
fix(deps): update dependency django to v5.0.8 [security] #158

Merged
merged 1 commit into from
Sep 10, 2024

Conversation

renovate[bot]

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package: django (changelog)
Change: 5.0.6 -> 5.0.8

GitHub Vulnerability Alerts

CVE-2024-39330

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)

CVE-2024-38875

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.

CVE-2024-39329

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

CVE-2024-39614

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

CVE-2024-41989

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

CVE-2024-41990

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

CVE-2024-42005

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

CVE-2024-41991

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.


Release Notes

django/django (django)

v5.0.8

v5.0.7


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
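Worked example for CVE-2024-39330 above, added here as an illustration and not code from this PR or from Django itself. It shows the pattern the advisory describes: a custom Storage subclass that overrides generate_filename() without the parent's checks, beside a version whose save() re-validates the returned name and confirms the resolved path stays under the storage root. The `validate_file_name()` below is a stand-alone re-implementation modelled on django.core.files.utils.validate_file_name (an assumption about its rules, not an import of it), so the script runs without Django installed; `NaiveStorage` and `CheckedStorage` are hypothetical classes written for this example.

```python
"""Added example (not Django's or this project's code): why an overridden
generate_filename() must be re-validated before save() writes to disk.

Assumption: validate_file_name() here mirrors the intent of Django's helper
of the same name but is re-implemented so the script runs without Django.
"""
import os
import pathlib
import tempfile


class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the storage root."""


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Reject empty, '.', '..', absolute names and any '..' component.
    With allow_relative_path=False, any directory part is also rejected."""
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        # Treat backslashes as separators too, so Windows-style traversal is caught.
        path = pathlib.PurePosixPath(name.replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


def rejects(name: str, allow_relative_path: bool = True) -> bool:
    """True if validate_file_name() refuses `name`."""
    try:
        validate_file_name(name, allow_relative_path=allow_relative_path)
    except SuspiciousFileOperation:
        return True
    return False


class NaiveStorage:
    """Hypothetical custom storage: generate_filename() is overridden without
    any of the parent's validation, the pattern CVE-2024-39330 describes."""

    def __init__(self, location: str):
        self.location = location

    def generate_filename(self, filename: str) -> str:
        # Adds an upload prefix but passes the user-supplied name through untouched.
        return f"uploads/{filename}"

    def target_path(self, filename: str) -> pathlib.Path:
        return pathlib.Path(self.location, self.generate_filename(filename))

    def save(self, filename: str, content: bytes) -> pathlib.Path:
        # Vulnerable pattern: trusts whatever the subclass returned.
        target = self.target_path(filename)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        return target


class CheckedStorage(NaiveStorage):
    """Same override, but save() validates the generated name and checks that
    the resolved target is still inside `location` before writing."""

    def save(self, filename: str, content: bytes) -> pathlib.Path:
        name = validate_file_name(self.generate_filename(filename), allow_relative_path=True)
        root = pathlib.Path(self.location).resolve()
        target = (root / name).resolve()
        if not target.is_relative_to(root):  # Python 3.9+
            raise SuspiciousFileOperation(f"{name!r} resolves outside {root}")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        return target


def escapes_root(storage: NaiveStorage, filename: str) -> bool:
    """True if `filename` would land outside storage.location (computed, not written)."""
    root = pathlib.Path(storage.location).resolve()
    return not storage.target_path(filename).resolve().is_relative_to(root)


def demo(filename: str = "../../outside.txt") -> dict:
    """Run both storages against a traversal payload inside a scratch tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "media")
        os.makedirs(root)
        naive_escaped = escapes_root(NaiveStorage(root), filename)
        try:
            CheckedStorage(root).save(filename, b"x")
            checked_refused = False
        except SuspiciousFileOperation:
            checked_refused = True
        benign = CheckedStorage(root).save("avatar.png", b"\x89PNG")
        benign_inside = benign.is_relative_to(pathlib.Path(root).resolve())
    return {"naive_escaped": naive_escaped, "checked_refused": checked_refused,
            "benign_inside": benign_inside}


if __name__ == "__main__":
    print(demo())
```

The point of the `CheckedStorage.save()` is the two-step check: lexical validation of the name first, then a resolved-path containment check as a backstop, so a future override that produces something unexpected still cannot write outside the root. Upgrading to 5.0.8 gives you the first step inside Storage.save(); the second is cheap insurance for any storage backend you maintain yourself.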


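Worked example for CVE-2024-42005 above, added here as an illustration and not code from this PR or from Django. It reproduces the alias-injection shape in plain sqlite3 so it runs without Django: a query builder that interpolates a caller-supplied key as the column alias, beside one that refuses aliases containing whitespace, quotes, brackets, semicolons or SQL comment tokens. The forbidden-character rule is an assumption modelled on the alias check Django uses for annotate(); the `item`/`users` tables, the `widget`/`s3cr3t` rows and the payload string are constructed sample data for this example only.

```python
"""Added example (not Django's or this project's code): how a JSON object key
passed as a values() *arg can become SQL when it is spliced into a column
alias, and the validation that stops it.

Assumption: FORBIDDEN_ALIAS is modelled on Django's alias check; the schema
and rows are constructed for this demo.
"""
import re
import sqlite3

# Whitespace, quotes, brackets, semicolons and comment tokens have no business in
# an identifier that came from user input.
FORBIDDEN_ALIAS = re.compile(r"""['`"\]\[;\s]|--|/\*|\*/""")


class InvalidAlias(ValueError):
    """Raised for an alias that could alter the surrounding statement."""


def check_alias(alias: str) -> str:
    """Return `alias` unchanged if it is safe to quote as an identifier."""
    if not alias or FORBIDDEN_ALIAS.search(alias):
        raise InvalidAlias(f"Column alias {alias!r} contains forbidden characters")
    return alias


def vulnerable_values_sql(column: str, key: str) -> str:
    # Deliberately vulnerable: the key is quoted but never validated, so a
    # double quote inside it closes the identifier early.
    return f'SELECT {column} AS "{key}" FROM item'


def fixed_values_sql(column: str, key: str) -> str:
    # Same shape, but the alias is validated before it reaches the statement.
    return f'SELECT {column} AS "{check_alias(key)}" FROM item'


def _connect() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO item (name) VALUES ('widget');
        INSERT INTO users (secret) VALUES ('s3cr3t');
        """
    )
    return conn


def run(sql: str):
    """Execute `sql` and return (column names, rows)."""
    conn = _connect()
    try:
        cur = conn.execute(sql)
        return [d[0] for d in cur.description], cur.fetchall()
    finally:
        conn.close()


# A "JSON key" that is really a second select list entry.
PAYLOAD = 'n", (SELECT secret FROM users) AS "leak'


def demo() -> dict:
    """Show the payload pulling a column from another table through the alias,
    then the fixed builder rejecting it while still serving a benign key."""
    vuln_cols, vuln_rows = run(vulnerable_values_sql("name", PAYLOAD))
    try:
        fixed_values_sql("name", PAYLOAD)
        fixed_rejected = False
    except InvalidAlias:
        fixed_rejected = True
    fixed_cols, _ = run(fixed_values_sql("name", "title"))
    return {
        "vulnerable_columns": vuln_cols,
        "vulnerable_row": vuln_rows[0],
        "fixed_rejected": fixed_rejected,
        "fixed_columns": fixed_cols,
    }


if __name__ == "__main__":
    print(demo())
```

Quoting an identifier is not the same as validating it: the payload survives quoting because it carries its own closing quote. The fix is to reject anything that is not a plain identifier before it is ever concatenated, which is also the rule to apply in your own code wherever a JSON key or other caller-controlled string is used as a column name or alias.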
Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 24f50a4 to 918e8cb on August 7, 2024 20:44
@renovate renovate bot changed the title from "fix(deps): update dependency django to v5.0.7 [security]" to "fix(deps): update dependency django to v5.0.8 [security]" on Aug 7, 2024
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from 918e8cb to ebc3e79 on August 11, 2024 00:27
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from ebc3e79 to 90d2756 on September 10, 2024 22:18
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch 2 times, most recently from 53fa280 to dfb7242 on September 10, 2024 22:26
@renovate renovate bot enabled auto-merge (squash) on September 10, 2024 23:22
@renovate renovate bot force-pushed the renovate/pypi-django-vulnerability branch from dfb7242 to 522f098 on September 10, 2024 23:22
@renovate renovate bot merged commit ab481a9 into main Sep 10, 2024
11 of 15 checks passed
@renovate renovate bot deleted the renovate/pypi-django-vulnerability branch September 10, 2024 23:34