---
- branch: MAIN
  date: Thu Dec 19 13:40:36 UTC 2019
  files:
  - new: '1.24'
    old: '1.23'
    path: pkgsrc/www/py-django2/Makefile
    pathrev: pkgsrc/www/py-django2/Makefile@1.24
    type: modified
  - new: '1.22'
    old: '1.21'
    path: pkgsrc/www/py-django2/distinfo
    pathrev: pkgsrc/www/py-django2/distinfo@1.22
    type: modified
  id: 20191219T134036Z.643e38325cca8baa145f1453d4734964bdce6071
  log: |
    py-django2: updated to 2.2.9

    Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.

    CVE-2019-19844: Potential account hijack via password reset form

    By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

    In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.

    Bugfixes
    * Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/py-django2'
  unixtime: '1576762836'
  user: adam