---
- branch: MAIN
  date: Sat Jun  5 07:22:03 UTC 2021
  files:
  - new: '1.16'
    old: '1.15'
    path: pkgsrc/www/py-django3/Makefile
    pathrev: pkgsrc/www/py-django3/Makefile@1.16
    type: modified
  - new: '1.16'
    old: '1.15'
    path: pkgsrc/www/py-django3/distinfo
    pathrev: pkgsrc/www/py-django3/distinfo@1.16
    type: modified
  id: 20210605T072203Z.68b3531f9789911549b2a7fa29bcabfaf80ac015
  log: "py-django3: updated to 3.2.4\n\nDjango 3.2.4 fixes two security issues and
    several bugs in 3.2.3.\n\nCVE-2021-33203: Potential directory traversal via admindocs\n\nStaff
    members could use the admindocs TemplateDetailView view to check the existence
    of arbitrary files. Additionally, if (and only if) the default admindocs templates
    have been customized by the developers to also expose the file contents, then
    not only the existence but also the file contents would have been exposed.\n\nAs
    a mitigation, path sanitation is now applied and only files within the template
    root directories can be loaded.\n\nCVE-2021-33571: Possible indeterminate SSRF,
    RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresseså\N¶\n\nURLValidator,
    validate_ipv4_address(), and validate_ipv46_address() didn���t prohibit
    leading zeros in octal literals. If you used such values you could suffer from
    indeterminate SSRF, RFI, and LFI attacks.\n\nvalidate_ipv4_address() and validate_ipv46_address()
    validators were not affected on Python 3.9.5+.\n\nBugfixes\n\nFixed a bug in Django
    3.2 where a final catch-all view in the admin didn���t respect the server-provided
    value of SCRIPT_NAME when redirecting unauthenticated users to the login page\nFixed
    a bug in Django 3.2 where a system check would crash on an abstract model\nPrevented
    unnecessary initialization of unused caches following a regression in Django 3.2\nFixed
    a crash in Django 3.2 that could occur when running mod_wsgi with the recommended
    settings while the Windows colorama library was installed\nFixed a bug in Django
    3.2 that would trigger the auto-reloader for template changes when directory paths
    were specified with strings\nFixed a regression in Django 3.2 that caused a crash
    of auto-reloader with AttributeError, e.g. inside a Conda environment\nFixed a
    regression in Django 3.2 that caused a loss of precision for operations with DecimalField
    on MySQL\n"
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/py-django3'
  unixtime: '1622877723'
  user: adam