An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
This PR contains the following updates:
==5.0.6
->==5.0.7
GitHub Vulnerability Alerts
CVE-2024-39330
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the
django.core.files.storage.Storage
base class, when they overridegenerate_filename()
without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during asave()
call. (Built-in Storage sub-classes are unaffected.)CVE-2024-38875
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
CVE-2024-39329
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The
django.contrib.auth.backends.ModelBackend.authenticate()
method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.CVE-2024-39614
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14.
get_supported_language_variant()
was subject to a potential denial-of-service attack when used with very long strings containing specific characters.Release Notes
django/django (Django)
### [`v5.0.7`](https://togithub.com/django/django/compare/5.0.6...5.0.7) [Compare Source](https://togithub.com/django/django/compare/5.0.6...5.0.7)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.