
chore(deps): update dependency django to v4.2.16 [security] #343

Open: wants to merge 1 commit into main from renovate/pypi-django-vulnerability

Conversation

renovate[bot] (Contributor) commented Jul 11, 2023

This PR contains the following updates:

Package: django (changelog)
Change: ==4.1.6 -> ==4.2.16

GitHub Vulnerability Alerts

CVE-2023-41164

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

CVE-2023-24580

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

CVE-2023-43665

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

CVE-2023-46695

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

CVE-2023-31047

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

CVE-2023-36053

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).


Release Notes

django/django (django): v4.2.16, v4.2.15, v4.2.14, v4.2.13, v4.2.12, v4.2.11, v4.2.10, v4.2.9, v4.2.8, v4.2.7, v4.2.6, v4.2.5, v4.2.4, v4.2.3, v4.2.2, v4.2.1, v4.2, v4.1.13, v4.1.12, v4.1.11, v4.1.10, v4.1.9, v4.1.8, v4.1.7 (each entry links to its compare view; the release note bodies are not included in this PR description)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
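A practitioner reviewing this PR wants to confirm two things: that the old pin (==4.1.6) really falls inside the affected ranges quoted above, and that the new pin (==4.2.16) falls outside all of them. The script below is an added example, not Renovate's or Django's code. The ranges for the six 2023 CVEs are transcribed literally from the advisory text above, so "3.2 before 3.2.21" becomes the half-open interval [3.2.0, 3.2.21). CVE-2024-45231 needs an interpretation: the quoted text names v5.1.1, v5.0.9 and v4.2.16, which are the versions that Django's September 2024 security release shipped, so the table treats them as the first fixed releases rather than as affected ones; confirm that reading against Django's own release notes before relying on it. The function names, the `AFFECTED` table and the requirements lines are this example's own. A hand-maintained table is only as complete as the advisories copied into it, so for an actual audit run an advisory-database-backed tool such as pip-audit; this script only checks the claims this PR makes.

```python
"""Check pinned Django versions against the affected ranges quoted in this PR.

Added example; not Renovate's or Django's code. The ranges for the 2023
CVEs are transcribed from the advisory text; CVE-2024-45231 is an
interpretation (see the comment on its entry).
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound) for each affected series,
# as quoted in the advisories. "4.x before 4.1.9" covers every 4.0.* and
# 4.1.* release below 4.1.9, so its lower bound is 4.0.0.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2023-41164": [((3, 2, 0), (3, 2, 21)), ((4, 1, 0), (4, 1, 11)), ((4, 2, 0), (4, 2, 5))],
    "CVE-2023-24580": [((3, 2, 0), (3, 2, 18)), ((4, 0, 0), (4, 0, 10)), ((4, 1, 0), (4, 1, 7))],
    "CVE-2023-43665": [((3, 2, 0), (3, 2, 22)), ((4, 1, 0), (4, 1, 12)), ((4, 2, 0), (4, 2, 6))],
    "CVE-2023-46695": [((3, 2, 0), (3, 2, 23)), ((4, 1, 0), (4, 1, 13)), ((4, 2, 0), (4, 2, 7))],
    "CVE-2023-31047": [((3, 2, 0), (3, 2, 19)), ((4, 0, 0), (4, 1, 9)), ((4, 2, 0), (4, 2, 1))],
    "CVE-2023-36053": [((3, 2, 0), (3, 2, 20)), ((4, 0, 0), (4, 1, 10)), ((4, 2, 0), (4, 2, 3))],
    # Interpretation (assumption, not stated in the PR text): the quoted
    # advisory names 5.1.1, 5.0.9 and 4.2.16, the versions of Django's
    # September 2024 security release, so they are treated as first fixed.
    "CVE-2024-45231": [((4, 2, 0), (4, 2, 16)), ((5, 0, 0), (5, 0, 9)), ((5, 1, 0), (5, 1, 1))],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")
# Exact pins only ("django==4.1.6"); case-insensitive on the project name.
_PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9.]+)", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Turn '4.2' or '4.2.16' into a comparable (major, minor, patch) tuple.

    Pre-release tags such as '4.2rc1' are rejected: they sort below the
    final release and would need their own ordering rules.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def vulnerable_cves(version_text: str) -> List[str]:
    """Return the sorted CVE IDs whose quoted ranges contain this version."""
    v = parse_version(version_text)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(low <= v < high for low, high in ranges)
    )


def parse_pin(line: str) -> Optional[str]:
    """Extract the version from a 'django==X.Y.Z' requirements line, else None.

    Trailing comments are stripped first; range specifiers ('django>=4.1')
    and other projects ('djangorestframework==...') yield None.
    """
    m = _PIN_RE.match(line.split("#", 1)[0])
    return m.group(1) if m else None


def audit_requirements(lines: List[str]) -> Dict[str, List[str]]:
    """Map each pinned Django version found in the lines to the CVEs that apply."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        version = parse_pin(line)
        if version is not None:
            report[version] = vulnerable_cves(version)
    return report


if __name__ == "__main__":
    # Constructed requirements files: the pin before this PR and after it.
    before = ["django==4.1.6", "requests==2.31.0  # unrelated pin"]
    after = ["django==4.2.16", "requests==2.31.0  # unrelated pin"]
    for label, lines in (("before", before), ("after", after)):
        for version, cves in audit_requirements(lines).items():
            print(f"{label}: django=={version} -> {cves or 'no listed CVE applies'}")
```

Running it reports all six 2023 CVEs against the old pin and nothing against 4.2.16; an intermediate pin such as 4.2.6 shows why the jump has to go past 4.2.7 (CVE-2023-46695) and, under the interpretation above, all the way to 4.2.16 (CVE-2024-45231).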

@renovate renovate bot changed the title from "chore(deps): update dependency django to v4.1.10 [security]" to "chore(deps): update dependency django to v4.1.13 [security]" on Nov 3, 2023
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from be07c0a to 7c5eaae on November 3, 2023 01:29
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 7c5eaae to 86b0f89 on April 3, 2024 17:20
@renovate renovate bot changed the title from "chore(deps): update dependency django to v4.1.13 [security]" to "chore(deps): update dependency django to v4.1.12 [security]" on Apr 3, 2024
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 86b0f89 to 598c1f2 on August 6, 2024 09:40
@renovate renovate bot changed the title from "chore(deps): update dependency django to v4.1.12 [security]" to "chore(deps): update dependency django to v4.1.13 [security]" on Aug 6, 2024
@renovate renovate bot changed the title from "chore(deps): update dependency django to v4.1.13 [security]" to "chore(deps): update dependency django to v4.2.16 [security]" on Oct 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 598c1f2 to 8ed8232 on October 9, 2024 08:02