NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6e18892733
kumquat-buildroot/package/python-django/python-django.hash
Peter Korsgaard 426084e25f package/python-django: security bump to version 2.1.9 
Fixes the following security issues:

CVE-2019-12308: AdminURLFieldWidget XSS¶

The clickable "Current URL" link generated by AdminURLFieldWidget displayed
the provided value without validating it as a safe URL.  Thus, an
unvalidated value stored in the database, or a value provided as a URL query
parameter payload, could result in an clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator
before displaying the clickable link.  You may customize the validator by
passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g.
when using formfield_overrides.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution¶

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution.  If an unsanitized source object contained an
enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched to
allow for the select2 library’s use of jQuery.extend().

For more details, see the release notes:
https://docs.djangoproject.com/en/dev/releases/2.1.9/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 14:20:41 +02:00

6 lines
321 B
Plaintext
Raw Blame History

# md5, sha256 from https://pypi.org/pypi/django/json
md5 909c2e7761893a922dcf721521d9239e Django-2.1.9.tar.gz
sha256 5052def4ff0a84bdf669827fdbd7b7cc1ac058f10232be6b21f37c6824f578da Django-2.1.9.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
Reference in New Issue View Git Blame Copy Permalink