Python/django/2.0.9
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
https://pypi.org/project/django
BSD
5 Security Vulnerabilities
Improper Input Validation in Django
Published date: 2019-01-14T16:20:05Z
CVE: CVE-2019-3498
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-3498
- https://github.com/advisories/GHSA-337x-4q8g-prc5
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/VYU7xQQTEPQ
- https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/
- https://usn.ubuntu.com/3851-1/
- https://www.debian.org/security/2019/dsa-4363
- https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
- http://www.securityfocus.com/bid/106453
- https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106453
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Affected versions:
["2.1", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.10b1", "1.10rc1", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "1.11a1", "1.11b1", "1.11rc1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.19", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Path Traversal in Django
Published date: 2021-06-10T17:21:00Z
CVE: CVE-2021-33203
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33203
- https://github.com/advisories/GHSA-68w8-qjq3-2gfm
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://security.netapp.com/advisory/ntap-20210727-0004/
- https://github.com/django/django/commit/053cc9534d174dc89daba36724ed2dcb36755b90
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://github.com/django/django/commit/20c67a0693c4ede2b09af02574823485e82e4c8f
- https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9
- https://docs.djangoproject.com/en/3.2/releases/security
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-98.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20210727-0004
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
Affected versions:
["1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.10b1", "1.10rc1", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.20", "1.11.21", "1.11.22", "1.11.23", "1.11.24", "1.11.25", "1.11.26", "1.11.27", "1.11.28", "1.11.29", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "1.11a1", "1.11b1", "1.11rc1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.19", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", "1.9a1", "1.9b1", "1.9rc1", "1.9rc2", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0a1", "2.0b1", "2.0rc1", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.14", "2.2.15", "2.2.16", "2.2.17", "2.2.18", "2.2.19", "2.2.2", "2.2.20", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1", "2.2.21", "2.2.22", "2.2.23"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
Published date: 2019-04-26T16:29:11Z
CVE: CVE-2019-11358
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-11358
- https://backdropcms.org/security/backdrop-sa-core-2019-009
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
- https://github.com/jquery/jquery/pull/4333
- https://snyk.io/vuln/SNYK-JS-JQUERY-174006
- https://www.drupal.org/sa-core-2019-006
- https://access.redhat.com/errata/RHSA-2019:3023
- https://access.redhat.com/errata/RHSA-2019:3024
- https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E
- https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html
- https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/
- https://security.netapp.com/advisory/ntap-20190919-0001/
- https://www.debian.org/security/2019/dsa-4434
- https://www.debian.org/security/2019/dsa-4460
- https://www.synology.com/security/advisory/Synology_SA_19_19
- https://www.tenable.com/security/tns-2019-08
- https://www.tenable.com/security/tns-2020-02
