Subject: CVS commit: pkgsrc/www/py-django2
From: Adam Ciarcinski
Date: 2021-05-05 09:04:18
Message id: 20210505070418.C11F9FA95@cvs.NetBSD.org
Log Message:
py-django2: updated to 2.2.21
Django 2.2.21 fixes a security issue in 2.2.20.
CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected.
Django 2.2.20
CVE-2021-28658: Potential directory-traversal via uploaded files
MultiPartParser allowed directory-traversal via uploaded files with suitably crafted file names.
Built-in upload handlers were not affected by this vulnerability.
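
The kind of check the log message describes (basename sanitation, and rejection of empty file names and paths with dot segments), shown as an added example. It is not Django's or pkgsrc's code; the names `SuspiciousFileName`, `sanitize_upload_name`, `validate_relative_path` and `check` are hypothetical, and the sample names are constructed.

```python
import posixpath


class SuspiciousFileName(ValueError):
    """Hypothetical exception for a rejected upload name or path."""


def sanitize_upload_name(raw_name):
    """Reduce a client-supplied file name to a bare basename, or reject it."""
    # The client may run any OS, so treat "\" as a separator as well as "/".
    base = posixpath.basename(raw_name.replace("\\", "/"))
    if base in {"", ".", ".."}:
        raise SuspiciousFileName(f"no usable file name in {raw_name!r}")
    return base


def validate_relative_path(path):
    """Accept a storage-relative path only if every segment is a real name."""
    normalized = path.replace("\\", "/")
    # A leading "/" or a trailing "/" both show up as an empty segment here,
    # so absolute paths and empty file names are rejected by the same test.
    if any(part in {"", ".", ".."} for part in normalized.split("/")):
        raise SuspiciousFileName(f"unsafe path {path!r}")
    return normalized


def check(validator, value):
    """Return the validated value, or None if the validator rejected it."""
    try:
        return validator(value)
    except SuspiciousFileName:
        return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for name in ["report.pdf", "../../etc/passwd", "..\\..\\x.txt", "..", "dir/", ""]:
        print(repr(name), "->", check(sanitize_upload_name, name))
    for path in ["uploads/2021/report.pdf", "uploads/../../settings.py", "/etc/passwd"]:
        print(repr(path), "->", check(validate_relative_path, path))
```
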
Files: