discovery-artifact-manager icon indicating copy to clipboard operation
discovery-artifact-manager copied to clipboard

Published 20 hours ago verified publisher icon googleapis

chore(deps): update dependency django to v3 [security]

Open renovate-bot opened this issue 3 years ago • 0 comments

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
django (changelog) ==1.8.12 -> ==3.2.15 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2018-7537

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

CVE-2017-7234

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the django.views.static.serve() view could redirect to any other domain, aka an open redirect vulnerability.

CVE-2019-19844

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

CVE-2020-7471

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

CVE-2021-33203

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

CVE-2016-6186

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

CVE-2016-7401

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

CVE-2022-36359

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

CVE-2016-9013

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.

CVE-2017-7233

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2016-9014

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.

CVE-2018-7536

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

Release Notes

django/django (django)

v3.2.15

Compare Source

v3.2.14

Compare Source

v3.2.13

Compare Source

v3.2.12

Compare Source

v3.2.11

Compare Source

v3.2.10

Compare Source

v3.2.9

Compare Source

v3.2.8

Compare Source

v3.2.7

Compare Source

v3.2.6

Compare Source

v3.2.5

Compare Source

v3.2.4

Compare Source

v3.2.3

Compare Source

v3.2.2

Compare Source

v3.2.1

Compare Source

v3.2

Compare Source

v3.1.14

Compare Source

v3.1.13

Compare Source

v3.1.12

Compare Source

v3.1.11

Compare Source

v3.1.10

Compare Source

v3.1.9

Compare Source

v3.1.8

Compare Source

v3.1.7

Compare Source

v3.1.6

Compare Source

v3.1.5

Compare Source

v3.1.4

Compare Source

v3.1.3

Compare Source

v3.1.2

Compare Source

v3.1.1

Compare Source

v3.1

Compare Source

v3.0.14

Compare Source

v3.0.13

Compare Source

v3.0.12

Compare Source

v3.0.11

Compare Source

v3.0.10

Compare Source

v3.0.9

Compare Source

v3.0.8

Compare Source

v3.0.7

Compare Source

v3.0.6

Compare Source

v3.0.5

Compare Source

v3.0.4

Compare Source

v3.0.3

Compare Source

v3.0.2

Compare Source

v3.0.1

Compare Source

v3.0

Compare Source

v2.2.28

Compare Source

v2.2.27

Compare Source

v2.2.26

Compare Source

v2.2.25

Compare Source

v2.2.24

Compare Source

v2.2.23

Compare Source

v2.2.22

Compare Source

v2.2.21

Compare Source

v2.2.20

Compare Source

v2.2.19

Compare Source

v2.2.18

Compare Source

v2.2.17

Compare Source

v2.2.16

Compare Source

v2.2.15

Compare Source

v2.2.14

Compare Source

v2.2.13

Compare Source

v2.2.12

Compare Source

v2.2.11

Compare Source

v2.2.10

Compare Source

v2.2.9

Compare Source

v2.2.8

Compare Source

v2.2.7

Compare Source

v2.2.6

Compare Source

v2.2.5

Compare Source

v2.2.4

Compare Source

v2.2.3

Compare Source

v2.2.2

Compare Source

v2.2.1

Compare Source

v2.2

Compare Source

v2.1.15

Compare Source

v2.1.14

Compare Source

v2.1.13

Compare Source

v2.1.12

Compare Source

v2.1.11

Compare Source

v2.1.10

Compare Source

v2.1.9

Compare Source

v2.1.8

Compare Source

v2.1.7

Compare Source

v2.1.5

Compare Source

v2.1.4

Compare Source

v2.1.3

Compare Source

v2.1.2

Compare Source

v2.1.1

Compare Source

v2.1

Compare Source

v2.0.13

Compare Source

v2.0.12

Compare Source

v2.0.10

Compare Source

v2.0.9

Compare Source

v2.0.8

Compare Source

v2.0.7

Compare Source

v2.0.6

Compare Source

v2.0.5

Compare Source

v2.0.4

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

v2.0.1

Compare Source

v2.0

Compare Source

v1.11.29

Compare Source

v1.11.28

Compare Source

v1.11.27

Compare Source

v1.11.26

Compare Source

v1.11.25

Compare Source

v1.11.24

Compare Source

v1.11.23

Compare Source

v1.11.22

Compare Source

v1.11.21

Compare Source

v1.11.20

Compare Source

v1.11.18

Compare Source

v1.11.17

Compare Source

v1.11.16

Compare Source

v1.11.15

Compare Source

v1.11.14

Compare Source

v1.11.13

Compare Source

v1.11.12

Compare Source

v1.11.11

Compare Source

v1.11.10

Compare Source

v1.11.9

Compare Source

v1.11.8

Compare Source

v1.11.7

Compare Source

v1.11.6

Compare Source

v1.11.5

Compare Source

v1.11.4

Compare Source

v1.11.3

Compare Source

v1.11.2

Compare Source

v1.11.1

Compare Source

v1.11

Compare Source

v1.10.8

Compare Source

v1.10.7

Compare Source

v1.10.6

Compare Source

v1.10.5

Compare Source

v1.10.4

Compare Source

v1.10.3

Compare Source

v1.10.2

Compare Source

v1.10.1

Compare Source

v1.10

Compare Source

v1.9.13

Compare Source

v1.9.12

Compare Source

v1.9.11

Compare Source

v1.9.10

Compare Source

v1.9.9

Compare Source

v1.9.8

Compare Source

v1.9.7

Compare Source

v1.9.6

Compare Source

v1.9.5

Compare Source

v1.9.4

Compare Source

v1.9.3

Compare Source

v1.9.2

Compare Source

v1.9.1

Compare Source

v1.9

Compare Source

v1.8.19

Compare Source

v1.8.18

Compare Source

v1.8.17

Compare Source

v1.8.16

Compare Source

v1.8.15

Compare Source

v1.8.14

Compare Source

v1.8.13

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate-bot avatar Feb 02 '22 16:02 renovate-bot