84441433ec
Django 3.0.x is EOL, so move to 3.2.x which is the new LTS release. For details of the changes and update instructions, see the announcement: https://www.djangoproject.com/weblog/2021/apr/06/django-32-released/ Fixes the following security issues: - CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of the SQLPanel for Django Debug Toolbar >= 0.10.0 With Django Debug Toolbar 0.10.0 and above, attackers are able to execute SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form. This is a high severity issue for anyone using the toolbar in a production environment. Generally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue. The GitHub Security Advisory can be found here: https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj - CVE-2021-31542: Potential directory-traversal via uploaded files MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names. In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected. This issue has low severity, according to the Django security policy. - CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+ On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn't vulnerable because HttpResponse prohibits newlines in HTTP headers. Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you are using this validator outside of the form fields. This issue was introduced by the bpo-43882 fix. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
||
|---|---|---|
| arch | ||
| board | ||
| boot | ||
| configs | ||
| docs | ||
| fs | ||
| linux | ||
| package | ||
| support | ||
| system | ||
| toolchain | ||
| utils | ||
| .defconfig | ||
| .flake8 | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| CHANGES | ||
| Config.in | ||
| Config.in.legacy | ||
| COPYING | ||
| DEVELOPERS | ||
| Makefile | ||
| Makefile.legacy | ||
| README | ||
Buildroot is a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation. The documentation can be found in docs/manual. You can generate a text document with 'make manual-text' and read output/docs/manual/manual.text. Online documentation can be found at http://buildroot.org/docs.html To build and use the buildroot stuff, do the following: 1) run 'make menuconfig' 2) select the target architecture and the packages you wish to compile 3) run 'make' 4) wait while it compiles 5) find the kernel, bootloader, root filesystem, etc. in output/images You do not need to be root to build or run buildroot. Have fun! Buildroot comes with a basic configuration for a number of boards. Run 'make list-defconfigs' to view the list of provided configurations. Please feed suggestions, bug reports, insults, and bribes back to the buildroot mailing list: buildroot@buildroot.org You can also find us on #buildroot on Freenode IRC. If you would like to contribute patches, please read https://buildroot.org/manual.html#submitting-patches