In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
This PR contains the following updates:
==4.2->==4.2.7GitHub Vulnerability Alerts
CVE-2023-36053
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3,
EmailValidatorandURLValidatorare subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.CVE-2023-31047
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
CVE-2023-46695
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Release Notes
django/django (Django)
### [`v4.2.7`](https://togithub.com/django/django/compare/4.2.6...4.2.7) [Compare Source](https://togithub.com/django/django/compare/4.2.6...4.2.7) ### [`v4.2.6`](https://togithub.com/django/django/compare/4.2.5...4.2.6) [Compare Source](https://togithub.com/django/django/compare/4.2.5...4.2.6) ### [`v4.2.5`](https://togithub.com/django/django/compare/4.2.4...4.2.5) [Compare Source](https://togithub.com/django/django/compare/4.2.4...4.2.5) ### [`v4.2.4`](https://togithub.com/django/django/compare/4.2.3...4.2.4) [Compare Source](https://togithub.com/django/django/compare/4.2.3...4.2.4) ### [`v4.2.3`](https://togithub.com/django/django/compare/4.2.2...4.2.3) [Compare Source](https://togithub.com/django/django/compare/4.2.2...4.2.3) ### [`v4.2.2`](https://togithub.com/django/django/compare/4.2.1...4.2.2) [Compare Source](https://togithub.com/django/django/compare/4.2.1...4.2.2) ### [`v4.2.1`](https://togithub.com/django/django/compare/4.2...4.2.1) [Compare Source](https://togithub.com/django/django/compare/4.2...4.2.1)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.