
[Security] Bump Django to 3.0.1 #101

Merged: 1 commit merged into master from security-bump-django-version on Dec 19, 2019

Conversation

phacks (Contributor) commented Dec 19, 2019

PR Checklist

Please check if your PR fulfills the following requirements:

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting)
  • Refactoring (no functional changes)
  • Documentation content changes

Other information

This bump fixes CVE-2019-19844:

Django's password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this typically involves explicit or implicit case transformations, an attacker who knows the email address associated with a user account can craft an email address which is distinct from the address associated with that account, but which -- due to the behavior of Unicode case transformations -- ceases to be distinct after case transformation, or which will otherwise compare equal given database case-transformation or collation behavior. In such a situation, the attacker can receive a valid password-reset token for the user account.

Source: https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
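The lookup weakness the quoted advisory describes, beside the corresponding mitigation pattern, as an added Python example (not code from this PR or from Django). The user table and e-mail addresses are constructed, a lenient database collation is simulated with an accent- and case-insensitive key, and the hardened variant re-checks equality in Python after NFKC normalisation and casefolding and delivers the reset token only to the address on file, never to the submitted string.

```python
"""Added example (not code from the PR or from Django): simulates the
password-reset account lookup pattern CVE-2019-19844 describes, and a
hardened variant. All data below is constructed for illustration."""
import unicodedata

# Constructed sample user store: stored e-mail and active flag.
USERS = [
    {"email": "kate@example.org", "is_active": True},
    {"email": "bob@example.org", "is_active": True},
]


def db_ci_match(a: str, b: str) -> bool:
    """Stand-in for a lenient database case-insensitive comparison.

    Real collations differ; this approximation is accent-insensitive and
    case-insensitive (several MySQL *_general_ci collations behave this
    way) so that it is looser than Python's own casefold(), which is what
    lets two distinct strings select the same account.
    """
    def key(s: str) -> str:
        decomposed = unicodedata.normalize("NFKD", s)
        stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
        return stripped.casefold()
    return key(a) == key(b)


def find_users_by_email(submitted: str):
    """The case-insensitive query both variants start from."""
    return [u for u in USERS if u["is_active"] and db_ci_match(u["email"], submitted)]


def naive_reset(submitted: str):
    """Vulnerable pattern: trust the database match and send the token to
    the *submitted* address. Returns (matched account, delivery address)."""
    return [(u["email"], submitted) for u in find_users_by_email(submitted)]


def _unicode_ci_compare(s1: str, s2: str) -> bool:
    """Python-side equality check after NFKC normalisation and casefolding,
    independent of whatever collation rules the database applied."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def hardened_reset(submitted: str):
    """Hardened pattern: same query, but (1) re-check the match in Python and
    (2) always deliver to the stored address, never to the submitted one."""
    matched = [u for u in find_users_by_email(submitted)
               if _unicode_ci_compare(submitted, u["email"])]
    return [(u["email"], u["email"]) for u in matched]


if __name__ == "__main__":
    # Kelvin sign (U+212A) folds to ASCII 'k' under every layer: the naive
    # variant would mail the token to the submitted string, the hardened
    # one only to the address on file.
    kelvin = "\u212aate@example.org"
    print("naive   :", naive_reset(kelvin))
    print("hardened:", hardened_reset(kelvin))
    # An accented form only the lenient collation collapses: the hardened
    # variant's Python-side check rejects it outright.
    accented = "k\u00e1te@example.org"
    print("naive   :", naive_reset(accented))
    print("hardened:", hardened_reset(accented))
```

Sending the token to the stored address is the guard that matters most: even where the database and Python disagree about which strings are "equal", the reset link never reaches an address the requester typed in.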

@phacks phacks self-assigned this Dec 19, 2019
@phacks phacks added the dependencies Pull requests that update a dependency file label Dec 19, 2019
@phacks phacks temporarily deployed to falco-security-bump-dja-diazdk December 19, 2019 13:46 Inactive
@phacks phacks merged commit 1fe3d8a into master Dec 19, 2019
@phacks phacks deleted the security-bump-django-version branch December 19, 2019 13:56