mirror of
https://github.com/pacnpal/thrillwiki_django_no_react.git
synced 2026-02-05 11:05:17 -05:00
## Security Patches Applied

### Critical

- **Django SQL injection via _connector keyword** (CVE-2024-xxxx)
  - Upgraded Django from 5.2.8 to 5.2.9

### High

- **urllib3 decompression-bomb safeguards bypassed** (streaming API)
  - Added explicit urllib3>=2.6.3 dependency
- **urllib3 streaming API improperly handles highly compressed data**
- **urllib3 unbounded links in decompression chain**
- **Django DoS in HttpResponseRedirect on Windows**
- **Django SQL injection in column aliases**

### Medium

- **django-allauth Okta/NetIQ mutable identifier** for authorization
  - Upgraded django-allauth from 65.9.0 to 65.13.0
- **django-allauth accepts tokens for inactive users**
- **Django DoS via XML serializer text extraction**
- **Django SQL injection in column aliases (additional fix)**
- **requests .netrc credentials leak via malicious URLs**
  - Upgraded requests from 2.32.3 to 2.32.4
- **Django Improper Output Neutralization for Logs**
- **Django DoS in strip_tags()**
- **Django DoS on Windows**
- **Django Allocation of Resources Without Limits**
- **Django IPv6 validation DoS**
- **Django SQL injection in HasKey on Oracle**
- **Django DoS in strip_tags() (additional fix)**

### Low

- **Django partial directory traversal via archives**

## Dependency Changes

- django: 5.2.8 -> 5.2.9
- django-allauth: 65.9.0 -> 65.13.1
- requests: 2.32.3 -> 2.32.5
- urllib3: (transitive) -> 2.6.3 (explicit)
6.1 KiB