7 Jul 2022, 7:56 a.m.
Thanks to Guillermo for the heads-up.
As far as I can tell, neither of these functions is used in the Mailman suite itself. That doesn't mean they aren't used in one of our dependencies, but it does mean that we can't do much about what's installed on your host. You should upgrade if you are using Django 3 or 4. (Not sure we support Django 4.) We will keep a watch on this.
Again, thank you, Guillermo!
Guillermo Hernandez (Oldno7) via Mailman-users writes:
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Django security releases issued: 4.0.6 and 3.2.14
Posted by Mariusz Felisiak on July 4, 2022
CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments
Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value.
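The check the reply above describes, whether Trunc() or Extract() is ever called with a kind/lookup_name that is not a fixed string, automated as a small AST audit. This is an added example, not code from the original thread or from the Mailman or Django projects; it assumes Django's call convention (kind/lookup_name as second positional argument or keyword) and runs on a constructed sample without Django installed.

```python
"""Audit Python source for Trunc()/Extract() calls whose kind / lookup_name
argument is not a string literal (CVE-2022-34265 exposure check).
Added example, not Mailman or Django code; standard library only, so it
runs without Django installed.  The sample source below is constructed."""
import ast

# Django's Trunc()/Extract() take kind / lookup_name as the second
# positional argument or as the keyword named here.  TruncYear,
# ExtractMonth etc. hard-code the value and are not affected.
WATCHED = {"Trunc": "kind", "Extract": "lookup_name"}


def _is_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_dynamic_calls(source, filename="<source>"):
    """Return (filename, line, func) for every Trunc/Extract call whose
    kind/lookup_name argument is anything other than a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in WATCHED:
            continue
        # The watched argument: second positional, or the keyword form.
        arg = node.args[1] if len(node.args) > 1 else None
        for kw in node.keywords:
            if kw.arg == WATCHED[name]:
                arg = kw.value
        if arg is not None and not _is_literal(arg):
            findings.append((filename, node.lineno, name))
    return sorted(findings)


# Constructed sample: a literal (safe) and a dynamic (flagged) call of each.
SAMPLE = '''from django.db.models.functions import Trunc, Extract
qs.annotate(start=Trunc("created", "month"))           # literal: fine
qs.annotate(start=Trunc("created", request.GET["k"]))  # untrusted: flag
qs.annotate(y=Extract("created", lookup_name="year"))   # literal: fine
qs.annotate(y=Extract("created", lookup_name=part))     # dynamic: flag
'''

if __name__ == "__main__":
    for path, line, func in find_dynamic_calls(SAMPLE, "sample.py"):
        print(f"{path}:{line}: {func}() called with non-literal {WATCHED[func]}")
```

A flagged call is not automatically exploitable; it marks the places where the value's origin must be reviewed, or where an allowlist of accepted kinds should be enforced until the host's Django is upgraded.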