Skip to content

[4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly validate IPv6 and IPvFuture addresses. #18872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 3, 2024
Merged

[4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly validate IPv6 and IPvFuture addresses. #18872

merged 1 commit into from
Dec 3, 2024

Conversation

@felixxm
Copy link
Member

@felixxm felixxm commented Dec 1, 2024

Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk.

python/cpython#103849
https://www.cve.org/cverecord?id=CVE-2024-11168

@felixxm felixxm force-pushed the backport-cpython-103848 branch from 28cf7c3 to 7933946 Compare December 1, 2024 11:51
@felixxm
Copy link
Member Author

felixxm commented Dec 1, 2024

Failures on Python 3.13 are expected since Django 4.2 doesn't support it.

felixxm
felixxm commented Dec 2, 2024
View reviewed changes
@felixxm felixxm force-pushed the backport-cpython-103848 branch from 7933946 to fe8d4ca Compare December 2, 2024 16:23
@felixxm @sarahboyce
[4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to proper…
18dcf92 
…ly validate IPv6 and IPvFuture addresses.

Refs Python CVE-2024-11168. Django should not affected, but others who
incorrectly use internal function _urlsplit() with unsanitized input
could be at risk.

python/cpython#103849
@sarahboyce sarahboyce force-pushed the backport-cpython-103848 branch from fe8d4ca to 18dcf92 Compare December 3, 2024 08:11
sarahboyce
sarahboyce approved these changes Dec 3, 2024
View reviewed changes
Copy link
Contributor

@sarahboyce sarahboyce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this @felixxm

@felixxm
Copy link
Member Author

felixxm commented Dec 3, 2024

Thank you for this @felixxm

Thanks 👍

@sarahboyce sarahboyce merged commit f663277 into django:stable/4.2.x Dec 3, 2024
35 of 43 checks passed
@felixxm felixxm deleted the backport-cpython-103848 branch December 8, 2024 16:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sarahboyce sarahboyce sarahboyce approved these changes

+1 more reviewer

@ngnpope ngnpope ngnpope approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

python-matrix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@felixxm @ngnpope @sarahboyce @nessita