Subject: CVS commit: pkgsrc/www/py-django2
From: Adam Ciarcinski
Date: 2021-06-05 09:24:55
Message id: 20210605072455.7F6CFFA95@cvs.NetBSD.org
Log Message:
py-django2: updated to 2.2.24
Django 2.2.24 fixes two security issues in 2.2.23.
CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.
Files:
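Added example (not part of the commit message and not Django's own validator code) illustrating the CVE-2021-33571 issue: a lenient, inet_aton-style parser treats a leading zero as an octal prefix, so the same string names a different host depending on which parser reads it, and a validator that only checks "four numbers 0..255" lets that ambiguity through. The `validate_ipv4` function below pairs `ipaddress` with an explicit leading-zero check so the outcome does not depend on whether the interpreter is 3.9.5+; all function and sample names are this example's own.

```python
import ipaddress
from typing import Optional


def legacy_octet_value(octet: str) -> int:
    """Interpret one octet the way classic inet_aton()-style parsers do:
    '0x' prefix is hex, a leading '0' is octal, otherwise decimal."""
    if octet[:2].lower() == "0x":
        return int(octet[2:], 16)
    if len(octet) > 1 and octet[0] == "0":
        return int(octet, 8)
    return int(octet, 10)


def legacy_parse(value: str) -> Optional[str]:
    """Return the canonical dotted-decimal address a lenient parser would
    actually resolve the string to, or None if it is not parseable."""
    parts = value.split(".")
    if len(parts) != 4:
        return None
    try:
        nums = [legacy_octet_value(p) for p in parts]
    except ValueError:
        return None
    if any(not 0 <= n <= 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums)


def validate_ipv4(value: str) -> bool:
    """Accept only canonical dotted-decimal IPv4: parseable by ipaddress AND
    no octet with a leading zero (a lone '0' is fine). On Python 3.9.5+ the
    ipaddress module already rejects leading zeros; the explicit check makes
    the behaviour identical on older interpreters."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return not any(len(o) > 1 and o[0] == "0" for o in value.split("."))


if __name__ == "__main__":
    # Constructed sample inputs: the same loopback address written three ways.
    for sample in ("127.0.0.1", "0177.0.0.1", "010.0.0.1"):
        print(sample, "->", legacy_parse(sample), "strict:", validate_ipv4(sample))
```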