https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Django security releases issued: 4.0.6 and 3.2.14Posted by *Mariusz Felisiak* on Julio 4, 2022
In accordance with our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>, the Django team is issuing Django 4.0.6 <https://docs.djangoproject.com/en/dev/releases/4.0.6/> and Django 3.2.14 <https://docs.djangoproject.com/en/dev/releases/3.2.14/>. These release addresses the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2022-34265: Potential SQL injection via Trunc(kind) and
Extract(lookup_name) argumentsTrunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value.
Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
This security release mitigates the issue, but we have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before it's final release. This will impact 3rd party database backends using Django 4.1 release candidate 1 or newer, until they are able to update to the API changes. We apologize for the inconvenience.
Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
This issue has severity "high" according to the Django security policy.
--
Mailman's content filtering has removed the following MIME parts from this message.
Content-Type: image/png Name: firma-GHP-emails.png
Replaced multipart/alternative part with first alternative.