2021-06-05 09:24:55 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.24

Django 2.2.24 fixes two security issues in 2.2.23.

CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn’t prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.
2021-05-14 20:53:07 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.23

Django 2.2.23 fixes a regression in 2.2.21.

Bugfixes

Fixed a regression in Django 2.2.21 where saving FileField would raise a SuspiciousFileOperation even when a custom upload_to returns a valid file path.

Django 2.2.22 fixes a security issue in 2.2.21.

CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+

On Python 3.9.5+, URLValidator didn’t prohibit newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn’t vulnerable because HttpResponse prohibits newlines in HTTP headers.

Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you are using this validator outside of the form fields.

This issue was introduced by the bpo-43882 fix.
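Strict input checks for the two validator issues above (leading-zero IPv4 octets in 2.2.24 and CR/LF/TAB slipping past URLValidator in 2.2.22), written here as an added example; this is not Django's code and not part of the commit messages. The function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One octet: 0-255, with no leading zero unless the octet is exactly "0".
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])"
_IPV4_RE = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")
_CTRL_RE = re.compile(r"[\r\n\t]")


def is_strict_ipv4(value: str) -> bool:
    """True only for canonical dotted-quad text; "0177.0.0.1" and
    "127.000.000.001" are rejected instead of being left to the resolver."""
    return _IPV4_RE.fullmatch(value) is not None


def candidate_hosts(value: str) -> set:
    """The distinct addresses a lenient parser could turn `value` into: an
    octet with a leading zero is read as octal by inet_aton-style parsers
    and as decimal by others, which is why the note above calls the
    resulting SSRF/RFI/LFI 'indeterminate'. Empty set means not a quad."""
    octets = value.split(".")
    if len(octets) != 4 or not all(re.fullmatch(r"[0-9]+", o) for o in octets):
        return set()
    as_decimal = [int(o, 10) for o in octets]
    try:
        as_octal = [int(o, 8) if len(o) > 1 and o[0] == "0" else int(o, 10)
                    for o in octets]
    except ValueError:  # e.g. "09" is not a valid octal literal
        as_octal = as_decimal
    if any(n > 255 for n in as_decimal + as_octal):
        return set()
    return {".".join(map(str, quad)) for quad in (as_decimal, as_octal)}


def validate_url_text(value: str) -> bool:
    """Reject CR, LF and TAB before urlsplit() sees the string: after the
    bpo-43882 fix (Python 3.9.5+) urlsplit strips those characters, so a
    validator that only inspects the parsed parts would accept a value
    that later injects a header when echoed into a response."""
    if _CTRL_RE.search(value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)
```

candidate_hosts() is the diagnostic half: when it returns more than one address for a value, that value must not reach a resolver unvalidated.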
2021-05-05 09:04:18 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.21

Django 2.2.21 fixes a security issue in 2.2.20.

CVE-2021-31542: Potential directory-traversal via uploaded files

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected.

Django 2.2.20

CVE-2021-28658: Potential directory-traversal via uploaded files

MultiPartParser allowed directory-traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
2021-03-01 13:44:07 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.19

Django 2.2.19 fixes a security issue in 2.2.18.

CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.
2021-02-05 08:52:37 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.18

Django 2.2.18 fixes a security issue with severity “low” in 2.2.17.

CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.
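The three directory-traversal notes in this log share one mitigation: reduce a supplied name to a basename, refuse empty names, dot segments and absolute paths, and confirm the joined result stays under the root (template roots in 2.2.24, upload paths in 2.2.21/2.2.20, archive members in 2.2.18). The following is an added illustration of that check, not Django's implementation; SuspiciousFileOperation here is a stand-in class that borrows the name from the 2.2.23 note, and the other names are mine.

```python
import posixpath


class SuspiciousFileOperation(Exception):
    """Stand-in named after the exception the 2.2.23 note mentions."""


def safe_basename(name: str) -> str:
    """Keep only the final path component of a client-supplied file name,
    treating both separators alike, and refuse names that leave nothing
    usable (empty, "." or "..")."""
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise SuspiciousFileOperation(f"could not derive a file name from {name!r}")
    return base


def safe_join(root: str, *parts: str) -> str:
    """Join `parts` under the absolute directory `root`. Absolute parts and
    dot segments are rejected outright rather than normalised away, and the
    joined result is checked to still lie inside `root`."""
    root = posixpath.normpath(root)
    cleaned = []
    for part in parts:
        part = part.replace("\\", "/")
        if part.startswith("/"):
            raise SuspiciousFileOperation(f"absolute path {part!r} is not allowed")
        if any(seg in (".", "..") for seg in part.split("/")):
            raise SuspiciousFileOperation(f"dot segment in {part!r}")
        cleaned.append(part)
    final = posixpath.normpath(posixpath.join(root, *cleaned))
    if final != root and not final.startswith(root.rstrip("/") + "/"):
        raise SuspiciousFileOperation(f"{final!r} escapes {root!r}")
    return final


def upload_target(root: str, upload_to: str, original_name: str) -> str:
    """Storage path for an upload: `upload_to` is operator configuration but
    is still checked; the client-supplied name is reduced to a basename first."""
    return safe_join(root, upload_to, safe_basename(original_name))


def is_accepted(func, *args) -> bool:
    """True if `func(*args)` is not rejected by the checks above."""
    try:
        func(*args)
        return True
    except SuspiciousFileOperation:
        return False
```

For archive extraction the same safe_join() is applied to every member name before anything is written, so a member such as "../x" or "/etc/x" is refused instead of normalised.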
2020-11-02 12:09:35 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.17

Django 2.2.17 adds compatibility with Python 3.9.
2020-09-10 11:32:28 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.16

Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.

You should review and manually fix permissions on existing intermediate-level directories.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

On Python 3.7+, the intermediate-level directories of the file system cache had the system’s standard umask rather than 0o077 (no group or others permissions).

Bugfixes

Fixed a data loss possibility in the select_for_update(). When using related fields pointing to a proxy model in the of argument, the corresponding model was not locked.

Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value.

Django 2.2.15 fixes two bugs in 2.2.14.

Bugfixes

Allowed setting the SameSite cookie flag in HttpResponse.delete_cookie().

Fixed crash when sending emails to addresses with display names longer than 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.
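The 2.2.16 note tells operators to review and fix permissions on intermediate-level directories that were created before the upgrade. This added example (not Django's code, names are mine) audits a media tree against the configured directory mode and can repair it; the same function with expected=0o700 covers the file system cache directories from the second CVE. The demo tree it builds is a constructed fixture.

```python
import os
import stat
import tempfile


def audit_directory_modes(root: str, expected: int = 0o755):
    """Return (relative path, actual mode) for every directory below `root`
    (root itself excluded) whose permission bits differ from `expected`.
    Nothing is modified; symlinked directories are not followed."""
    wrong = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode != expected:
                wrong.append((os.path.relpath(full, root), mode))
    return sorted(wrong)


def fix_directory_modes(root: str, expected: int = 0o755):
    """chmod every directory reported by audit_directory_modes() to
    `expected` and return the relative paths that were changed."""
    fixed = []
    for rel, _ in audit_directory_modes(root, expected):
        os.chmod(os.path.join(root, rel), expected)
        fixed.append(rel)
    return fixed


def build_demo_tree() -> str:
    """Constructed fixture: a media root whose intermediate directory
    uploads/2020 ended up world-writable (as if created under a permissive
    umask) while its parent and child carry the configured 0o755."""
    root = tempfile.mkdtemp(prefix="media-")
    os.makedirs(os.path.join(root, "uploads", "2020", "09"))
    for rel in ("uploads", "uploads/2020", "uploads/2020/09"):
        os.chmod(os.path.join(root, rel), 0o755)
    os.chmod(os.path.join(root, "uploads", "2020"), 0o777)
    return root
```

Run the audit first and review its output before calling fix_directory_modes(); directories that legitimately need a different mode should be excluded rather than blindly rewritten.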
2020-07-08 17:11:23 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.14

Django 2.2.14 fixes a bug in 2.2.13.

Bugfixes

Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings raised by cache key validation.
2020-06-03 17:28:38 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.13

Django 2.2.13 fixes two security issues and a regression in 2.2.12.

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.

Bugfixes

Fixed a regression in Django 2.2.12 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language.

Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.3.1 to 3.5.1.
2020-04-06 18:58:56 by Adam Ciarcinski | Files touched by this commit (2)
Log message: py-django2: updated to 2.2.12

Django 2.2.12: Added the ability to handle .po files containing different plural equations for the same language.