Cumulative fixes in Django 1.11.34

Since the last official release of Django version 1.11 with 1.11.29 on 2020-03-04, CodeStasis fixes the following issues:

• CVE 2020-13596

  Possible XSS via admin ForeignKeyRawIdWidget

• CVE 2020-13254

  Potential data leakage via malformed memcached keys

• CVE 2020-24584

  Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

• CVE 2020-24583

  Incorrect permissions on intermediate-level directories on Python 3.7+

• 31921

  Mode argument no longer affects file permission bits of newly-created intermediate-level directories

• CVE 2021-3281

  Directory-traversal via an archive with absolute paths or relative paths with dot segments

• CVE 2021-23336

  Web cache poisoning via django.utils.http.limited_parse_qsl()

• CVE 2021-28658

  MultiPartParser allows directory-traversal via uploaded files with suitably crafted file names

• CVE-2020-11022 and CVE-2020-11023

  Passing HTML from untrusted sources — even after sanitizing — to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code

CodeStasis extends support for old versions of Django with backported security patches and fixes, because sometimes you can't upgrade.

See CodeStasis Pricing

Read the 1.11 release announcement