Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update vulnerable dependencies [SECURITY] #1739

Merged
merged 1 commit into from
Dec 23, 2024
Merged

Update vulnerable dependencies [SECURITY] #1739

merged 1 commit into from
Dec 23, 2024

Conversation

pulumi-renovate[bot]
Copy link
Contributor

@pulumi-renovate pulumi-renovate bot commented Dec 16, 2024
edited
Loading

This PR contains the following updates:

Package Type Update Change
django (changelog) patch ==4.2.16 -> ==4.2.17
next (source) dependencies patch 14.2.10 -> 14.2.15

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Django denial-of-service in django.utils.html.strip_tags()

CVE-2024-53907 / GHSA-8498-2h75-472j

More information

Details

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Django SQL injection in HasKey(lhs, rhs) on Oracle

CVE-2024-53908 / GHSA-m9g8-fxxm-xg86

More information

Details

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Next.js authorization bypass vulnerability

CVE-2024-51479 / GHSA-7gfc-8cq8-jh5f

More information

Details

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example:

  • [Not affected] https://example.com/
  • [Affected] https://example.com/foo
  • [Not affected] https://example.com/foo/bar
Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

django/django (django)

v4.2.17

Compare Source

vercel/next.js (next)

v14.2.15

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • support breadcrumb style catch-all parallel routes #​65063
  • Provide non-dynamic segments to catch-all parallel routes #​65233
  • Fix client reference access causing metadata missing #​70732
  • feat(next/image): add support for decoding prop #​70298
  • feat(next/image): add images.localPatterns config #​70529
  • fix(next/image): handle undefined images.localPatterns config in images-manifest.json
  • fix: Do not omit alt on getImgProps return type, ImgProps #​70608
  • [i18n] Routing fix #​70761
Credits

Huge thanks to @​ztanner, @​agadzik, @​huozhi, @​styfle, @​icyJoseph and @​wyattjoh for helping!

v14.2.14

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix: clone response in first handler to prevent race (#​70082) (#​70649)
  • Respect reexports from metadata API routes (#​70508) (#​70647)
  • Externalize node binary modules for app router (#​70646)
  • Fix revalidateTag() behaviour when invoked in server components (#​70446) (#​70642)
  • Fix prefetch bailout detection for nested loading segments (#​70618)
  • Add missing node modules to externals (#​70382)
  • Feature: next/image: add support for images.remotePatterns.search (#​70302)
Credits

Huge thanks to @​styfle, @​ztanner, @​ijjk, @​huozhi and @​wyattjoh for helping!

v14.2.13

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Fix missing cache-control on SSR app route (#​70265)
  • feat: add polyfill of URL.canParse for browser compatibility (#​70228)
  • Fix vercel og package memory leak (#​70214)
  • Fix startTime error on Android 9 with Chrome 74 (#​67391)
Credits

Huge thanks to @​raeyoung-kim, @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

v14.2.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • update prefetching jsdoc & documentation (#​68047)
  • Ensure we chunk revalidate tag requests (#​70189)
  • (backport) fix(eslint): allow typescript-eslint v8 (#​70090)
  • [ppr] Don't mark RSC requests as /_next/data requests (backport of #​66249) (#​70083)
Credits

Huge thanks to @​alvarlagerlof, @​wyattjoh, @​delbaoliveira, and @​ijjk for helping!

v14.2.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
Credits

Huge thanks to @​huozhi, @​devjiwonchoi, and @​ijjk for helping!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - "every weekday" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@pulumi-renovate pulumi-renovate bot added dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update labels Dec 16, 2024
@pulumi-renovate pulumi-renovate bot enabled auto-merge (squash) December 16, 2024 20:34
@pulumi-renovate pulumi-renovate bot changed the title Update dependency django to v4.2.17 [SECURITY] Update vulnerable dependencies [SECURITY] Dec 18, 2024
@pulumi-renovate pulumi-renovate bot merged commit 87f2e85 into master Dec 23, 2024
42 checks passed
@pulumi-renovate pulumi-renovate bot deleted the renovate/security branch December 23, 2024 17:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pulumi-renovate-approve pulumi-renovate-approve[bot] pulumi-renovate-approve[bot] approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file impact/no-changelog-required This issue doesn't require a CHANGELOG update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants