Path to this page:
Subject: CVS commit: pkgsrc/www/py-django2
From: Adam Ciarcinski
Date: 2022-04-20 14:28:57
Message id: 20220420122857.729DDFB1A@cvs.NetBSD.org
Log Message:
py-django2: updated to 2.2.28
Django 2.2.28 fixes two security issues with severity “high” in 2.2.27.
CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and \
extra()
QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL \
injection in column aliases, using a suitably crafted dictionary, with \
dictionary expansion, as the **kwargs passed to these methods.
CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL
QuerySet.explain() method was subject to SQL injection in option names, using a \
suitably crafted dictionary, with dictionary expansion, as the **options \
argument.
Files: