Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⬆️(dependencies) update django to v5.0.8 [SECURITY] #329

Merged
merged 1 commit into from
Aug 8, 2024
Merged

⬆️(dependencies) update django to v5.0.8 [SECURITY] #329

merged 1 commit into from
Aug 8, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 7, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
django (source, changelog) ==5.0.7 -> ==5.0.8 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-41989

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

CVE-2024-41990

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

CVE-2024-42005

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

CVE-2024-41991

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

Release Notes

django/django (django)

v5.0.8

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file noChangeLog labels Aug 7, 2024
@mjeammet mjeammet self-assigned this Aug 8, 2024
mjeammet
mjeammet approved these changes Aug 8, 2024
View reviewed changes
Copy link
Member

@mjeammet mjeammet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked back-end tests suite

@mjeammet mjeammet merged commit d812197 into main Aug 8, 2024
15 checks passed
@mjeammet mjeammet deleted the renovate/pypi-django-vulnerability branch August 8, 2024 09:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mjeammet mjeammet mjeammet approved these changes

Assignees

@mjeammet mjeammet

Labels
dependencies Pull requests that update a dependency file noChangeLog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mjeammet