django/docs/releases/3.2.11.txt

===========================
Django 3.2.11 release notes
===========================

*January 4, 2022*

Django 3.2.11 fixes one security issue with severity "medium" and two security
issues with severity "low" in 3.2.10.

CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator``
=====================================================================================

:class:`.UserAttributeSimilarityValidator` incurred significant overhead
evaluating submitted password that were artificially large in relative to the
comparison values. On the assumption that access to user registration was
unrestricted this provided a potential vector for a denial-of-service attack.

In order to mitigate this issue, relatively long values are now ignored by
``UserAttributeSimilarityValidator``.

This issue has severity "medium" according to the :ref:`Django security policy
<security-disclosure>`.

CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
================================================================================

Due to leveraging the Django Template Language's variable resolution logic, the
:tfilter:`dictsort` template filter was potentially vulnerable to information
disclosure or unintended method calls, if passed a suitably crafted key.

In order to avoid this possibility, ``dictsort`` now works with a restricted
resolution logic, that will not call methods, nor allow indexing on
dictionaries.

As a reminder, all untrusted user input should be validated before use.

This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.

CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
====================================================================

``Storage.save()`` allowed directory-traversal if directly passed suitably
crafted file names.

This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.
Added stub release notes for 4.0.1, 3.2.11, and 2.2.26 releases. 2021-12-27 13:42:14 +00:00			`===========================`
			`Django 3.2.11 release notes`
			`===========================`

			`January 4, 2022`

			`Django 3.2.11 fixes one security issue with severity "medium" and two security`
			`issues with severity "low" in 3.2.10.`

Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator. Thanks Chris Bailey for the report. Co-authored-by: Adam Johnson <me@adamj.eu> 2021-12-27 13:48:03 +00:00			CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator``
			`=====================================================================================`

			:class:`.UserAttributeSimilarityValidator` incurred significant overhead
			`evaluating submitted password that were artificially large in relative to the`
			`comparison values. On the assumption that access to user registration was`
			`unrestricted this provided a potential vector for a denial-of-service attack.`

			`In order to mitigate this issue, relatively long values are now ignored by`
			``UserAttributeSimilarityValidator``.

			This issue has severity "medium" according to the :ref:`Django security policy
			<security-disclosure>`.
Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu> 2021-12-27 13:53:18 +00:00
			CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
			`================================================================================`

			`Due to leveraging the Django Template Language's variable resolution logic, the`
			:tfilter:`dictsort` template filter was potentially vulnerable to information
			`disclosure or unintended method calls, if passed a suitably crafted key.`

			In order to avoid this possibility, ``dictsort`` now works with a restricted
			`resolution logic, that will not call methods, nor allow indexing on`
			`dictionaries.`

			`As a reminder, all untrusted user input should be validated before use.`
Corrected merge error in release notes. 2022-01-04 09:50:23 +00:00
			This issue has severity "low" according to the :ref:`Django security policy
			<security-disclosure>`.

Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. Thanks to Dennis Brinkrolf for the report. 2021-12-17 20:07:50 +00:00			CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
			`====================================================================`

			``Storage.save()`` allowed directory-traversal if directly passed suitably
			`crafted file names.`
Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu> 2021-12-27 13:53:18 +00:00
			This issue has severity "low" according to the :ref:`Django security policy
			<security-disclosure>`.