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
- http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
- http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
- http://www.openwall.com/lists/oss-security/2019/06/03/2
- https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
- https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml
- https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226
- https://access.redhat.com/errata/RHBA-2019:1570
- https://access.redhat.com/errata/RHSA-2019:1456
- https://access.redhat.com/errata/RHSA-2019:2587
- https://seclists.org/bugtraq/2019/Apr/32
- https://seclists.org/bugtraq/2019/Jun/12
- https://seclists.org/bugtraq/2019/May/18
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/
- http://seclists.org/fulldisclosure/2019/May/10
- http://seclists.org/fulldisclosure/2019/May/11
- http://seclists.org/fulldisclosure/2019/May/13
- https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1
- https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023
- https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f
- https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829
- https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://www.djangoproject.com/weblog/2019/jun/03/security-releases/
- http://www.securityfocus.com/bid/108023
- https://github.com/advisories/GHSA-6c3j-c64m-qhgq
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released
- https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E
- https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E
- https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5
- https://security.netapp.com/advisory/ntap-20190919-0001
- https://www.djangoproject.com/weblog/2019/jun/03/security-releases
- https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery
- https://github.com/maximebf/php-debugbar/issues/447
- https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Affected versions:
["2.0b1", "2.0rc1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2a1", "2.2b1", "2.2rc1", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0a1", "2.1", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1a1"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Uncontrolled Memory Consumption in Django
Published date: 2019-02-12T15:36:37Z
CVE: CVE-2019-6975
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-6975
- https://github.com/advisories/GHSA-wh4h-v3f2-r2pp
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/WTwEAprR0IQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/
- https://seclists.org/bugtraq/2019/Jul/10
- https://usn.ubuntu.com/3890-1/
- https://www.debian.org/security/2019/dsa-4476
- https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
- https://www.openwall.com/lists/oss-security/2019/02/11/1
- http://www.securityfocus.com/bid/106964
- https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227
- https://github.com/django/django/commit/1f42f82566c9d2d73aff1c42790d6b1b243f7676
- https://github.com/django/django/commit/40cd19055773705301c3428ed5e08a036d2091f3
- https://web.archive.org/web/20200227084713/http://www.securityfocus.com/bid/106964
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
Affected versions:
["2.1", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.0", "2.0.1", "2.0.10", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.10.8", "1.10a1", "1.10b1", "1.10rc1", "1.11", "1.11.1", "1.11.10", "1.11.11", "1.11.12", "1.11.13", "1.11.14", "1.11.15", "1.11.16", "1.11.17", "1.11.18", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.11.8", "1.11.9", "1.11a1", "1.11b1", "1.11rc1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.16", "1.8.17", "1.8.18", "1.8.19", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
