py-django: updated to 4.2.27
Django 4.2.27 fixes one security issue with severity “high”, one security issue with severity “moderate”, and one bug in 4.2.26.
CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
Bugfixes
Fixed a regression in Django 4.2.26 where DisallowedRedirect was raised by HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters. The limit is now 16384 characters.
py-django: updated to 5.2.9
Django 5.2.9 fixes one security issue with severity “high”, one security issue with severity “moderate”, and several bugs in 5.2.8.
CVE-2025-13372: Potential SQL injection in FilteredRelation column aliases on PostgreSQL
FilteredRelation was subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL.
CVE-2025-64460: Potential denial-of-service vulnerability in XML Deserializer
XML Serialization was subject to a potential denial-of-service attack due to quadratic time complexity when deserializing crafted documents containing many nested invalid elements. The internal helper django.core.serializers.xml_serializer.getInnerText() previously accumulated inner text inefficiently during recursion. It now collects text per element, avoiding excessive resource usage.
Bugfixes
Fixed a bug in Django 5.2 where django.utils.feedgenerator.Stylesheet.__str__() did not escape the url, mimetype, and media attributes, potentially leading to invalid XML markup.
Fixed a bug in Django 5.2 on PostgreSQL where bulk_create() did not apply a field’s custom query placeholders.
Fixed a regression in Django 5.2.2 that caused a crash when using aggregate functions with an empty Q filter over a queryset with annotations.
[4 lines not shown]
go: update to 1.24.11 and 1.25.5 (security)
These releases include 2 security fixes following the security policy:
- crypto/x509: excessive resource consumption in printing error string for
host certificate validation
Within HostnameError.Error(), when constructing an error string, there is no
limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string
concatenation, leading to quadratic runtime.
Therefore, a certificate provided by a malicious actor can result in
excessive resource consumption.
HostnameError.Error() now limits the number of hosts and utilizes
strings.Builder when constructing an error string.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
[13 lines not shown]
gam: update to 7.29.01
Changes since 7.19.02:
7.29.01
Added option oneitemperrow to gam <UserTypeEntity> print calendars ... permissions to have each of a calendar's permissions displayed on a separate row with all of the other calendar fields.
Updated gam yubikey reset_piv to handle YubiKey firmware updates that caused an error.
7.29.00
Added options mappermissionsemail <EmailAddress> <EmailAddress> and mappermissionsemailfile <CSVFileInput> endcsv to these commands:
gam [<UserTypeEntity>] copy shareddriveacls <SharedDriveEntity> to <SharedDriveEntity>
gam [<UserTypeEntity>] sync shareddriveacls <SharedDriveEntity> with <SharedDriveEntity>
gam <UserTypeEntity> copy drivefile <DriveFileEntity>
gam <UserTypeEntity> move drivefile <DriveFileEntity>
[318 lines not shown]
Revert the size change of the install ramdisk and instead just remove
a driver from the install kernel. Same ramdisk size as before. Not
sure this platform can have a larger ramdisk size.
py-pip-audit: updated to 2.10.0
2.10.0
Added
pip-audit now supports the --osv-url URL flag, which can be used to
retrieve vulnerabilities from a custom OSV service. This is useful for
organizations that host their own mirror of the OSV database, or that
have custom OSV records
pip-audit now supports the Ecosyste.ms vulnerability service with
--vulnerability-service=esms
Changed
The minimum version of Python is now 3.10
Fixed
[6 lines not shown]
haproxy: updated to 3.3.0
3.3.0
- BUG/MINOR: acme: better challenge_ready processing
- BUG/MINOR: acme: warning ‘ctx’ may be used uninitialized
- MINOR: httpclient: complete the https log
- BUG/MEDIUM: server: do not use default SNI if manually set
- BUG/MINOR: freq_ctr: Prevent possible signed overflow in freq_ctr_overshoot_period
- DOC: ssl: Document the restrictions on 0RTT.
- DOC: ssl: Note that 0rtt works fork QUIC with QuicTLS too.
- BUG/MEDIUM: quic: do not prevent sending if no BE token
- BUG/MINOR: quic/server: free quic_retry_token on srv drop
- MINOR: quic: split global CID tree between FE and BE sides
- MINOR: quic: use separate global quic_conns FE/BE lists
- MINOR: quic: add "clo" filter on show quic
- MINOR: quic: dump backend connections on show quic
- MINOR: quic: mark backend conns on show quic
- BUG/MINOR: quic: fix uninit list on show quic handler
- BUG/MINOR: quic: release BE quic_conn on connect failure
[10 lines not shown]
