Update dependency django to v3.2.17 [SECURITY] #13
Open
renovate wants to merge 1 commit into main from renovate/pypi-django-vulnerability
Conversation
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from e7baed8 to 13a7a05 on November 20, 2022 18:15
renovate bot changed the title from "Update dependency django to v3.2.15 [SECURITY]" to "Update dependency django to v3.2.16 [SECURITY]" on Nov 20, 2022
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 13a7a05 to e837fb0 on March 18, 2023 05:56
renovate bot changed the title from "Update dependency django to v3.2.16 [SECURITY]" to "Update dependency django to v3.2.18 [SECURITY]" on Mar 18, 2023
renovate bot changed the title from "Update dependency django to v3.2.18 [SECURITY]" to "Update dependency django to v3.2.17 [SECURITY]" on Mar 22, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from e837fb0 to c3af545 on March 22, 2023 13:24
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from c3af545 to fd41643 on May 29, 2023 17:50
renovate bot changed the title from "Update dependency django to v3.2.17 [SECURITY]" to "Update dependency django to v3.2.19 [SECURITY]" on May 29, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from fd41643 to b4439f1 on June 1, 2023 16:13
renovate bot changed the title from "Update dependency django to v3.2.19 [SECURITY]" to "Update dependency django to v3.2.17 [SECURITY]" on Jun 1, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from b4439f1 to e022b08 on June 18, 2023 14:55
renovate bot changed the title from "Update dependency django to v3.2.17 [SECURITY]" to "Update dependency django to v3.2.19 [SECURITY]" on Jun 18, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from e022b08 to e7f327e on June 23, 2023 05:10
renovate bot changed the title from "Update dependency django to v3.2.19 [SECURITY]" to "Update dependency django to v3.2.17 [SECURITY]" on Jun 23, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from e7f327e to 02fe681 on July 11, 2023 02:50
renovate bot changed the title from "Update dependency django to v3.2.17 [SECURITY]" to "Update dependency django to v3.2.20 [SECURITY]" on Jul 11, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 02fe681 to 557933e on September 20, 2023 02:44
renovate bot changed the title from "Update dependency django to v3.2.20 [SECURITY]" to "Update dependency django to v3.2.21 [SECURITY]" on Sep 20, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 557933e to 9bfb526 on September 21, 2023 05:42
renovate bot changed the title from "Update dependency django to v3.2.21 [SECURITY]" to "Update dependency django to v3.2.20 [SECURITY]" on Sep 21, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 9bfb526 to be6ed06 on September 26, 2023 11:47
renovate bot changed the title from "Update dependency django to v3.2.20 [SECURITY]" to "Update dependency django to v3.2.21 [SECURITY]" on Sep 26, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from be6ed06 to 81ab82b on September 27, 2023 05:16
renovate bot changed the title from "Update dependency django to v3.2.21 [SECURITY]" to "Update dependency django to v3.2.20 [SECURITY]" on Sep 27, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 81ab82b to 27f19ec on November 17, 2023 12:02
renovate bot changed the title from "Update dependency django to v3.2.20 [SECURITY]" to "Update dependency django to v3.2.23 [SECURITY]" on Nov 17, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 27f19ec to 83e7163 on November 18, 2023 11:15
renovate bot changed the title from "Update dependency django to v3.2.23 [SECURITY]" to "Update dependency django to v3.2.20 [SECURITY]" on Nov 18, 2023
renovate bot changed the title from "Update dependency django to v3.2.20 [SECURITY]" to "Update dependency django to v3.2.23 [SECURITY]" on Dec 5, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 83e7163 to 18cb835 on December 5, 2023 02:19
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 18cb835 to 9e3cbbf on December 6, 2023 08:26
renovate bot changed the title from "Update dependency django to v3.2.23 [SECURITY]" to "Update dependency django to v3.2.20 [SECURITY]" on Dec 6, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 9e3cbbf to c8d3235 on December 8, 2023 08:33
renovate bot changed the title from "Update dependency django to v3.2.20 [SECURITY]" to "Update dependency django to v3.2.17 [SECURITY]" on Dec 8, 2023
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from c8d3235 to 6225151 on January 5, 2024 05:12
renovate bot changed the title from "Update dependency django to v3.2.17 [SECURITY]" to "Update dependency django to v3.2.23 [SECURITY]" on Jan 5, 2024
renovate bot changed the title from "Update dependency django to v3.2.23 [SECURITY]" to "Update dependency django to v3.2.17 [SECURITY]" on Jan 6, 2024
renovate bot force-pushed the renovate/pypi-django-vulnerability branch 2 times, most recently from 6188088 to 84622c0 on January 9, 2024 08:49
renovate bot changed the title from "Update dependency django to v3.2.17 [SECURITY]" to "Update dependency django to v3.2.23 [SECURITY]" on Jan 9, 2024
renovate bot changed the title from "Update dependency django to v3.2.23 [SECURITY]" to "Update dependency django to v3.2.17 [SECURITY]" on Jan 10, 2024
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 84622c0 to 0591aac on January 10, 2024 05:47
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 0591aac to 305bdf0 on January 18, 2024 05:27
renovate bot changed the title from "Update dependency django to v3.2.17 [SECURITY]" to "Update dependency django to v3.2.23 [SECURITY]" on Jan 18, 2024
renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 305bdf0 to a9b72ce on January 19, 2024 20:39
renovate bot changed the title from "Update dependency django to v3.2.23 [SECURITY]" to "Update dependency django to v3.2.17 [SECURITY]" on Jan 19, 2024
This PR contains the following updates:
django: ==3.2.9 -> ==3.2.17
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts

CVE-2022-28347
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

CVE-2022-28346
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

CVE-2021-45116
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.

CVE-2021-45115
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

CVE-2023-36053
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

CVE-2021-44420
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.

CVE-2022-23833
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

CVE-2021-45452
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

CVE-2023-24580
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

CVE-2023-31047
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

CVE-2023-46695
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

CVE-2022-34265
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

CVE-2022-41323
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

CVE-2023-23969
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

CVE-2023-41164
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

CVE-2023-43665
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

CVE-2024-24680
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

CVE-2024-27351
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

CVE-2022-22818
The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.

Release Notes
django/django (django): v3.2.17, v3.2.16, v3.2.15, v3.2.14, v3.2.13, v3.2.12, v3.2.11, v3.2.10
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
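Every advisory summary in the vulnerability alert list above states the affected series and the first fixed release in the same "X before Y" form (for example "3.2 before 3.2.13"). The following Python script is an added example, not code from Renovate, Django or the repository this PR targets: it parses those phrases out of the summaries quoted in the PR body (copied into the constructed ADVISORIES table), decides whether a given pin falls inside an affected range, and lists the CVEs that still apply. The regex and the tuple-based version comparison are assumptions of this example, not anything the PR itself describes.

```python
"""Added example (not Renovate's or Django's code): check a pinned Django
version against the "X before Y" phrases in the advisory summaries quoted
in this PR, and list the CVEs the pin is still affected by."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed table: CVE ids and the affected-range phrases copied from the PR body.
ADVISORIES: Dict[str, str] = {
    "CVE-2022-28347": "Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4",
    "CVE-2022-28346": "Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4",
    "CVE-2021-45116": "Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1",
    "CVE-2021-45115": "Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1",
    "CVE-2022-36359": "Django 3.2 before 3.2.15 and 4.0 before 4.0.7",
    "CVE-2023-36053": "Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3",
    "CVE-2021-44420": "Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10",
    "CVE-2022-23833": "Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2",
    "CVE-2021-45452": "Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1",
    "CVE-2023-24580": "Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7",
    "CVE-2023-31047": "Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1",
    "CVE-2023-46695": "Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7",
    "CVE-2022-34265": "Django 3.2 before 3.2.14 and 4.0 before 4.0.6",
    "CVE-2022-41323": "Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2",
    "CVE-2023-23969": "Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6",
    "CVE-2023-41164": "Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5",
    "CVE-2023-43665": "Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6",
    "CVE-2024-24680": "Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2",
    "CVE-2024-27351": "Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3",
    "CVE-2022-22818": "Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2",
}

# "3.2 before 3.2.13", "4 before 4.1.10" and "4.x before 4.1.9" all occur in the
# summaries; the optional ".x" suffix is dropped so the series stays purely numeric.
RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)(?:\.x)? before (\d+(?:\.\d+)+)")


def parse_version(text: str) -> Version:
    """'==3.2.17' or '3.2.17' -> (3, 2, 17); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().lstrip("=").split("."))


def affected_ranges(summary: str) -> List[Tuple[Version, Version]]:
    """Return (series, first_fixed) pairs for every 'X before Y' phrase in a summary."""
    return [(parse_version(s), parse_version(f)) for s, f in RANGE_RE.findall(summary)]


def is_affected(version: Version, ranges: List[Tuple[Version, Version]]) -> bool:
    """Affected if the version lies in one of the series and precedes that series' fix."""
    return any(version[: len(series)] == series and version < fixed
               for series, fixed in ranges)


def remaining_after(pin: str, advisories: Dict[str, str] = ADVISORIES) -> List[str]:
    """CVE ids from the table that still apply to the given pin (e.g. '==3.2.17')."""
    version = parse_version(pin)
    return sorted(cve for cve, text in advisories.items()
                  if is_affected(version, affected_ranges(text)))


if __name__ == "__main__":
    # Current pin from the PR, then the pin the PR proposes.
    for pin in ("==3.2.9", "==3.2.17"):
        left = remaining_after(pin)
        print(f"{pin}: {len(left)} of {len(ADVISORIES)} listed CVEs still apply: {left}")
```

Run against the current pin (==3.2.9) it reports all 20 listed CVEs; run against the proposed pin (==3.2.17) it still reports the eight whose 3.2-series fix landed in a later release (3.2.18 through 3.2.25), which is the check a reviewer would want before treating this PR as closing every alert it lists.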