Subject: CVS commit: pkgsrc/www/py-django3
From: Adam Ciarcinski
Date: 2021-06-05 09:22:03
Message id: 20210605072204.0CB28FA95@cvs.NetBSD.org
Log Message:
py-django3: updated to 3.2.4
Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
CVE-2021-33203: Potential directory traversal via admindocs
Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.
CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.
Bugfixes
Fixed a bug in Django 3.2 where a final catch-all view in the admin didn’t respect the server-provided value of SCRIPT_NAME when redirecting unauthenticated users to the login page
Fixed a bug in Django 3.2 where a system check would crash on an abstract model
Prevented unnecessary initialization of unused caches following a regression in Django 3.2
Fixed a crash in Django 3.2 that could occur when running mod_wsgi with the recommended settings while the Windows colorama library was installed
Fixed a bug in Django 3.2 that would trigger the auto-reloader for template changes when directory paths were specified with strings
Fixed a regression in Django 3.2 that caused a crash of auto-reloader with AttributeError, e.g. inside a Conda environment
Fixed a regression in Django 3.2 that caused a loss of precision for operations with DecimalField on MySQL
Files:
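An added illustration of the CVE-2021-33571 issue described in the log message above (example code written for this page, not Django's or pkgsrc's own): a strict IPv4 check that rejects leading-zero octets on any Python version, beside a constructed inet_aton(3)-style parser that shows why the same string can resolve to a different address than the one a lenient validator checked. The function names are assumptions of this example.

```python
"""Why leading zeros in dotted quads are ambiguous, and a strict check.

Added example, not Django's own code. Parsers that follow inet_aton(3)
read an octet such as "010" as octal (8), while ipaddress on Python
before 3.9.5 read it as decimal (10). A validator that accepts both
spellings can approve a value that a downstream resolver sends
somewhere else, which is the SSRF/RFI/LFI concern named above.
"""
import ipaddress


def inet_aton_style_octet(octet: str) -> int:
    """Interpret one octet the way C inet_aton(3) does (constructed helper):
    a leading "0x" means hex, a leading "0" means octal, otherwise decimal."""
    if octet.lower().startswith("0x"):
        return int(octet, 16)
    if len(octet) > 1 and octet.startswith("0"):
        return int(octet, 8)
    return int(octet, 10)


def inet_aton_style_parse(value: str) -> str:
    """Parse a dotted quad with inet_aton(3) octet rules; return canonical form."""
    parts = value.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad")
    nums = [inet_aton_style_octet(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(str(n) for n in nums)


def validate_ipv4_strict(value: str) -> bool:
    """Return True only for a plain decimal dotted quad with no leading zeros.

    Mirrors the mitigation described in the log message: parse with
    ipaddress, then reject any octet that starts with "0" unless it is
    exactly "0". The extra check makes the result identical on Python
    versions before and after 3.9.5.
    """
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return not any(o != "0" and o.startswith("0") for o in value.split("."))
```

The strict check refuses "010.0.0.1" even though the lenient parse below turns it into "8.0.0.1", which is the disagreement the validators were fixed to avoid.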