www/py-django4
Django, a high-level Python Web framework
Branch: CURRENT
Version: 4.2.17
Package name: py312-django-4.2.17
Maintainer: pkgsrc-users
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Django was designed to make common Web-development tasks fast and easy.
Master sites:
Filesize: 10193.041 KB
Version history:
- (2024-12-04) Updated to version: py312-django-4.2.17
- (2024-09-06) Updated to version: py312-django-4.2.16
- (2024-08-16) Updated to version: py312-django-4.2.15
- (2024-08-06) Updated to version: py311-django-4.2.15
- (2024-07-11) Updated to version: py311-django-4.2.14
- (2024-05-07) Updated to version: py311-django-4.2.13
CVS history:
2024-12-04 21:21:06 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django4: updated to 4.2.17
4.2.17
Django 4.2.17 fixes one security issue with severity “high” and one security issue with severity “moderate” in 4.2.16.
CVE-2024-53907: Denial-of-service possibility in strip_tags()
strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.
strip_tags() now has an upper limit of recursive calls to HTMLParser before raising a SuspiciousOperation exception.
Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().
CVE-2024-53908: Potential SQL injection via HasKey(lhs, rhs) on Oracle
Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle was subject to SQL injection if untrusted data was used as a lhs value.
Applications that use the has_key lookup through the __ syntax are unaffected.
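The two points in the 4.2.17 note above, the capped stripping loop and the escape-before-mark-safe rule, as an added Python illustration. This is not Django's code and not part of the pkgsrc page; it uses only the standard library (html.parser.HTMLParser, which is the parser class the advisory refers to, and html.escape as a stand-in for django.utils.html.escape). The names MAX_STRIP_DEPTH, StripDepthExceeded, _TagStripper, strip_tags_capped, html_safe_text and exceeds_depth, the cap of 50 passes and all sample inputs are chosen here for the example. The nested input is a constructed shape that needs one stripping pass per layer; it is not the input from the advisory.

```python
"""Tag stripping with a pass cap, plus escape-before-mark-safe.

Added illustration, not Django's code: a minimal strip_tags() built on the
standard-library HTMLParser with the two properties the 4.2.17 note describes:
  1. repeated stripping passes are capped and raise an exception when the
     input needs more passes than allowed, and
  2. the stripped result is NOT HTML-safe and must be escaped before it is
     marked safe.
All names and the cap value below are chosen for this example.
"""
import html
from html.parser import HTMLParser

# Cap on stripping passes; value chosen for the example.
MAX_STRIP_DEPTH = 50


class StripDepthExceeded(Exception):
    """Stand-in for the SuspiciousOperation the advisory mentions."""


class _TagStripper(HTMLParser):
    """Collects text and entity references, discards tags.

    convert_charrefs=False keeps "&lt;" as "&lt;" instead of decoding it to
    "<": decoding would turn escaped markup back into live markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")

    def get_data(self):
        return "".join(self.parts)


def _strip_once(value):
    """One parser pass over value; tags are dropped, text and entities kept."""
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.get_data()


def strip_tags_capped(value):
    """Strip tags until none are left, but give up after MAX_STRIP_DEPTH passes.

    A single pass can expose a new tag (e.g. "<<b>b>" becomes "<b>"), so the
    loop repeats while it still makes progress. Without a cap, input shaped
    to need one pass per layer keeps the parser busy for as long as the input
    is; the cap turns that into an exception the caller can treat as a
    suspicious request.
    """
    value = str(value)
    depth = 0
    while "<" in value and ">" in value:
        if depth >= MAX_STRIP_DEPTH:
            raise StripDepthExceeded(f"more than {MAX_STRIP_DEPTH} stripping passes")
        new_value = _strip_once(value)
        if value.count("<") == new_value.count("<"):
            break  # no tag removed: stray "<" / ">" that are not tags stay as-is
        value = new_value
        depth += 1
    return value


def html_safe_text(value):
    """What to do before mark_safe(): strip, then escape what remains.

    Stripping alone leaves literal "<" and ">" that never formed a tag, so the
    result still has to be escaped. Entity references kept by the stripper get
    escaped a second time (over-escaping), which is the safe direction.
    """
    return html.escape(strip_tags_capped(value), quote=True)


def exceeds_depth(value):
    """True if stripping value would trip the pass cap."""
    try:
        strip_tags_capped(value)
    except StripDepthExceeded:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    print(strip_tags_capped("<p>Hello <b>world</b></p>"))  # Hello world
    print(strip_tags_capped("<i>a &lt;b&gt;</i>"))          # a &lt;b&gt;
    print(strip_tags_capped("1 < 2 and 3 > 0"))             # unchanged: not tags
    print(html_safe_text("1 < 2 and 3 > 0"))                # 1 &lt; 2 and 3 &gt; 0
    # Each pass peels exactly one layer: 60 layers against a cap of 50.
    print(exceeds_depth("<" * 60 + "b>" * 60))              # True
```

The constructed input "<" * k + "b>" * k is the interesting case: in each pass the parser treats the leading "<" characters as text, removes the single "<b>" that is now well-formed, and leaves "<" * (k-1) + "b>" * (k-1), so the loop needs exactly k passes. Two guards stop it: the count check ends the loop when a pass removes nothing (harmless stray angle brackets), and the depth cap ends it when passes keep making progress but there are more of them than any legitimate document needs.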
2024-11-11 08:29:31 by Thomas Klausner | Files touched by this commit (862)
Log message:
py-*: remove unused tool dependency
py-setuptools includes the py-wheel functionality nowadays
2024-08-15 23:55:19 by Thomas Klausner | Files touched by this commit (6)
Log message:
*: remove Python 3.9 specific dependencies
in a quest to fix pbulk
2024-05-07 20:17:41 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django4: updated to 4.2.13
Django 4.2.13 fixes a packaging error in 4.2.12.
2024-05-07 05:56:44 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django4: updated to 4.2.12
Django 4.2.12 fixes a compatibility issue with Python 3.11.9+ and 3.12.3+.
Fixed a crash in Django 4.2 when validating email max line lengths with content decoded using the surrogateescape error handling scheme.
2024-03-04 16:48:16 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-django4: updated to 4.2.11
Django 4.2.11 fixes a security issue with severity “moderate” and a regression in 4.2.10.
CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).
Bugfixes
Fixed a regression in Django 4.2.10 where intcomma template filter could return a leading comma for string representation of floats.
2024-02-09 11:34:29 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
Replace databases/py-mysqldb with databases/py-mysqlclient
2024-02-08 23:42:53 by Adam Ciarcinski | Files touched by this commit (6)
Log message:
py-django4: added version 4.2.10
Django 4.2.10 fixes a security issue with severity “moderate” in 4.2.9.
CVE-2024-24680: Potential denial-of-service in intcomma template filter
The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.