| 1234567891011121314151617181920212223242526272829303132333435363738 |
- ===========================
- Django 3.2.11 release notes
- ===========================
- *January 4, 2022*
- Django 3.2.11 fixes one security issue with severity "medium" and two security
- issues with severity "low" in 3.2.10.
- CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator``
- =====================================================================================
- :class:`.UserAttributeSimilarityValidator` incurred significant overhead
- evaluating submitted password that were artificially large in relative to the
- comparison values. On the assumption that access to user registration was
- unrestricted this provided a potential vector for a denial-of-service attack.
- In order to mitigate this issue, relatively long values are now ignored by
- ``UserAttributeSimilarityValidator``.
- This issue has severity "medium" according to the :ref:`Django security policy
- <security-disclosure>`.
- CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
- ================================================================================
- Due to leveraging the Django Template Language's variable resolution logic, the
- :tfilter:`dictsort` template filter was potentially vulnerable to information
- disclosure or unintended method calls, if passed a suitably crafted key.
- In order to avoid this possibility, ``dictsort`` now works with a restricted
- resolution logic, that will not call methods, nor allow indexing on
- dictionaries.
- As a reminder, all untrusted user input should be validated before use.
- This issue has severity "low" according to the :ref:`Django security policy
- <security-disclosure>`.
|
