
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN106
_____________________________________________________________________

DATE                : 5 March 2020

HARDWARE PLATFORM(S): not applicable

OPERATING SYSTEM(S): Systems running Django versions prior to
                           3.0.4 (3.0 series), 2.2.11 (2.2 series) or
                           1.11.29 (1.11 series).

=====================================================================
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
_____________________________________________________________________

Django security releases issued: 3.0.4, 2.2.11, and 1.11.29
Posted by Mariusz Felisiak on March 4, 2020

In accordance with our security release policy, the Django team is
issuing Django 3.0.4, Django 2.2.11 and Django 1.11.29. These releases
address the security issue detailed below. We encourage all users of
Django to upgrade as soon as possible.


CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS
functions and aggregates on Oracle


GIS functions and aggregates on Oracle were subject to SQL injection,
using a suitably crafted tolerance.


Thank you to Norbert Szetei of Doyensec for the report.

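The bug class behind CVE-2020-9402, shown as an added example that is neither Django's Oracle GIS backend code nor the project's fix: a tolerance value (the keyword that Django's GIS functions and aggregates accept on Oracle) is turned into text and spliced into the statement, so a non-numeric value becomes part of the SQL. The hardened form type-checks the value and binds it as a parameter instead. The SQL text, the `app_place` table, the `GEOM_PARAM` geometry and the `CRAFTED` string are all constructed for illustration; the real template Django emits differs.

```python
# Added illustration of CVE-2020-9402's bug class. This is constructed
# example code; it is neither Django's Oracle GIS backend nor its fix.
from decimal import Decimal

# Placeholder geometry argument (constructed). In real code this would be
# the geometry Django binds for the comparison expression.
GEOM_PARAM = "POINT(2.35 48.85)"

# A tolerance value as a hostile caller might supply it (constructed text,
# not a working payload): anything that is not a number is the problem.
CRAFTED = "0.05) /* attacker-controlled text */ --"


def distance_sql_unsafe(tolerance):
    """Vulnerable pattern: tolerance is converted to text and spliced into
    the statement. A non-numeric value becomes part of the SQL.

    The query text is a constructed stand-in for an Oracle Spatial
    SDO_GEOM.SDO_DISTANCE call; the real template Django emits differs.
    """
    sql = (
        "SELECT SDO_GEOM.SDO_DISTANCE(t.geom, %s, "
        + str(tolerance)
        + ") FROM app_place t"
    )
    return sql, [GEOM_PARAM]


NUMERIC_TYPES = (int, float, Decimal)


def is_valid_tolerance(value):
    """True only for a plain number. bool is rejected explicitly because
    it subclasses int in Python."""
    return isinstance(value, NUMERIC_TYPES) and not isinstance(value, bool)


def check_tolerance(value):
    """Raise TypeError instead of letting a non-number reach the SQL."""
    if not is_valid_tolerance(value):
        raise TypeError(
            "tolerance must be int, float or Decimal, not %s"
            % type(value).__name__
        )
    return value


def distance_sql_safe(tolerance):
    """Hardened form: type-check the value, then pass it as a bind
    parameter (a %s placeholder, as Django's cursor API expects) rather
    than formatting it into the statement."""
    sql = "SELECT SDO_GEOM.SDO_DISTANCE(t.geom, %s, %s) FROM app_place t"
    return sql, [GEOM_PARAM, check_tolerance(tolerance)]


def demo():
    """Run both builders on the crafted value and report
    (spliced_into_sql, rejected_by_hardened_version)."""
    unsafe_sql, _ = distance_sql_unsafe(CRAFTED)
    spliced = CRAFTED in unsafe_sql
    try:
        distance_sql_safe(CRAFTED)
        rejected = False
    except TypeError:
        rejected = True
    return spliced, rejected


if __name__ == "__main__":
    print(distance_sql_unsafe(CRAFTED)[0])
    print(distance_sql_safe(0.05))
    print(demo())
```

Two practical checks follow from this. First, confirm the deployed version with `django.get_version()` and upgrade to 3.0.4, 2.2.11 or 1.11.29 as applicable. Second, on any Django release and any backend, never forward a request-derived value as a GIS `tolerance` without first converting it to a float and rejecting conversion failures; the upgrade fixes the framework-side check, but the application should not rely on a string reaching the ORM in the first place.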

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
=========================================================




