Subject: CVS commit: pkgsrc/www/py-django2
From: Adam Ciarcinski
Date: 2019-12-19 14:40:36
Message id: 20191219134036.6F30BFA97@cvs.NetBSD.org

Log Message:
py-django2: updated to 2.2.9

Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.

CVE-2019-19844: Potential account hijack via password reset form

By submitting a suitably crafted email address making use of Unicode characters,
that compared equal to an existing user email when lower-cased for comparison,
an attacker could be sent a password reset token for the matched account.

In order to avoid this vulnerability, password reset requests now compare the
submitted email using the stricter, recommended algorithm for case-insensitive
comparison of two identifiers from Unicode Technical Report 36, section
2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to
the email address on record rather than the submitted address.

Bugfixes
* Fixed a data loss possibility in SplitArrayField. When using with
  ArrayField(BooleanField()), all values after the first True value were marked as
  checked instead of preserving passed values.

Files:
Revision  Action  File
1.24      modify  pkgsrc/www/py-django2/Makefile
1.22      modify  pkgsrc/www/py-django2/distinfo
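
The two parts of the CVE-2019-19844 fix described in the log message, as an added example that is not part of the commit or Django's own code: a weak reset lookup beside a hardened one that compares after NFKC normalization and case folding and mails only the address on record. The function names, the use of `upper()` as a stand-in for a loose case-insensitive match, and the sample addresses are assumptions constructed for illustration.

```python
import unicodedata

# Constructed sample data: the single address on record.
STORED_EMAILS = ["mike@example.org"]

def loose_ci_equal(a: str, b: str) -> bool:
    """Stand-in for a loose case-insensitive match (assumption: simple case mapping)."""
    return a.upper() == b.upper()

def strict_ci_equal(a: str, b: str) -> bool:
    """Compare two identifiers after NFKC normalization and full case folding."""
    def fold(s: str) -> str:
        return unicodedata.normalize("NFKC", s).casefold()
    return fold(a) == fold(b)

def recipients_before(submitted: str, stored=STORED_EMAILS) -> list:
    """Weak form: loose match, and the token goes to the submitted address."""
    return [submitted for email in stored if loose_ci_equal(submitted, email)]

def recipients_after(submitted: str, stored=STORED_EMAILS) -> list:
    """Hardened form: strict match, and the token goes to the address on record."""
    return [email for email in stored if strict_ci_equal(submitted, email)]

if __name__ == "__main__":
    # Constructed inputs for exercising the check.
    samples = {
        "plain upper-case": "MIKE@Example.ORG",
        "dotless i (U+0131)": "m\u0131ke@example.org",
        "kelvin sign (U+212A)": "mi\u212Ae@example.org",
        "unrelated": "other@example.org",
    }
    for label, addr in samples.items():
        print(f"{label:22} before={recipients_before(addr)!r} "
              f"after={recipients_after(addr)!r}")
```

The U+212A input still matches under the strict comparison because NFKC maps it to `K`, which is why the second half of the fix, sending only to the stored address, is needed as well.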