Next | Query returned 41 messages, browsing 1 to 10 | Previous

CVS Commit History:

   2024-11-11 08:29:31 by Thomas Klausner | Files touched by this commit (862)
Log message:
py-*: remove unused tool dependency

py-setuptools includes the py-wheel functionality nowadays
   2024-03-04 16:47:29 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.25

Django 3.2.25 fixes a security issue with severity “moderate” and a regression in 3.2.24.

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).

Bugfixes

Fixed a regression in Django 3.2.24 where intcomma template filter could return a leading comma for string representation of floats.
   2024-02-09 11:34:29 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
Replace databases/py-mysqldb with databases/py-mysqlclient
   2024-02-08 23:46:48 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-django3: updated to 3.2.24

Django 3.2.24 fixes a security issue with severity “moderate” in 3.2.23.

CVE-2024-24680: Potential denial-of-service in intcomma template filter

The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
   2023-11-01 21:17:00 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.23

Django 3.2.23

CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows
   2023-10-04 22:13:51 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.22

Django 3.2.22 fixes a security issue with severity “moderate” in 3.2.21.

CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.

The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.
   2023-09-13 11:58:30 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.21

Django 3.2.21 fixes a security issue with severity “moderate” in 3.2.20.

CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()
   2023-08-04 07:22:05 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.20

Django 3.2.20 fixes a security issue with severity “moderate” in 3.2.19.

CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator

EmailValidator and URLValidator were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs.
   2023-05-10 11:01:46 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-django3: updated to 3.2.19

Django 3.2.19

CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field
   2023-02-14 10:50:16 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
py-django: update to 3.2.18.

===========================
Django 3.2.18 release notes
===========================

*February 14, 2023*

Django 3.2.18 fixes a security issue with severity "moderate" in 3.2.17.

CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
=========================================================================

Passing certain inputs to multipart forms could result in too many open files
or memory exhaustion, and provided a potential vector for a denial-of-service
attack.

The number of files parts parsed is now limited via the new
:setting:`DATA_UPLOAD_MAX_NUMBER_FILES` setting.

===========================
Django 3.2.17 release notes
===========================

*February 1, 2023*

Django 3.2.17 fixes a security issue with severity "moderate" in 3.2.16.

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers
===========================================================================

The parsed values of ``Accept-Language`` headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector via
excessive memory usage if large header values are sent.

In order to avoid this vulnerability, the ``Accept-Language`` header is now
parsed up to a maximum length.
