Next | Query returned 45 messages, browsing 11 to 20 | Previous

History of commit frequency

CVS Commit History:


   2021-05-14 20:53:07 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.23

Django 2.2.23 fixes a regression in 2.2.21.

Bugfixes

Fixed a regression in Django 2.2.21 where saving FileField would raise a \ 
SuspiciousFileOperation even when a custom upload_to returns a valid file path

Django 2.2.22 fixes a security issue in 2.2.21.

CVE-2021-32052: Header injection possibility since URLValidator accepted \ 
newlines in input on Python 3.9.5+

On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used \ 
values with newlines in HTTP response, you could suffer from header injection \ 
attacks. Django itself wasn’t vulnerable because HttpResponse prohibits \ 
newlines in HTTP headers.

Moreover, the URLField form field which uses URLValidator silently removes \ 
newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your \ 
data only existed if you are using this validator outside of the form fields.

This issue was introduced by the bpo-43882 fix.
   2021-05-05 09:04:18 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to t 2.2.21

Django 2.2.21 fixes a security issue in 2.2.20.
CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via \ 
uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now \ 
applied. Specifically, empty file names and paths with dot segments will be \ 
rejected.

Django 2.2.20
CVE-2021-28658: Potential directory-traversal via uploaded files
MultiPartParser allowed directory-traversal via uploaded files with suitably \ 
crafted file names.
Built-in upload handlers were not affected by this vulnerability.
   2021-03-01 13:44:07 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.19

Django 2.2.19 fixes a security issue in 2.2.18.

CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport \ 
some security fixes. A further security fix has been issued recently such that \ 
parse_qsl() no longer allows using ; as a query parameter separator by default. \ 
Django now includes this fix. See bpo-42967 for further details.
   2021-02-05 08:52:37 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.18

Django 2.2.18 fixes a security issue with severity “low” in 2.2.17.

CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and \ 
startproject --template, allowed directory-traversal via an archive with \ 
absolute paths or relative paths with dot segments.
   2020-11-02 12:09:35 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.17

Django 2.2.17 adds compatibility with Python 3.9.
   2020-09-10 11:32:28 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.16

Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.

CVE-2020-24583: Incorrect permissions on intermediate-level directories on \ 
Python 3.7+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to \ 
intermediate-level directories created in the process of uploading files and to \ 
intermediate-level collected static directories when using the collectstatic \ 
management command.

You should review and manually fix permissions on existing intermediate-level \ 
directories.

CVE-2020-24584: Permission escalation in intermediate-level directories of the \ 
file system cache on Python 3.7+

On Python 3.7+, the intermediate-level directories of the file system cache had \ 
the system’s standard umask rather than 0o077 (no group or others \ 
permissions).

Bugfixes

Fixed a data loss possibility in the select_for_update(). When using related \ 
fields pointing to a proxy model in the of argument, the corresponding model was \ 
not locked.
Fixed a data loss possibility, following a regression in Django 2.0, when \ 
copying model instances with a cached fields value.

Django 2.2.15 fixes two bugs in 2.2.14.

Bugfixes

Allowed setting the SameSite cookie flag in HttpResponse.delete_cookie().
Fixed crash when sending emails to addresses with display names longer than 75 \ 
chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.
   2020-07-08 17:11:23 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.14

Django 2.2.14 fixes a bug in 2.2.13.

Bugfixes

Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings raised \ 
by cache key validation
   2020-06-03 17:28:38 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.13

Django 2.2.13 fixes two security issues and a regression in 2.2.12.

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing \ 
malformed cache keys could result in a key collision, and potential data \ 
leakage. In order to avoid this vulnerability, key validation is added to the \ 
memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL \ 
encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query \ 
parameters are correctly URL encoded.

Bugfixes

Fixed a regression in Django 2.2.12 that affected translation loading for apps \ 
providing translations for territorial language variants as well as a generic \ 
language, where the project has different plural equations for the language.
Tracking a jQuery security release, upgraded the version of jQuery used by the \ 
admin from 3.3.1 to 3.5.1.
   2020-04-06 18:58:56 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.12

Django 2.2.12:
Added the ability to handle .po files containing different plural equations for \ 
the same language
   2020-03-12 17:21:02 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django2: updated to 2.2.11

Django 2.2.11 fixes a security issue and a data loss bug in 2.2.10.

CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions \ 
and aggregates on Oracle

GIS functions and aggregates on Oracle were subject to SQL injection, using a \ 
suitably crafted tolerance.

Bugfixes

Fixed a data loss possibility in the select_for_update(). When using related \ 
fields or parent link fields with Multi-table inheritance in the of argument, \ 
the corresponding models were not locked

Next | Query returned 45 messages, browsing 11 to 20 | Previous