
Update dependency Django to v4.1.10 [SECURITY] - autoclosed #18

Closed

@renovate renovate bot commented Aug 11, 2022

Mend Renovate

This PR contains the following updates:

Package: Django (source, changelog)
Change: ==4.0.5 -> ==4.1.10

GitHub Vulnerability Alerts

CVE-2022-36359

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

CVE-2023-36053

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

CVE-2023-24580

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

CVE-2023-31047

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
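The four advisories above state their affected ranges in prose; the following is an added example (not part of this Renovate PR or of Django) that transcribes those ranges into a dependency check over a pinned Django version read from a Pipfile.lock. The Pipfile.lock content is constructed, and `parse_version` assumes plain numeric X.Y[.Z] pins with no pre-release tags.

```python
import json
from typing import List, Optional, Tuple

# Affected ranges as stated in the four advisories above, per CVE:
# (lower bound, inclusive; upper bound, exclusive). "4 before 4.1.10" and
# "4.x before 4.1.9" are read as 4.0 <= version < fixed version.
ADVISORIES = {
    "CVE-2022-36359": [("3.2", "3.2.15"), ("4.0", "4.0.7")],
    "CVE-2023-36053": [("3.2", "3.2.20"), ("4.0", "4.1.10"), ("4.2", "4.2.3")],
    "CVE-2023-24580": [("3.2", "3.2.18"), ("4.0", "4.0.10"), ("4.1", "4.1.7")],
    "CVE-2023-31047": [("3.2", "3.2.19"), ("4.0", "4.1.9"), ("4.2", "4.2.1")],
}

# Constructed sample Pipfile.lock (not the repository's file): pins the version this PR moves away from.
SAMPLE_PIPFILE_LOCK = """{
  "default": {"django": {"version": "==4.0.5"}}
}"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.1.10' into (4, 1, 10); a missing patch such as '4.1' counts as 0. Numeric pins only."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def affected_by(version: str) -> List[str]:
    """Return the CVE ids from ADVISORIES whose stated ranges contain `version`."""
    v = parse_version(version)
    return [
        cve for cve, ranges in ADVISORIES.items()
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)
    ]


def pinned_django_version(pipfile_lock_text: str) -> Optional[str]:
    """Extract the '==X.Y.Z' pin for Django from Pipfile.lock's default section."""
    data = json.loads(pipfile_lock_text)
    for name, entry in data.get("default", {}).items():
        if name.lower() == "django":
            return entry["version"].lstrip("=")
    return None


if __name__ == "__main__":
    pinned = pinned_django_version(SAMPLE_PIPFILE_LOCK)
    print(pinned, "->", affected_by(pinned) or "no listed CVE applies")
```

The PR's target, 4.1.10, falls outside every listed range, which is the check that justifies the bump.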


Release Notes

django/django (Django)

Versions covered by this update, newest first: v4.1.10, v4.1.9, v4.1.8, v4.1.7, v4.1.6, v4.1.5, v4.1.4, v4.1.3, v4.1.2, v4.1.1, v4.1, v4.0.10, v4.0.9, v4.0.8, v4.0.7, v4.0.6.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.


renovate bot commented Aug 11, 2022

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Pipfile.lock
Command failed: install-tool pipenv 2023.12.1

@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from f719d3e to 13fae11 Compare August 11, 2022 19:37
@renovate renovate bot changed the title Update dependency Django to v4.1 [SECURITY] Update dependency Django to v4.0.7 [SECURITY] Aug 11, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 13fae11 to c8c2a0b Compare August 19, 2022 19:00
@renovate renovate bot changed the title Update dependency Django to v4.0.7 [SECURITY] Update dependency Django to v4.1 [SECURITY] Aug 19, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from c8c2a0b to ff4e677 Compare August 19, 2022 21:11
@renovate renovate bot changed the title Update dependency Django to v4.1 [SECURITY] Update dependency Django to v4.0.7 [SECURITY] Aug 19, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from ff4e677 to b20e7a7 Compare August 20, 2022 16:18
@renovate renovate bot changed the title Update dependency Django to v4.0.7 [SECURITY] Update dependency Django to v4.1 [SECURITY] Aug 20, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from b20e7a7 to 75eb936 Compare August 20, 2022 18:46
@renovate renovate bot changed the title Update dependency Django to v4.1 [SECURITY] Update dependency Django to v4.0.7 [SECURITY] Aug 20, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 75eb936 to 5936e5d Compare August 22, 2022 15:11
@renovate renovate bot changed the title Update dependency Django to v4.0.7 [SECURITY] Update dependency Django to v4.1 [SECURITY] Aug 22, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 5936e5d to 46cc2a4 Compare August 22, 2022 18:05
@renovate renovate bot changed the title Update dependency Django to v4.1 [SECURITY] Update dependency Django to v4.0.7 [SECURITY] Aug 22, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 46cc2a4 to f5c2bd6 Compare August 23, 2022 00:05
@renovate renovate bot changed the title Update dependency Django to v4.0.7 [SECURITY] Update dependency Django to v4.1 [SECURITY] Aug 23, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from f5c2bd6 to a7579aa Compare August 23, 2022 05:43
@renovate renovate bot changed the title Update dependency Django to v4.1 [SECURITY] Update dependency Django to v4.0.7 [SECURITY] Aug 23, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from a7579aa to 7503739 Compare August 30, 2022 11:23
@renovate renovate bot changed the title Update dependency Django to v4.0.7 [SECURITY] Update dependency Django to v4.1 [SECURITY] Aug 30, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 7503739 to 9e464af Compare August 30, 2022 15:14
@renovate renovate bot changed the title Update dependency Django to v4.1 [SECURITY] Update dependency Django to v4.0.7 [SECURITY] Aug 30, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 9e464af to a0e74f3 Compare September 2, 2022 06:15
@renovate renovate bot changed the title Update dependency Django to v4.0.7 [SECURITY] Update dependency Django to v4.1 [SECURITY] Sep 2, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from a0e74f3 to 5c8072e Compare September 2, 2022 12:13
@renovate renovate bot changed the title Update dependency Django to v4.1 [SECURITY] Update dependency Django to v4.0.7 [SECURITY] Sep 2, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 5c8072e to a17855f Compare September 25, 2022 22:11
@renovate renovate bot changed the title Update dependency Django to v4.0.7 [SECURITY] Update dependency Django to v4.1.1 [SECURITY] Sep 25, 2022
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from a17855f to 2c3b6c3 Compare November 20, 2022 18:11
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 8de7d34 to e63c8a8 Compare January 4, 2024 13:49
@renovate renovate bot changed the title Update dependency Django to v4.1.10 [SECURITY] Update dependency Django to v4.2.9 [SECURITY] Jan 4, 2024
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from e63c8a8 to b7d8962 Compare January 4, 2024 16:40
@renovate renovate bot changed the title Update dependency Django to v4.2.9 [SECURITY] Update dependency Django to v4.1.10 [SECURITY] Jan 4, 2024
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from b7d8962 to 0c48386 Compare January 9, 2024 08:29
@renovate renovate bot changed the title Update dependency Django to v4.1.10 [SECURITY] Update dependency Django to v4.2.9 [SECURITY] Jan 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 0c48386 to 3228a86 Compare January 9, 2024 09:47
@renovate renovate bot changed the title Update dependency Django to v4.2.9 [SECURITY] Update dependency Django to v4.1.10 [SECURITY] Jan 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 3228a86 to 85afa19 Compare January 16, 2024 11:27
@renovate renovate bot changed the title Update dependency Django to v4.1.10 [SECURITY] Update dependency Django to v4.2.9 [SECURITY] Jan 16, 2024
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 85afa19 to c6ea7d9 Compare January 16, 2024 14:08
@renovate renovate bot changed the title Update dependency Django to v4.2.9 [SECURITY] Update dependency Django to v4.1.10 [SECURITY] Jan 16, 2024
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from c6ea7d9 to 9215bc0 Compare February 6, 2024 18:49
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 9215bc0 to de9a35d Compare March 4, 2024 13:08
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from de9a35d to 996940b Compare April 3, 2024 23:01
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch 2 times, most recently from a373912 to 051ec43 Compare May 7, 2024 22:08
@renovate renovate bot changed the title Update dependency Django to v4.1.10 [SECURITY] Update dependency Django to v4.1.10 [SECURITY] - autoclosed Jul 7, 2024
@renovate renovate bot closed this Jul 7, 2024
@renovate renovate bot deleted the renovate/pypi-Django-vulnerability branch July 7, 2024 13:36
@renovate renovate bot changed the title Update dependency Django to v4.1.10 [SECURITY] - autoclosed Update dependency Django to v4.1.10 [SECURITY] Jul 7, 2024
@renovate renovate bot restored the renovate/pypi-Django-vulnerability branch July 7, 2024 15:50
@renovate renovate bot reopened this Jul 7, 2024
@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 051ec43 to 7f3ec29 Compare July 7, 2024 15:50

renovate bot commented Jul 7, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Pipfile.lock
Command failed: install-tool pipenv 2024.0.1

@renovate renovate bot force-pushed the renovate/pypi-Django-vulnerability branch from 7f3ec29 to 99e1de6 Compare July 9, 2024 18:55
@renovate renovate bot changed the title Update dependency Django to v4.1.10 [SECURITY] Update dependency Django to v4.1.10 [SECURITY] - autoclosed Aug 6, 2024
@renovate renovate bot closed this Aug 6, 2024
@renovate renovate bot deleted the renovate/pypi-Django-vulnerability branch August 6, 2024 08:11