—

PYSEC-2014-3

Details

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / django

Introduced in: 0 Fixed in: 1.4.11

Fix pip install --upgrade 'django>=1.4.11'

References

https://www.djangoproject.com/weblog/2014/apr/21/security/ [ARTICLE]
http://www.ubuntu.com/usn/USN-2169-1 [ADVISORY]
http://rhn.redhat.com/errata/RHSA-2014-0457.html [ADVISORY]
http://www.debian.org/security/2014/dsa-2934 [ADVISORY]
http://rhn.redhat.com/errata/RHSA-2014-0456.html [ADVISORY]
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html [WEB]
http://secunia.com/advisories/61281 [ADVISORY]
https://github.com/advisories/GHSA-wqjj-hx84-v449 [ADVISORY]