NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
70edac1bc0
kumquat-buildroot/package/python-django/python-django.hash
Peter Korsgaard a62cd7dd4c package/python-django: security bump to version 2.2.4 
Fixes the following security issues:

CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator

If django.utils.text.Truncator's chars() and words() methods were passed the
html=True argument, they were extremely slow to evaluate certain inputs due
to a catastrophic backtracking vulnerability in a regular expression.  The
chars() and words() methods are used to implement the truncatechars_html and
truncatewords_html template filters, which were thus vulnerable.

The regular expressions used by Truncator have been simplified in order to
avoid potential backtracking issues.  As a consequence, trailing punctuation
may now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser,
django.utils.html.strip_tags() would be extremely slow to evaluate certain
inputs containing large sequences of nested incomplete HTML entities.  The
strip_tags() method is used to implement the corresponding striptags
template filter, which was thus also vulnerable.

strip_tags() now avoids recursive calls to HTMLParser when progress removing
tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of
strip_tags() being HTML safe.  So NEVER mark safe the result of a
strip_tags() call without escaping it first, for example with
django.utils.html.escape().

CVE-2019-14234: SQL injection possibility in key and index lookups for
JSONField/HStoreField

Key and index lookups for django.contrib.postgres.fields.JSONField and key
lookups for django.contrib.postgres.fields.HStoreField were subject to SQL
injection, using a suitably crafted dictionary, with dictionary expansion,
as the **kwargs passed to QuerySet.filter().

CVE-2019-14235: Potential memory exhaustion in
django.utils.encoding.uri_to_iri()

If passed certain inputs, django.utils.encoding.uri_to_iri could lead to
significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.

uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-01 18:38:12 +02:00

6 lines
321 B
Plaintext
Raw Blame History

# md5, sha256 from https://pypi.org/pypi/django/json
md5 b32e396c354880742d85a7628a0bdd5a Django-2.2.4.tar.gz
sha256 16a5d54411599780ac9dfe3b9b38f90f785c51259a584e0b24b6f14a7f69aae8 Django-2.2.4.tar.gz
# Locally computed sha256 checksums
sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE
Reference in New Issue View Git Blame Copy Permalink