Date: Tue, 4 Feb 2020 18:17:29 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r525230 - head/security/vuxml Message-ID: <202002041817.014IHTgQ009907@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Tue Feb 4 18:17:28 2020 New Revision: 525230 URL: https://svnweb.freebsd.org/changeset/ports/525230 Log: Document Django vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Feb 4 18:17:22 2020 (r525229) +++ head/security/vuxml/vuln.xml Tue Feb 4 18:17:28 2020 (r525230) @@ -58,6 +58,57 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="5a45649a-4777-11ea-bdec-08002728f74c"> + <topic>Django -- potential SQL injection vulnerability</topic> + <affects> + <package> + <name>py27-django111</name> + <name>py35-django111</name> + <name>py36-django111</name> + <name>py37-django111</name> + <name>py38-django111</name> + <range><lt>1.11.28</lt></range> + </package> + <package> + <name>py35-django22</name> + <name>py36-django22</name> + <name>py37-django22</name> + <name>py38-django22</name> + <range><lt>2.2.10</lt></range> + </package> + <package> + <name>py36-django30</name> + <name>py37-django30</name> + <name>py38-django30</name> + <range><lt>3.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>MITRE CVE reports:</p> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471"> + <p>Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 + allows SQL Injection if untrusted data is used as a StringAgg delimiter + (e.g., in Django applications that offer downloads of data as a series + of rows with a user-specified column delimiter). By passing a suitably + crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, + it was possible to break escaping and inject malicious SQL.</p> + </blockquote> + </body> + </description> + <references> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471</url> + <url>https://docs.djangoproject.com/en/1.11/releases/1.11.28/</url> + <url>https://docs.djangoproject.com/en/2.2/releases/2.2.10/</url> + <url>https://docs.djangoproject.com/en/3.0/releases/3.0.3/</url> + <cvename>CVE-2020-7471</cvename> + </references> + <dates> + <discovery>2020-02-03</discovery> + <entry>2020-02-04</entry> + </dates> + </vuln> + <vuln vid="cb0183bb-45f6-11ea-a1c7-b499baebfeaf"> <topic>MariaDB -- Vulnerability in C API</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202002041817.014IHTgQ009907>