[Buildroot] [PATCH] package/python-django: security bump to version 3.0.1
Peter Korsgaard
peter at korsgaard.com
Wed Dec 25 19:58:25 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security vulnerability:
> - CVE-2019-19844: Potential account hijack via password reset form
> By submitting a suitably crafted email address making use of Unicode
> characters, that compared equal to an existing user email when lower-cased
> for comparison, an attacker could be sent a password reset token for the
> matched account
> In addition, a number of bugs have been fixed. For details, see the release
> notes:
> https://docs.djangoproject.com/en/dev/releases/3.0.1/
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Instead of cherry-picking this commit, I have instead bumped 2019.02.x
and 2019.11.x to 2.2.9, which contains the same fix (and 2.2.x is an LTS
release, 2.1.x is now EOL).
--
Bye, Peter Korsgaard
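
An added illustration of the CVE-2019-19844 issue described in the quoted commit message (not part of the original mail, and not Buildroot's or Django's code): a password-reset lookup that mails the submitted address next to one that mails only the address stored on the matched account. The user store, the function names and the sample addresses are constructed for this sketch.

```python
import unicodedata

# Constructed sample account store; stands in for the user table.
USERS = [{"id": 1, "email": "mike@example.org"}]


def naive_recipients(submitted):
    """'Before' behaviour: match on lower-cased text, then mail the
    address that was typed into the form."""
    return [submitted for u in USERS
            if u["email"].lower() == submitted.lower()]


def _fold(s):
    # NFKC maps compatibility characters to their plain form and
    # casefold() is the Unicode-aware case-insensitive key.
    return unicodedata.normalize("NFKC", s).casefold()


def safe_recipients(submitted):
    """Hardened: compare on the folded form, but whatever matched,
    mail only the address stored on the account."""
    return [u["email"] for u in USERS
            if _fold(u["email"]) == _fold(submitted)]


def flag_lookalike(submitted):
    """Detection aid: True when a non-ASCII submission matched an
    account whose stored address is plain ASCII (worth logging)."""
    return any(_fold(u["email"]) == _fold(submitted)
               and u["email"].isascii() and not submitted.isascii()
               for u in USERS)


if __name__ == "__main__":
    # Constructed input: U+212A KELVIN SIGN lower-cases to ASCII 'k'.
    crafted = "mi\u212ae@example.org"
    print("naive mails:", naive_recipients(crafted))
    print("safe mails: ", safe_recipients(crafted))
    print("flagged:    ", flag_lookalike(crafted))
```

With the hardened lookup the reset token can only reach the mailbox already on record, so a look-alike submission gains nothing even when it matches.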