FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 17:01:17 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
6e65dfea-b614-11e9-a3a2-1506e15611cc	Django -- multiple vulnerabilities Django release notes: CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output. CVE-2019-14233: Denial-of-service possibility in strip_tags() Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable. strip_tags() now avoids recursive calls to HTMLParser when progress removing tags, but necessarily incomplete HTML entities, stops being made. Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape(). CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField Key and index lookups for JSONField and key lookups for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter(). CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri() If passed certain inputs, django.utils.encoding.uri_to_iri() could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences. uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 octet sequences. Discovery 2019-08-01 Entry 2019-08-03 py27-django111 py35-django111 py36-django111 py37-django111 < 1.11.23 py27-django21 py35-django21 py36-django21 py37-django21 < 2.1.11 py27-django22 py35-django22 py36-django22 py37-django22 < 2.2.4 https://docs.djangoproject.com/en/1.11/releases/1.11.23/ https://docs.djangoproject.com/en/2.1/releases/2.1.11/ https://docs.djangoproject.com/en/2.2/releases/2.2.4/ CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
4e3fa78b-1577-11ea-b66e-080027bdabe8	Django -- multiple vulnerabilities Django release reports: CVE-2019-19118: Privilege escalation in the Django admin. Since Django 2.1, a Django model admin displaying a parent model with related model inlines, where the user has view-only permissions to a parent model but edit permissions to the inline model, would display a read-only view of the parent model but editable forms for the inline. Submitting these forms would not allow direct edits to the parent model, but would trigger the parent model's save() method, and cause pre and post-save signal handlers to be invoked. This is a privilege escalation as a user who lacks permission to edit a model should not be able to trigger its save-related signals. Discovery 2019-11-25 Entry 2019-12-03 py35-django21 py36-django21 py37-django21 py38-django21 < 2.1.15 py35-django22 py36-django22 py37-django22 py38-django22 < 2.2.8 https://www.djangoproject.com/weblog/2019/dec/02/security-releases/ CVE-2019-19118

VuXML ID

Description

6e65dfea-b614-11e9-a3a2-1506e15611cc

Django -- multiple vulnerabilities

Django release notes:

CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator

If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable

The regular expressions used by Truncator have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser, django.utils.html.strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now avoids recursive calls to HTMLParser when progress removing tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().

CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField

Key and index lookups for JSONField and key lookups for HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().

CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()

If passed certain inputs, django.utils.encoding.uri_to_iri() could lead to significant memory usage due to excessive recursion when re-percent-encoding invalid UTF-8 octet sequences.

uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 octet sequences.

Discovery 2019-08-01
Entry 2019-08-03
py27-django111
py35-django111
py36-django111
py37-django111

< 1.11.23

py27-django21
py35-django21
py36-django21
py37-django21

< 2.1.11

py27-django22
py35-django22
py36-django22
py37-django22

< 2.2.4

https://docs.djangoproject.com/en/1.11/releases/1.11.23/
https://docs.djangoproject.com/en/2.1/releases/2.1.11/
https://docs.djangoproject.com/en/2.2/releases/2.2.4/
CVE-2019-14232
CVE-2019-14233
CVE-2019-14234
CVE-2019-14235

4e3fa78b-1577-11ea-b66e-080027bdabe8

Django -- multiple vulnerabilities

Django release reports:

CVE-2019-19118: Privilege escalation in the Django admin.

Since Django 2.1, a Django model admin displaying a parent model with related model inlines, where the user has view-only permissions to a parent model but edit permissions to the inline model, would display a read-only view of the parent model but editable forms for the inline.

Submitting these forms would not allow direct edits to the parent model, but would trigger the parent model's save() method, and cause pre and post-save signal handlers to be invoked. This is a privilege escalation as a user who lacks permission to edit a model should not be able to trigger its save-related signals.

Discovery 2019-11-25
Entry 2019-12-03
py35-django21
py36-django21
py37-django21
py38-django21

< 2.1.15

py35-django22
py36-django22
py37-django22
py38-django22

< 2.2.8

https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
CVE-2019-19118