chore(deps): update dependency django to v4.1.10 [security] #231
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
cff4298 to
5a74d20
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
2 times, most recently
from
d9b65ca to
5590d95
Compare
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
5590d95 to
561c0b4
Compare
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
561c0b4 to
28b2acc
Compare
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
28b2acc to
b51c614
Compare
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
2 times, most recently
from
c713c6d to
2986034
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
2986034 to
f0e8eeb
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
f0e8eeb to
6d13ac6
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
6d13ac6 to
c578f27
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
c578f27 to
5eb5efe
Compare
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
5eb5efe to
fe88710
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.0.6->4.1.10GitHub Vulnerability Alerts
CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
CVE-2022-41323
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
CVE-2023-23969
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
CVE-2023-24580
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
CVE-2023-31047
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
CVE-2023-36053
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3,
EmailValidatorandURLValidatorare subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.Release Notes
django/django (Django)
v4.1.10Compare Source
v4.1.9Compare Source
v4.1.8Compare Source
v4.1.7Compare Source
v4.1.6Compare Source
v4.1.5Compare Source
v4.1.4Compare Source
v4.1.3Compare Source
v4.1.2Compare Source
v4.1.1Compare Source
v4.1Compare Source
v4.0.10Compare Source
v4.0.9Compare Source
v4.0.8Compare Source
v4.0.7Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.