diff options
| author | Stefan Ghinea <stefan.ghinea@windriver.com> | 2021-04-16 18:24:17 +0300 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2021-04-21 08:26:07 -0700 |
| commit | 660e62b64531df16c616668747a68b9a62774fbf (patch) | |
| tree | 1ebc8c7e39002050ea60485057349197f6a51a1b /meta-python/recipes-devtools/python/python3-django_2.2.16.bb | |
| parent | 19f34ae20712a76a20c1acfc92920bde85ec4b18 (diff) | |
| download | meta-openembedded-660e62b64531df16c616668747a68b9a62774fbf.tar.gz | |
python3-django: fix CVE-2021-28658
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8,
MultiPartParser allowed directory traversal via uploaded files with
suitably crafted file names. Built-in upload handlers were not affected
by this vulnerability.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-28658
Upstream patches:
https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-django_2.2.16.bb')
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-django_2.2.16.bb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.16.bb b/meta-python/recipes-devtools/python/python3-django_2.2.16.bb index 0715abbd4c..eb626e8d3f 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.16.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.16.bb | |||
| @@ -7,3 +7,5 @@ SRC_URI[sha256sum] = "62cf45e5ee425c52e411c0742e641a6588b7e8af0d2c274a27940931b2 | |||
| 7 | RDEPENDS_${PN} += "\ | 7 | RDEPENDS_${PN} += "\ |
| 8 | ${PYTHON_PN}-sqlparse \ | 8 | ${PYTHON_PN}-sqlparse \ |
| 9 | " | 9 | " |
| 10 | SRC_URI += "file://CVE-2021-28658.patch \ | ||
| 11 | " | ||