FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
002432c8-ef6a-11ea-ba8f-08002728f74cDjango -- multiple vulnerabilities

Django Release notes:

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than 0o077 (no group or others permissions).


Discovery 2020-09-01
Entry 2020-09-05
py35-django22
py36-django22
py37-django22
py38-django22
< 2.2.16

py36-django30
py37-django30
py38-django30
< 3.0.10

py36-django31
py37-django31
py38-django31
< 3.1.1

https://docs.djangoproject.com/en/2.2/releases/2.2.16/
https://docs.djangoproject.com/en/3.0/releases/3.0.10/
https://docs.djangoproject.com/en/3.1/releases/3.1.1/
CVE-2020-24583
CVE-2020-24584
1685144e-63ff-11ea-a93a-080027846a02Django -- potential SQL injection vulnerability

MITRE CVE reports:

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.


Discovery 2020-02-25
Entry 2020-03-12
py27-django111
py35-django111
py36-django111
py37-django111
py38-django111
< 1.11.29

py35-django22
py36-django22
py37-django22
py38-django22
< 2.2.11

py36-django30
py37-django30
py38-django30
< 3.0.4

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
CVE-2020-9402
1766359c-ad6e-11eb-b2a4-080027e50e6dDjango -- multiple vulnerabilities

Django Release reports:

CVE-2021-31542:Potential directory-traversal via uploaded files.

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.


Discovery 2021-04-22
Entry 2021-05-05
py36-django22
py37-django22
py38-django22
py39-django22
< 2.2.21

py36-django31
py37-django31
py38-django31
py39-django31
< 3.1.9

py36-django32
py37-django32
py38-django32
py39-django32
< 3.2.1

https://www.djangoproject.com/weblog/2021/may/04/security-releases/
CVE-2021-31542
4e3fa78b-1577-11ea-b66e-080027bdabe8Django -- multiple vulnerabilities

Django release reports:

CVE-2019-19118: Privilege escalation in the Django admin.

Since Django 2.1, a Django model admin displaying a parent model with related model inlines, where the user has view-only permissions to a parent model but edit permissions to the inline model, would display a read-only view of the parent model but editable forms for the inline.

Submitting these forms would not allow direct edits to the parent model, but would trigger the parent model's save() method, and cause pre and post-save signal handlers to be invoked. This is a privilege escalation as a user who lacks permission to edit a model should not be able to trigger its save-related signals.


Discovery 2019-11-25
Entry 2019-12-03
py35-django21
py36-django21
py37-django21
py38-django21
< 2.1.15

py35-django22
py36-django22
py37-django22
py38-django22
< 2.2.8

https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
CVE-2019-19118
597d02ce-a66c-11ea-af32-080027846a02Django -- multiple vulnerabilities

Django security release reports:

CVE-2020-13254: Potential data leakage via malformed memcached keys

In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.


Discovery 2020-06-01
Entry 2020-06-04
py36-django22
py37-django22
py38-django22
< 2.2.13

py36-django30
py37-django30
py38-django30
< 3.0.7

https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
CVE-2020-13254
CVE-2020-13596
5a45649a-4777-11ea-bdec-08002728f74cDjango -- potential SQL injection vulnerability

MITRE CVE reports:

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.


Discovery 2020-02-03
Entry 2020-02-04
py27-django111
py35-django111
py36-django111
py37-django111
py38-django111
< 1.11.28

py35-django22
py36-django22
py37-django22
py38-django22
< 2.2.10

py36-django30
py37-django30
py38-django30
< 3.0.3

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
https://docs.djangoproject.com/en/1.11/releases/1.11.28/
https://docs.djangoproject.com/en/2.2/releases/2.2.10/
https://docs.djangoproject.com/en/3.0/releases/3.0.3/
CVE-2020-7471
6e65dfea-b614-11e9-a3a2-1506e15611ccDjango -- multiple vulnerabilities

Django release notes:

CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable

The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now avoids recursive calls to HTMLParser when progress removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().

CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField

Key and index lookups for JSONField and key lookups for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().

CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

If passed certain inputs, django.utils.encoding.uri_to_iri() could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.

uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 octet sequences.


Discovery 2019-08-01
Entry 2019-08-03
py27-django111
py35-django111
py36-django111
py37-django111
< 1.11.23

py27-django21
py35-django21
py36-django21
py37-django21
< 2.1.11

py27-django22
py35-django22
py36-django22
py37-django22
< 2.2.4

https://docs.djangoproject.com/en/1.11/releases/1.11.23/
https://docs.djangoproject.com/en/2.1/releases/2.1.11/
https://docs.djangoproject.com/en/2.2/releases/2.2.4/
CVE-2019-14232
CVE-2019-14233
CVE-2019-14234
CVE-2019-14235
b805d7b4-9c0c-11e9-97f0-000c29e96db4Django -- Incorrect HTTP detection with reverse-proxy connecting via HTTPS

Django security releases issued:

When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.


Discovery 2019-07-01
Entry 2019-07-01
py27-django111
py35-django111
py36-django111
py37-django111
< 1.11.22

py35-django21
py36-django21
py37-django21
< 2.1.10

py35-django22
py36-django22
py37-django22
< 2.2.3

CVE-2019-12781
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
ffc73e87-87f0-11e9-ad56-fcaa147e860eDjango -- AdminURLFieldWidget XSS

Django security releases issued:

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link..

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.


Discovery 2019-06-03
Entry 2019-06-06
py27-django111
py35-django111
py36-django111
py37-django111
< 1.11.21

py35-django21
py36-django21
py37-django21
< 2.1.9

py35-django22
py36-django22
py37-django22
< 2.2.2

CVE-2019-12308
CVE-2019-11358
https://www.djangoproject.com/weblog/2019/jun/03/security-releases/