Cumulative fixes in Django 1.11.34
Since the last official release of Django version 1.11 with 1.11.29 on 2020-03-04, CodeStasis fixes the following issues:
- CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
- CVE-2020-13254: Potential data leakage via malformed memcached keys
- CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
- CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
- 31921: Mode argument no longer affects file permission bits of newly-created intermediate-level directories
- CVE-2021-3281: Directory traversal via an archive with absolute paths or relative paths with dot segments
- CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()
- CVE-2021-28658: MultiPartParser allows directory traversal via uploaded files with suitably crafted file names
- CVE-2020-11022 and CVE-2020-11023: Passing HTML from untrusted sources, even after sanitizing, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code
CodeStasis extends support for old versions of Django with backported security patches and fixes, because sometimes you can't upgrade.