mirror of
https://github.com/pacnpal/thrillwiki_django_no_react.git
synced 2026-02-05 15:55:19 -05:00
8a51cd5de7
## Security Patches Applied ### Critical - **Django SQL injection via _connector keyword** (CVE-2024-xxxx) - Upgraded Django from 5.2.8 to 5.2.9 ### High - **urllib3 decompression-bomb safeguards bypassed** (streaming API) - Added explicit urllib3>=2.6.3 dependency - **urllib3 streaming API improperly handles highly compressed data** - **urllib3 unbounded links in decompression chain** - **Django DoS in HttpResponseRedirect on Windows** - **Django SQL injection in column aliases** ### Medium - **django-allauth Okta/NetIQ mutable identifier** for authorization - Upgraded django-allauth from 65.9.0 to 65.13.0 - **django-allauth accepts tokens for inactive users** - **Django DoS via XML serializer text extraction** - **Django SQL injection in column aliases (additional fix)** - **requests .netrc credentials leak via malicious URLs** - Upgraded requests from 2.32.3 to 2.32.4 - **Django Improper Output Neutralization for Logs** - **Django DoS in strip_tags()** - **Django DoS on Windows** - **Django Allocation of Resources Without Limits** - **Django IPv6 validation DoS** - **Django SQL injection in HasKey on Oracle** - **Django DoS in strip_tags() (additional fix)** ### Low - **Django partial directory traversal via archives** ## Dependency Changes - django: 5.2.8 -> 5.2.9 - django-allauth: 65.9.0 -> 65.13.1 - requests: 2.32.3 -> 2.32.5 - urllib3: (transitive) -> 2.6.3 (explicit)
6.1 KiB
6.1 KiB