Data leakage via cache key collision in Django
Published date: 2020-06-05T16:20:44Z
CVE: CVE-2020-13254
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13254
- https://github.com/advisories/GHSA-wpjr-j57x-wxfw
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
- https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
- https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://security.netapp.com/advisory/ntap-20200611-0002/
- https://usn.ubuntu.com/4381-1/
- https://usn.ubuntu.com/4381-2/
- https://www.debian.org/security/2020/dsa-4705
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/django/django/commit/07e59caa02831c4569bbebb9eb773bdd9cb4b206
- https://github.com/django/django/commit/84b2da5552e100ae3294f564f6c862fef8d0e693
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
Affected versions:
["3.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1", "2.1.1", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1.9", "2.1a1", "2.1b1", "2.1rc1", "2.2", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7", "2.2.8", "2.2.9", "2.2a1", "2.2b1", "2.2rc1"]
Secure versions:
[3.0a1, 3.1.12, 3.1.13, 3.1.14, 2.2.27, 2.2.28, 4.2a1, 4.2b1, 4.2rc1, 5.0a1, 5.0b1, 4.1.13, 5.0rc1, 3.2.25, 4.2.11, 5.0.3, 5.0.4, 4.2.12, 5.0.5, 4.2.13, 5.0.6, 5.1a1, 5.1b1, 4.2.14, 5.0.7, 5.1rc1, 4.2.15, 5.0.8, 5.1, 4.2.16, 5.0.9, 5.1.1, 5.1.2, 5.1.3]
Recommendation:
Update to version 5.1.3.
373 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 1.10.6 | BSD | 8 | 2017-03-01 - 13:37 | over 7 years |
| 1.10.5 | BSD | 8 | 2017-01-04 - 19:22 | almost 8 years |
| 1.10.4 | BSD | 8 | 2016-12-01 - 23:46 | almost 8 years |
| 1.10.3 | BSD | 8 | 2016-11-01 - 13:56 | about 8 years |
| 1.10.2 | BSD | 10 | 2016-10-01 - 20:05 | about 8 years |
| 1.10.1 | BSD | 10 | 2016-09-01 - 23:17 | about 8 years |
| 1.10 | BSD | 10 | 2016-08-01 - 18:32 | over 8 years |
| 1.9.13 | BSD | 5 | 2017-04-04 - 14:14 | over 7 years |
| 1.9.12 | BSD | 7 | 2016-12-01 - 23:16 | almost 8 years |
| 1.9.11 | BSD | 7 | 2016-11-01 - 14:02 | about 8 years |
| 1.9.10 | BSD | 9 | 2016-09-26 - 18:32 | about 8 years |
| 1.9.9 | BSD | 10 | 2016-08-01 - 18:10 | over 8 years |
| 1.9.8 | BSD | 10 | 2016-07-18 - 18:19 | over 8 years |
| 1.9.7 | BSD | 11 | 2016-06-04 - 23:43 | over 8 years |
| 1.9.6 | BSD | 11 | 2016-05-02 - 22:33 | over 8 years |
| 1.9.5 | BSD | 11 | 2016-04-01 - 17:47 | over 8 years |
| 1.9.4 | BSD | 11 | 2016-03-05 - 14:31 | over 8 years |
| 1.9.3 | BSD | 11 | 2016-03-01 - 17:00 | over 8 years |
| 1.9.2 | BSD | 12 | 2016-02-01 - 17:17 | almost 9 years |
| 1.9.1 | BSD | 13 | 2016-01-02 - 13:50 | almost 9 years |
| 1.9 | BSD | 13 | 2015-12-01 - 23:55 | almost 9 years |
| 1.8.19 | BSD | 5 | 2018-03-06 - 14:22 | over 6 years |
| 1.8.18 | BSD | 7 | 2017-04-04 - 14:07 | over 7 years |
| 1.8.17 | BSD | 9 | 2016-12-01 - 23:03 | almost 8 years |
| 1.8.16 | BSD | 9 | 2016-11-01 - 14:09 | about 8 years |
| 1.8.15 | BSD | 11 | 2016-09-26 - 18:30 | about 8 years |
| 1.8.14 | BSD | 12 | 2016-07-18 - 18:38 | over 8 years |
| 1.8.13 | BSD | 13 | 2016-05-02 - 22:49 | over 8 years |
| 1.8.12 | BSD | 13 | 2016-04-01 - 17:54 | over 8 years |
| 1.8.11 | BSD | 13 | 2016-03-05 - 18:36 | over 8 years |
| 1.8.10 | BSD | 13 | 2016-03-01 - 17:10 | over 8 years |
| 1.8.9 | BSD | 15 | 2016-02-01 - 17:24 | almost 9 years |
| 1.8.8 | BSD | 15 | 2016-01-02 - 14:28 | almost 9 years |
| 1.8.7 | BSD | 15 | 2015-11-24 - 17:28 | almost 9 years |
| 1.8.6 | BSD | 15 | 2015-11-04 - 17:03 | about 9 years |
| 1.8.5 | BSD | 15 | 2015-10-04 - 00:06 | about 9 years |
| 1.8.4 | BSD | 15 | 2015-08-18 - 17:06 | about 9 years |
