leading zeros in octal literals. If you used such values you could \
suffer from indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators were not \
affected on Python 3.9.5+.
|