[Buildroot] [git commit] package/python-django: security bump to version 3.0.7
Peter Korsgaard
peter at korsgaard.com
Sun Jul 26 15:09:23 UTC 2020
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at bootlin.com> writes:
> commit: https://git.buildroot.net/buildroot/commit/?id=36d78abceb79ad8b8ea73054cd2e6fcfcc835c4f
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> Fixes the following security issues:
> - CVE-2020-13254: Potential data leakage via malformed memcached keys
> In cases where a memcached backend does not perform key validation,
> passing malformed cache keys could result in a key collision, and
> potential data leakage. In order to avoid this vulnerability, key
> validation is added to the memcached cache backends.
> - CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
> Query parameters for the admin ForeignKeyRawIdWidget were not properly URL
> encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures
> query parameters are correctly URL encoded.
> For details, see the announcement:
> https://docs.djangoproject.com/en/dev/releases/3.0.7/
> Additionally, 3.0.5..3.0.7 contains a number of non-security related
> bugfixes.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
Committed to 2020.02.x and 2020.05.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list