Update dependency django to v4 [SECURITY] #710
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==3.0.5
->==4.2.16
GitHub Vulnerability Alerts
CVE-2020-24584
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.
CVE-2021-3281
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
CVE-2020-24583
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.
CVE-2020-13254
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
CVE-2021-35042
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
CVE-2021-31542
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVE-2021-33203
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
CVE-2020-13596
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
CVE-2021-44420
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.
CVE-2021-28658
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
CVE-2021-33571
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .
CVE-2024-45231
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Release Notes
django/django (django)
v4.2.16
Compare Source
v4.2.15
Compare Source
v4.2.14
Compare Source
v4.2.13
Compare Source
v4.2.12
Compare Source
v4.2.11
Compare Source
v4.2.10
Compare Source
v4.2.9
Compare Source
v4.2.8
Compare Source
v4.2.7
Compare Source
v4.2.6
Compare Source
v4.2.5
Compare Source
v4.2.4
Compare Source
v4.2.3
Compare Source
v4.2.2
Compare Source
v4.2.1
Compare Source
v4.2
Compare Source
v4.1.13
Compare Source
v4.1.12
Compare Source
v4.1.11
Compare Source
v4.1.10
Compare Source
v4.1.9
Compare Source
v4.1.8
Compare Source
v4.1.7
Compare Source
v4.1.6
Compare Source
v4.1.5
Compare Source
v4.1.4
Compare Source
v4.1.3
Compare Source
v4.1.2
Compare Source
v4.1.1
Compare Source
v4.1
Compare Source
v4.0.10
Compare Source
v4.0.9
Compare Source
v4.0.8
Compare Source
v4.0.7
Compare Source
v4.0.6
Compare Source
v4.0.5
Compare Source
v4.0.4
Compare Source
v4.0.3
Compare Source
v4.0.2
Compare Source
v4.0.1
Compare Source
v4.0
Compare Source
v3.2.25
Compare Source
v3.2.24
Compare Source
v3.2.23
Compare Source
v3.2.22
Compare Source
v3.2.21
Compare Source
v3.2.20
Compare Source
v3.2.19
Compare Source
v3.2.18
Compare Source
v3.2.17
Compare Source
v3.2.16
Compare Source
v3.2.15
Compare Source
v3.2.14
Compare Source
v3.2.13
Compare Source
v3.2.12
Compare Source
v3.2.11
Compare Source
v3.2.10
Compare Source
v3.2.9
Compare Source
v3.2.8
Compare Source
v3.2.7
Compare Source
v3.2.6
Compare Source
v3.2.5
Compare Source
v3.2.4
Compare Source
v3.2.3
Compare Source
v3.2.2
Compare Source
v3.2.1
Compare Source
v3.2
Compare Source
v3.1.14
Compare Source
v3.1.13
Compare Source
v3.1.12
Compare Source
v3.1.11
Compare Source
v3.1.10
Compare Source
v3.1.9
Compare Source
v3.1.8
Compare Source
v3.1.7
Compare Source
v3.1.6
Compare Source
v3.1.5
Compare Source
v3.1.4
Compare Source
v3.1.3
Compare Source
v3.1.2
Compare Source
v3.1.1
Compare Source
v3.1
Compare Source
v3.0.14
Compare Source
v3.0.13
Compare Source
v3.0.12
Compare Source
v3.0.11
Compare Source
v3.0.10
Compare Source
v3.0.9
Compare Source
v3.0.8
Compare Source
v3.0.7
Compare Source
v3.0.6
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.