| 1.8.3 | BSD | 16 | 2015-07-08 - 19:43 | over 9 years |
| 1.8.2 | BSD | 17 | 2015-05-20 - 18:02 | over 9 years |
| 1.8.1 | BSD | 17 | 2015-05-01 - 20:36 | over 9 years |
| 1.8 | BSD | 17 | 2015-04-01 - 20:12 | over 9 years |
| 1.7.11 | BSD | 9 | 2015-11-24 - 17:19 | almost 9 years |
| 1.7.10 | BSD | 10 | 2015-08-18 - 17:15 | about 9 years |
| 1.7.9 | BSD | 11 | 2015-07-08 - 21:33 | over 9 years |
| 1.7.8 | BSD | 11 | 2015-05-01 - 20:42 | over 9 years |
| 1.7.7 | BSD | 11 | 2015-03-18 - 23:49 | over 9 years |
| 1.7.6 | BSD | 11 | 2015-03-09 - 15:30 | over 9 years |
| 1.7.5 | BSD | 12 | 2015-02-25 - 13:58 | over 9 years |
| 1.7.4 | BSD | 12 | 2015-01-27 - 17:22 | almost 10 years |
| 1.7.3 | BSD | 12 | 2015-01-13 - 18:39 | almost 10 years |
| 1.7.2 | BSD | 12 | 2015-01-03 - 01:37 | almost 10 years |
| 1.7.1 | BSD | 12 | 2014-10-22 - 16:56 | about 10 years |
| 1.7 | BSD | 12 | 2014-09-02 - 21:09 | about 10 years |
| 1.6.11 | BSD | 10 | 2015-03-18 - 23:57 | over 9 years |
| 1.6.10 | BSD | 10 | 2015-01-13 - 18:48 | almost 10 years |
| 1.6.9 | BSD | 10 | 2015-01-03 - 01:52 | almost 10 years |
| 1.6.8 | BSD | 10 | 2014-10-22 - 16:50 | about 10 years |
| 1.6.7 | BSD | 10 | 2014-09-02 - 20:55 | about 10 years |
| 1.6.6 | BSD | 10 | 2014-08-20 - 20:17 | about 10 years |
| 1.6.5 | BSD | 11 | 2014-05-14 - 18:33 | over 10 years |
| 1.6.4 | BSD | 13 | 2014-04-28 - 20:40 | over 10 years |
| 1.6.3 | BSD | 13 | 2014-04-21 - 23:12 | over 10 years |
| 1.6.2 | BSD | 13 | 2014-02-06 - 21:51 | almost 11 years |
| 1.6.1 | BSD | 13 | 2013-12-12 - 20:04 | almost 11 years |
| 1.6 | BSD | 13 | 2013-11-06 - 15:01 | about 11 years |
| 1.5.12 | BSD | 10 | 2015-01-03 - 02:09 | almost 10 years |
| 1.5.11 | BSD | 10 | 2014-10-22 - 16:45 | about 10 years |
| 1.5.10 | BSD | 10 | 2014-09-02 - 20:51 | about 10 years |
| 1.5.9 | BSD | 10 | 2014-08-20 - 20:10 | about 10 years |
| 1.5.8 | BSD | 10 | 2014-05-14 - 18:35 | over 10 years |
| 1.5.7 | BSD | 12 | 2014-04-28 - 20:35 | over 10 years |
| 1.5.6 | BSD | 12 | 2014-04-21 - 22:53 | over 10 years |
| 1.5.5 | BSD | 12 | 2013-10-25 - 04:32 | about 11 years |
| 1.5.4 | BSD | 12 | 2013-09-15 - 06:30 | about 11 years |
| 1.5.3 | BSD | 13 | 2013-09-11 - 01:26 | about 11 years |
| 1.5.2 | BSD | 14 | 2013-08-13 - 16:54 | over 11 years |
| 1.5.1 | BSD | 16 | 2013-03-28 - 20:57 | over 11 years |
| 1.5 | BSD | 16 | 2013-02-26 - 19:30 | over 11 years |
| 1.4.22 | BSD | 10 | 2015-08-18 - 17:22 | about 9 years |
| 1.4.21 | BSD | 11 | 2015-07-08 - 19:56 | over 9 years |
| 1.4.20 | BSD | 13 | 2015-03-19 - 00:03 | over 9 years |
| 1.4.19 | BSD | 13 | 2015-01-27 - 17:11 | almost 10 years |
| 1.4.18 | BSD | 13 | 2015-01-13 - 18:54 | almost 10 years |
| 1.4.17 | BSD | 16 | 2015-01-03 - 02:20 | almost 10 years |
| 1.4.16 | BSD | 16 | 2014-10-22 - 16:37 | about 10 years |
| 1.4.15 | BSD | 16 | 2014-09-02 - 20:44 | about 10 years |
| 1.4.14 | BSD | 16 | 2014-08-20 - 20:01 | about 10 years |
| 1.4.13 | BSD | 19 | 2014-05-14 - 18:27 | over 10 years |
| 1.4.12 | BSD | 21 | 2014-04-28 - 20:30 | over 10 years |
| 1.4.11 | BSD | 21 | 2014-04-21 - 22:40 | over 10 years |
| 1.4.10 | BSD | 23 | 2013-11-06 - 14:21 | about 11 years |
| 1.4.9 | BSD | 23 | 2013-10-25 - 04:38 | about 11 years |
| 1.4.8 | BSD | 23 | 2013-09-15 - 06:22 | about 11 years |
| 1.4.7 | BSD | 24 | 2013-09-11 - 01:18 | about 11 years |
| 1.4.6 | BSD | 25 | 2013-08-13 - 16:52 | over 11 years |
| 1.4.5 | BSD | 26 | 2013-02-20 - 19:54 | over 11 years |
| 1.4.4 | BSD | 26 | 2013-02-19 - 20:27 | over 11 years |
| 1.4.3 | BSD | 28 | 2012-12-10 - 21:46 | almost 12 years |
| 1.4.2 | BSD | 28 | 2012-10-17 - 22:18 | about 12 years |
| 1.4.1 | BSD | 29 | 2012-07-30 - 22:48 | over 12 years |