<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Django: CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Mariusz Felisiak <felisiak.mariusz () gmail com>
Date: Wed, 4 Mar 2020 10:43:59 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the
Django team is issuing `Django 3.0.4
<https://docs.djangoproject.com/en/dev/releases/3.0.4/>`_, `Django
2.2.11 <https://docs.djangoproject.com/en/dev/releases/2.2.11/>`_ and
`Django 1.11.29
<https://docs.djangoproject.com/en/dev/releases/1.11.29/>`_. These
releases address the security issue detailed below. We encourage all
users of Django to upgrade as soon as possible.
CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in
GIS functions and aggregates on Oracle
============================================================================================================
GIS functions and aggregates on Oracle were subject to SQL injection,
using a suitably crafted ``tolerance``.
Thank you to Norbert Szetei for the report.
Affected supported versions
===========================
* Django master branch
* Django 3.0
* Django 2.2
* Django 1.11
Resolution
==========
Patches to resolve the issue have been applied to Django's master branch and
the 3.0, 2.2, and 1.11 release branches. The patches may be obtained
from the following changesets:
* On the `master branch
<https://github.com/django/django/commit/6695d29b1c1ce979725816295a26ecc64ae0e927>`__
* On the `3.0 release branch
<https://github.com/django/django/commit/26a5cf834526e291db00385dd33d319b8271fc4c>`__
* On the `2.2 release branch
<https://github.com/django/django/commit/fe886a3b58a93cfbe8864b485f93cb6d426cd1f2>`__
* On the `1.11 release branch
<https://github.com/django/django/commit/02d97f3c9a88adc890047996e5606180bd1c6166>`__
The following releases have been issued:
* Django 3.0.4 (`download Django 3.0.4
<https://www.djangoproject.com/m/releases/3.0/Django-3.0.4.tar.gz>`_ |
`3.0.4 checksums
<https://www.djangoproject.com/m/pgp/Django-3.0.4.checksum.txt>`_)
* Django 2.2.11 (`download Django 2.2.11
<https://www.djangoproject.com/m/releases/2.2/Django-2.2.11.tar.gz>`_ |
`2.2.11 checksums
<https://www.djangoproject.com/m/pgp/Django-2.2.11.checksum.txt>`_)
* Django 1.11.29 (`download Django 1.11.29
<https://www.djangoproject.com/m/releases/1.11/Django-1.11.29.tar.gz>`_
| `1.11.29 checksums
<https://www.djangoproject.com/m/pgp/Django-1.11.29.checksum.txt>`_)
The PGP key ID used for these releases is Mariusz Felisiak:
2EF56372BA48CD1B.
General notes regarding security reporting
==========================================
As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Django: CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle Mariusz Felisiak (Mar 04)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->