Hi Security Team,
I was just looking at these CVEs for ELTS and LTS, but before I make
a move there, I was just wondering if you were planning on (or would
like) a DSA.
— Chris
> * CVE-2021-45115: Denial-of-service possibility in
> UserAttributeSimilarityValidator [0]
>
> UserAttributeSimilarityValidator incurred significant overhead
> evaluating submitted passwords that were artificially large
> relative to the comparison values. On the assumption that access
> to user registration was unrestricted, this provided a potential
> vector for a denial-of-service attack.
>
> In order to mitigate this issue, relatively long values are now
> ignored by UserAttributeSimilarityValidator.
>
> * CVE-2021-45116: Potential information disclosure in dictsort
> template filter [1]
>
> Due to leveraging the Django Template Language's variable resolution
> logic, the dictsort template filter was potentially vulnerable to
> information disclosure or unintended method calls, if passed a
> suitably crafted key.
>
> In order to avoid this possibility, dictsort now works with
> restricted resolution logic that will not call methods, nor allow
> indexing on dictionaries.
>
> * CVE-2021-45452: Potential directory-traversal via Storage.save() [2]
>
> Storage.save() allowed directory-traversal if directly passed
> suitably crafted file names.
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] 🍥 chris-lamb.co.uk
`-
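As an added illustration of the CVE-2021-45115 mitigation idea (not Django's code and not part of the message above): a similarity-based password validator can bound SequenceMatcher's ratio from the two lengths alone and skip the comparison when the threshold is provably unreachable, which is what makes an artificially long password cheap to reject. The 0.7 threshold, the `user_attributes` dictionary and the function names are assumptions.

```python
"""Length-bound guard for a similarity-based password validator.

Added illustration only; the threshold and the shape of the
user_attributes mapping are assumptions, not Django's API.
"""
from difflib import SequenceMatcher

MAX_SIMILARITY = 0.7  # assumed threshold


def similarity_upper_bound(a: str, b: str) -> float:
    """Largest value SequenceMatcher(a, b).ratio() can take, from lengths alone.

    ratio() is 2*M/(len(a)+len(b)), and the number of matched characters M
    can never exceed the length of the shorter string.
    """
    total = len(a) + len(b)
    if total == 0:
        return 0.0
    return 2 * min(len(a), len(b)) / total


def can_skip(password: str, value: str, max_similarity: float = MAX_SIMILARITY) -> bool:
    """True when the expensive comparison cannot change the verdict.

    A very long password compared with a short attribute (the DoS input
    shape the advisory describes) falls into this branch immediately.
    """
    return similarity_upper_bound(password, value) < max_similarity


def is_too_similar(password: str, value: str, max_similarity: float = MAX_SIMILARITY) -> bool:
    """Return True if the password is too similar to one user attribute value."""
    if not value:
        return False
    a, b = password.lower(), value.lower()
    if can_skip(a, b, max_similarity):
        return False
    # Only now do the real (and comparatively costly) comparison.
    return SequenceMatcher(a=a, b=b).ratio() >= max_similarity


def validate(password: str, user_attributes: dict) -> list:
    """Return the names of the attributes the password is too similar to."""
    return [
        name
        for name, value in user_attributes.items()
        if value and is_too_similar(password, str(value))
    ]


if __name__ == "__main__":
    # Constructed sample input: a short username and a pathologically long password.
    print(validate("alice123", {"username": "alice", "email": "bob@example.test"}))
    print(validate("x" * 200000, {"username": "alice"}))
```

The guard is exact rather than heuristic: when the bound is below the threshold, the full comparison would have returned "not similar" anyway, so skipping it changes cost but not the outcome.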
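As an added example for CVE-2021-45116 (my own code, not Django's and not part of the message above): a permissive sort-key resolver that, like template variable resolution, calls whatever callable it reaches, next to a restricted resolver that only reads attributes, never invokes methods and refuses private names. The `Article` class, the `UnsafeLookup` exception and the underscore rule are assumptions made for the illustration.

```python
"""Restricted key resolution for a dictsort-style template filter.

Added illustration only; Article, UnsafeLookup and the resolver names
are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Article:
    title: str
    views: int
    deleted: bool = False

    def delete(self) -> bool:
        """A side-effecting method that a sort key must never trigger."""
        self.deleted = True
        return True


class UnsafeLookup(Exception):
    """Raised when a sort key would reach something the filter must not touch."""


def resolve_permissive(obj, key: str):
    """Permissive lookup in the spirit of template variable resolution.

    Walks dotted attributes and, like the template engine, calls any
    callable it finds. This is the behaviour the advisory describes as
    the problem: a crafted key can invoke methods as a side effect of sorting.
    """
    for part in key.split("."):
        obj = getattr(obj, part)
        if callable(obj):
            obj = obj()
    return obj


def resolve_restricted(obj, key: str):
    """Restricted lookup: attribute reads only, no calls, no private names."""
    for part in key.split("."):
        if part.startswith("_"):
            raise UnsafeLookup(f"private name {part!r} is not allowed")
        obj = getattr(obj, part)
        if callable(obj):
            raise UnsafeLookup(f"{part!r} is callable; methods are never invoked")
    return obj


def dictsort(items, key: str, resolver=resolve_restricted):
    """Sort items by a dotted key using the given resolver (restricted by default)."""
    return sorted(items, key=lambda item: resolver(item, key))


if __name__ == "__main__":
    # Constructed sample data.
    articles = [Article("beta", 5), Article("alpha", 2)]
    print([a.title for a in dictsort(articles, "views")])
    try:
        dictsort(articles, "delete")
    except UnsafeLookup as exc:
        print("rejected:", exc)
```

Sorting by `views` or `title` works with both resolvers; sorting by `delete` deletes every article under the permissive resolver and is rejected before any call is made under the restricted one.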
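As an added example for CVE-2021-45452 (my own code, not Django's `Storage.save()` and not part of the message above): a storage `save()` that validates the supplied file name before joining it onto the storage root, and then re-checks that the resolved path is still inside the root. The advisory does not describe the fix itself, so the validation rules here (bare file name only, no separators, no `.`/`..`) and the `SuspiciousFileOperation` name are assumptions.

```python
"""Rejecting directory traversal in user-supplied file names for a storage save().

Added illustration only; the validation rules and exception name are
assumptions, not Django's implementation.
"""
import os
import tempfile


class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the storage root."""


def validate_file_name(name: str) -> str:
    """Accept only a bare file name: no directory components, no dot names."""
    if name in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"invalid file name {name!r}")
    if os.path.basename(name) != name or "/" in name or "\\" in name:
        raise SuspiciousFileOperation(f"path components are not allowed in {name!r}")
    return name


def save(storage_root: str, name: str, data: bytes) -> str:
    """Write data under storage_root and return the absolute path written."""
    validate_file_name(name)
    root = os.path.abspath(storage_root)
    target = os.path.abspath(os.path.join(root, name))
    # Second, independent check: the resolved path must stay inside the root.
    if os.path.commonpath([root, target]) != root:
        raise SuspiciousFileOperation(f"{name!r} resolves outside the storage root")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise save() in a temporary root with one good and several crafted names."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        results["report.txt"] = "saved" if os.path.isfile(save(root, "report.txt", b"hi")) else "missing"
        # Constructed traversal and path-component attempts.
        for bad in ("../escape.txt", "sub/report.txt", "..", "", "C:\\report.txt"):
            try:
                save(root, bad, b"x")
                results[bad] = "saved"
            except SuspiciousFileOperation:
                results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

The second check is deliberately redundant with the first: a validator that is later relaxed (or bypassed by a caller that skips it) still cannot write outside the root.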