mitodl / ocw-studio

Open Source Courseware authoring tool
BSD 3-Clause "New" or "Revised" License

fix(deps): update dependency social-auth-app-django to v5.4.1 [security] #2167

Closed renovate[bot] closed 2 months ago

renovate[bot] commented 2 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| social-auth-app-django | 5.4.0 -> 5.4.1 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-32879

Impact

Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.

Patches

This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and the fix was released in 5.4.1.

Workarounds

An immediate workaround would be to change collation of the affected field:

```sql
ALTER TABLE `social_auth_association` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;
```

References

This issue was discovered by folks at https://opencraft.com/.


Release Notes

python-social-auth/social-app-django (social-auth-app-django)

### [`v5.4.1`](https://togithub.com/python-social-auth/social-app-django/blob/HEAD/CHANGELOG.md#541---2024-04-24)

[Compare Source](https://togithub.com/python-social-auth/social-app-django/compare/5.4.0...5.4.1)

##### Changed

- Added reverse migration for JSON field
- Fixed improper handling of case sensitivity with MySQL/MariaDB (CVE-2024-32879)

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
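The collation problem the advisory above describes, as an added example that is not part of this PR or of the social-auth-app-django project: SQLite's `NOCASE` stands in for the default case-insensitive collation of MySQL/MariaDB and `BINARY` for the `utf8_bin` collation of the workaround, and it also shows an application-side exact-match re-check that holds even when the database collation is lenient. The table name, column names and sample row are constructed for the demonstration, not the project's schema.

```python
import sqlite3

# Constructed sample row: one linked third-party account. The provider ID
# "AliceDev" belongs to local user "alice". Under a case-insensitive
# collation, a *different* provider ID such as "alicedev" also matches it.
ROWS = [("github", "AliceDev", "alice")]


def build_db(collation: str) -> sqlite3.Connection:
    """Create an in-memory table whose uid column uses the given collation.
    NOCASE models the MySQL/MariaDB default; BINARY models utf8_bin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE social_auth ("  # hypothetical table, not the real schema
        "provider TEXT, "
        f"uid TEXT COLLATE {collation}, "
        "username TEXT)"
    )
    conn.executemany("INSERT INTO social_auth VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_users(conn: sqlite3.Connection, provider: str, uid: str) -> list:
    """Plain equality lookup: the column's collation decides what 'equal' means."""
    cur = conn.execute(
        "SELECT username FROM social_auth WHERE provider = ? AND uid = ?",
        (provider, uid),
    )
    return [row[0] for row in cur.fetchall()]


def lookup_user_strict(conn: sqlite3.Connection, provider: str, uid: str):
    """Hardened lookup: re-check the stored uid byte-for-byte in Python so a
    lenient database collation cannot map one provider ID onto another account.
    Returns the single exact match, or None when there is none or it is ambiguous."""
    cur = conn.execute(
        "SELECT uid, username FROM social_auth WHERE provider = ? AND uid = ?",
        (provider, uid),
    )
    exact = [name for stored_uid, name in cur.fetchall() if stored_uid == uid]
    return exact[0] if len(exact) == 1 else None


if __name__ == "__main__":
    lenient, strict = build_db("NOCASE"), build_db("BINARY")
    print("NOCASE  :", lookup_users(lenient, "github", "alicedev"))   # ['alice']  (wrong account)
    print("BINARY  :", lookup_users(strict, "github", "alicedev"))    # []
    print("re-check:", lookup_user_strict(lenient, "github", "alicedev"))  # None
```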