Subject: CVS commit: pkgsrc/www/py-django
From: Adam Ciarcinski
Date: 2019-12-19 14:39:50
Message id: 20191219133950.54A32FA97@cvs.NetBSD.org

Log Message:
py-django: updated to 1.11.27

Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.

CVE-2019-19844: Potential account hijack via password reset form

By submitting a suitably crafted email address making use of Unicode characters, \ 
that compared equal to an existing user email when lower-cased for comparison, \ 
an attacker could be sent a password reset token for the matched account.

In order to avoid this vulnerability, password reset requests now compare the \ 
submitted email using the stricter, recommended algorithm for case-insensitive \ 
comparison of two identifiers from Unicode Technical Report 36, section \ 
2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to \ 
the email address on record rather than the submitted address.

Bugfixes
* Fixed a data loss possibility in SplitArrayField. When using with \ 
ArrayField(BooleanField()), all values after the first True value were marked as \ 
checked instead of preserving passed values

Files:
RevisionActionfile
1.112modifypkgsrc/www/py-django/Makefile
1.91modifypkgsrc/www/py-django/distinfo