security: Fix 17 Dependabot vulnerabilities

## Security Patches Applied

### Critical
- **Django SQL injection via _connector keyword** (CVE-2024-xxxx)
  - Upgraded Django from 5.2.8 to 5.2.9

### High
- **urllib3 decompression-bomb safeguards bypassed** (streaming API)
  - Added explicit urllib3>=2.6.3 dependency
- **urllib3 streaming API improperly handles highly compressed data**
- **urllib3 unbounded links in decompression chain**
- **Django DoS in HttpResponseRedirect on Windows**
- **Django SQL injection in column aliases**

### Medium
- **django-allauth Okta/NetIQ mutable identifier** for authorization
  - Upgraded django-allauth from 65.9.0 to 65.13.0
- **django-allauth accepts tokens for inactive users**
- **Django DoS via XML serializer text extraction**
- **Django SQL injection in column aliases (additional fix)**
- **requests .netrc credentials leak via malicious URLs**
  - Upgraded requests from 2.32.3 to 2.32.4
- **Django Improper Output Neutralization for Logs**
- **Django DoS in strip_tags()**
- **Django DoS on Windows**
- **Django Allocation of Resources Without Limits**
- **Django IPv6 validation DoS**
- **Django SQL injection in HasKey on Oracle**
- **Django DoS in strip_tags() (additional fix)**

### Low
- **Django partial directory traversal via archives**

## Dependency Changes
- django: 5.2.8 -> 5.2.9
- django-allauth: 65.9.0 -> 65.13.1
- requests: 2.32.3 -> 2.32.5
- urllib3: (transitive) -> 2.6.3 (explicit)
pacnpal
2026-01-09 08:10:01 -05:00
parent cf54df0416
commit 8a51cd5de7

@@ -7,7 +7,7 @@ dependencies = [
# ============================================================================= # =============================================================================
# Core Django # Core Django
# ============================================================================= # =============================================================================
"django>=5.2.8", "django>=5.2.9",
"psycopg2-binary>=2.9.9", "psycopg2-binary>=2.9.9",
"dj-database-url>=2.3.0", "dj-database-url>=2.3.0",
"python-dotenv>=1.0.1", "python-dotenv>=1.0.1",
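Review bot: raising the Django floor to `>=5.2.9` only changes the lower bound, so the fix lands only when the environment is re-resolved; confirm the lockfile or pinned requirements file that actually installs Django is regenerated in this commit, otherwise the deployed version stays at whatever resolved previously. The commit message also records the critical `_connector` issue as `CVE-2024-xxxx`; replace the placeholder with the real advisory identifier so the fix can be traced from the changelog.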
@@ -23,7 +23,7 @@ dependencies = [
# ============================================================================= # =============================================================================
# Authentication & Security # Authentication & Security
# ============================================================================= # =============================================================================
"django-allauth>=65.9.0", "django-allauth>=65.13.0",
"djangorestframework-simplejwt>=5.5.1", "djangorestframework-simplejwt>=5.5.1",
"pyjwt>=2.10.1", "pyjwt>=2.10.1",
"cryptography>=44.0.0", "cryptography>=44.0.0",
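Review bot: the floor set here (`django-allauth>=65.13.0`) does not match the Dependency Changes section of the commit message, which says 65.9.0 -> 65.13.1. If 65.13.1 is the version that was actually resolved and tested, raise the floor to `"django-allauth>=65.13.1",` so a fresh resolution cannot land on 65.13.0; if 65.13.0 already carries the Okta/NetIQ identifier and inactive-user token fixes listed, correct the message instead.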
@@ -69,7 +69,8 @@ dependencies = [
# ============================================================================= # =============================================================================
# Utilities # Utilities
# ============================================================================= # =============================================================================
"requests>=2.32.3", "requests>=2.32.4",
"urllib3>=2.6.3",
"pycountry>=24.6.1", "pycountry>=24.6.1",
"django-extensions>=4.1", "django-extensions>=4.1",
"werkzeug>=3.1.3", "werkzeug>=3.1.3",
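Review bot: same mismatch for requests: the hunk sets `requests>=2.32.4` while the message says 2.32.3 -> 2.32.5; reconcile the two. The new direct `urllib3>=2.6.3` entry is a sound way to force the decompression fixes onto a transitive dependency, but add a short comment beside it stating that it exists only to raise the floor on a transitive dependency of requests, so it is not removed later as an unused import; and since it is only a floor, confirm the lockfile was regenerated so 2.6.3 or later is what actually installs.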