From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Korsgaard Date: Thu, 06 Jun 2019 14:20:54 +0200 Subject: [Buildroot] [PATCH] package/python-django: security bump to version 2.1.9 In-Reply-To: <20190605172307.28636-1-peter@korsgaard.com> (Peter Korsgaard's message of "Wed, 5 Jun 2019 19:23:07 +0200") References: <20190605172307.28636-1-peter@korsgaard.com> Message-ID: <878suenbvd.fsf@dell.be.48ers.dk> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: buildroot@busybox.net >>>>> "Peter" == Peter Korsgaard writes: > Fixes the following security issues: > CVE-2019-12308: AdminURLFieldWidget XSS? > The clickable "Current URL" link generated by AdminURLFieldWidget displayed > the provided value without validating it as a safe URL. Thus, an > unvalidated value stored in the database, or a value provided as a URL query > parameter payload, could result in an clickable JavaScript link. > AdminURLFieldWidget now validates the provided value using URLValidator > before displaying the clickable link. You may customize the validator by > passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. > when using formfield_overrides. > Patched bundled jQuery for CVE-2019-11358: Prototype pollution? > jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of > Object.prototype pollution. If an unsanitized source object contained an > enumerable __proto__ property, it could extend the native Object.prototype. > The bundled version of jQuery used by the Django admin has been patched to > allow for the select2 library?s use of jQuery.extend(). > For more details, see the release notes: > https://docs.djangoproject.com/en/dev/releases/2.1.9/ > Signed-off-by: Peter Korsgaard Committed, thanks. -- Bye, Peter Korsgaard