chore(deps): update dependency django [security] #1342
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
forking-renovate
bot
added
the
automerge
Collaborator
|
/gcbrun |
|
Merge-on-green attempted to merge your PR for 6 hours, but it was not mergeable because either one of your required status checks failed, one of your required reviews was not approved, or there is a do not merge label. Learn more about your required status checks here: https://help.github.com/en/github/administering-a-repository/enabling-required-status-checks. You can remove and reapply the label to re-run the bot. |
gcf-merge-on-green
bot
removed
the
automerge
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
b435146 to
d88b9ba
Compare
Collaborator
|
/gcbrun |
renovate-bot
changed the title
renovate-bot
changed the title
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
d88b9ba to
d626b98
Compare
Collaborator
|
/gcbrun |
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
d626b98 to
3e4c7e8
Compare
Collaborator
|
/gcbrun |
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
3e4c7e8 to
65a2c02
Compare
Collaborator
|
/gcbrun |
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
65a2c02 to
c5efc9a
Compare
Collaborator
|
/gcbrun |
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
c5efc9a to
a648078
Compare
Collaborator
|
/gcbrun |
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
a648078 to
79ec444
Compare
Collaborator
|
/gcbrun |
renovate-bot
changed the title
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
79ec444 to
11a8405
Compare
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
256816b to
6c15e85
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
6c15e85 to
b5d5335
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
b5d5335 to
556781e
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
556781e to
5159778
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
5159778 to
f5566ab
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
f5566ab to
350efc6
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
350efc6 to
e9435ae
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
e9435ae to
ef64518
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
ef64518 to
43ad8cb
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
43ad8cb to
2e84a86
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
2e84a86 to
4c5ec28
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
4c5ec28 to
22c1c72
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
22c1c72 to
474ca76
Compare
Collaborator
|
/gcbrun |
renovate-bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
474ca76 to
5abd7d3
Compare
renovate-bot
changed the title
Collaborator
|
/gcbrun |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==4.2.10→==4.2.18==4.2.9→==4.2.18==4.2.10→==4.2.20GitHub Vulnerability Alerts
CVE-2024-27351
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
CVE-2024-38875
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
CVE-2024-39330
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the
django.core.files.storage.Storagebase class, when they overridegenerate_filename()without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during asave()call. (Built-in Storage sub-classes are unaffected.)CVE-2024-39329
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The
django.contrib.auth.backends.ModelBackend.authenticate()method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.CVE-2024-39614
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14.
get_supported_language_variant()was subject to a potential denial-of-service attack when used with very long strings containing specific characters.CVE-2024-41989
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
CVE-2024-41990
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
CVE-2024-42005
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
CVE-2024-41991
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
CVE-2024-45230
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
CVE-2024-45231
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
CVE-2024-53908
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
CVE-2024-53907
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
CVE-2024-56374
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions
clean_ipv6_addressandis_valid_ipv6_addressare vulnerable, as is thedjango.forms.GenericIPAddressFieldform field. (The django.db.models.GenericIPAddressField model field is not affected.)CVE-2024-24680
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
CVE-2025-26699
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Release Notes
django/django (Django)
v4.2.18Compare Source
v4.2.17Compare Source
v4.2.16Compare Source
v4.2.15Compare Source
v4.2.14Compare Source
v4.2.13Compare Source
v4.2.12Compare Source
v4.2.11Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.