Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency Django to v4 [SECURITY] #291

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
Django (changelog) ==3.0.8 -> ==4.2.16 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-24584

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

CVE-2021-3281

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

CVE-2022-36359

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

CVE-2020-24583

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.

CVE-2021-35042

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

CVE-2021-31542

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

CVE-2021-33203

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

CVE-2021-44420

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.

CVE-2021-28658

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

CVE-2021-33571

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).


Release Notes

django/django (Django)

v4.2.16

Compare Source

v4.2.15

Compare Source

v4.2.14

Compare Source

v4.2.13

Compare Source

v4.2.12

Compare Source

v4.2.11

Compare Source

v4.2.10

Compare Source

v4.2.9

Compare Source

v4.2.8

Compare Source

v4.2.7

Compare Source

v4.2.6

Compare Source

v4.2.5

Compare Source

v4.2.4

Compare Source

v4.2.3

Compare Source

v4.2.2

Compare Source

v4.2.1

Compare Source

v4.2

Compare Source

v4.1.13

Compare Source

v4.1.12

Compare Source

v4.1.11

Compare Source

v4.1.10

Compare Source

v4.1.9

Compare Source

v4.1.8

Compare Source

v4.1.7

Compare Source

v4.1.6

Compare Source

v4.1.5

Compare Source

v4.1.4

Compare Source

v4.1.3

Compare Source

v4.1.2

Compare Source

v4.1.1

Compare Source

v4.1

Compare Source

v4.0.10

Compare Source

v4.0.9

Compare Source

v4.0.8

Compare Source

v4.0.7

Compare Source

v4.0.6

Compare Source

v4.0.5

Compare Source

v4.0.4

Compare Source

v4.0.3

Compare Source

v4.0.2

Compare Source

v4.0.1

Compare Source

v4.0

Compare Source

v3.2.25

Compare Source

v3.2.24

Compare Source

v3.2.23

Compare Source

v3.2.22

Compare Source

v3.2.21

Compare Source

v3.2.20

Compare Source

v3.2.19

Compare Source

v3.2.18

Compare Source

v3.2.17

Compare Source

v3.2.16

Compare Source

v3.2.15

Compare Source

v3.2.14

Compare Source

v3.2.13

Compare Source

v3.2.12

Compare Source

v3.2.11

Compare Source

v3.2.10

Compare Source

v3.2.9

Compare Source

v3.2.8

Compare Source

v3.2.7

Compare Source

v3.2.6

Compare Source

v3.2.5

Compare Source

v3.2.4

Compare Source

v3.2.3

Compare Source

v3.2.2

Compare Source

v3.2.1

Compare Source

v3.2

Compare Source

v3.1.14

Compare Source

v3.1.13

Compare Source

v3.1.12

Compare Source

v3.1.11

Compare Source

v3.1.10

Compare Source

v3.1.9

Compare Source

v3.1.8

Compare Source

v3.1.7

Compare Source

v3.1.6

Compare Source

v3.1.5

Compare Source

v3.1.4

Compare Source

v3.1.3

Compare Source

v3.1.2

Compare Source

v3.1.1

Compare Source

v3.1

Compare Source

v3.0.14

Compare Source

v3.0.13

Compare Source

v3.0.12

Compare Source

v3.0.11

Compare Source

v3.0.10

Compare Source

v3.0.9

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from Clivern as a code owner August 6, 2024 08:56
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 2198124 to 737c047 Compare September 20, 2024 16:13
@renovate renovate bot changed the title Update dependency Django to v3.2.24 [SECURITY] Update dependency Django to v3.2.15 [SECURITY] Sep 20, 2024
@renovate renovate bot changed the title Update dependency Django to v3.2.15 [SECURITY] Update dependency Django to v4 [SECURITY] Oct 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 737c047 to b3efb1a Compare October 9, 2024 00:48
Copy link

sonarqubecloud bot commented Oct 9, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants