svn commit: r537897 - head/security/vuxml
Wen Heping
wen at FreeBSD.org
Thu Jun 4 14:25:14 UTC 2020
Author: wen
Date: Thu Jun 4 14:25:13 2020
New Revision: 537897
URL: https://svnweb.freebsd.org/changeset/ports/537897
Log:
- Document Django multiple vulnerabilities
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Jun 4 13:59:06 2020 (r537896)
+++ head/security/vuxml/vuln.xml Thu Jun 4 14:25:13 2020 (r537897)
@@ -58,6 +58,49 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="597d02ce-a66c-11ea-af32-080027846a02">
+ <topic>Django -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>py36-django22</name>
+ <name>py37-django22</name>
+ <name>py38-django22</name>
+ <range><lt>2.2.13</lt></range>
+ </package>
+ <package>
+ <name>py36-django22</name>
+ <name>py37-django22</name>
+ <name>py38-django22</name>
+ <range><lt>3.0.7</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Django security release reports:</p>
+ <blockquote cite="https://www.djangoproject.com/weblog/2020/jun/03/security-releases/">
+ <p>CVE-2020-13254: Potential data leakage via malformed memcached keys</p>
+ <p>In cases where a memcached backend does not perform key validation, passing
+ malformed cache keys could result in a key collision, and potential data leakage.
+ In order to avoid this vulnerability, key validation is added to the memcached
+ cache backends.</p>
+ <p>CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget</p>
+ <p>Query parameters for the admin ForeignKeyRawIdWidget were not properly URL
+ encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query
+ parameters are correctly URL encoded.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.djangoproject.com/weblog/2020/jun/03/security-releases/</url>
+ <cvename>CVE-2020-13254</cvename>
+ <cvename>CVE-2020-13596</cvename>
+ </references>
+ <dates>
+ <discovery>2020-06-01</discovery>
+ <entry>2020-06-04</entry>
+ </dates>
+ </vuln>
+
<vuln vid="ced2d47e-8469-11ea-a283-b42e99a1b9c3">
<topic>malicious URLs may present credentials to wrong server</topic>
<affects>
More information about the svn-ports-all
mailing list