chore(deps): update dependency social-auth-app-django to v5 [security]

Open renovate[bot] opened this issue 2 years ago • 0 comments

Mend Renovate

This PR contains the following updates:

Package: social-auth-app-django
Change: ==3.1.0 -> ==5.4.1

GitHub Vulnerability Alerts

CVE-2024-32879

Impact

Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.

Patches

This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and the fix was released in 5.4.1.

Workarounds

An immediate workaround would be to change collation of the affected field:

ALTER TABLE `social_auth_association` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;

References

This issue was discovered by folks at https://opencraft.com/.


Release Notes

python-social-auth/social-app-django (social-auth-app-django)

v5.4.1

Changed
  • Added reverse migration for JSON field
  • Fixed improper handling of case sensitivity with MySQL/MariaDB (CVE-2024-32879)

v5.4.0

Changed
  • Improved JSON field migration performance
  • Introduce configuration to request POST only requests for social authentication
  • Updated list of supported Django and Python versions

v5.3.0

Changed
  • Uses Django native JSON field

v5.2.0

Changed
  • Removed support for Django<3.2
  • Fixed missing migration issue

v5.1.0

Changed
  • Compatibility with recent Django and Python versions
  • Coding style improvements
  • Improved error handling in SocialAuthExceptionMiddleware

v5.0.0

Changed
  • Removed compat shims for obsolete Django versions
  • Switch from deprecated django.conf.urls.url to django.urls.path
  • Use query .exists() instead of .count() > 0
  • Added testing for Django 3.0
  • Drop support for Python 2
  • Django generic JSONField support, details documented here
  • Django 3.2+ compatibility
  • Use _default_manager instead of objects

v4.0.0

Changed
  • Dropped support for older Django versions (1.8, 1.9, 1.10, 2.0)
  • Fix TypeError when continuing a pipeline in Django 2.1

v3.4.0

Changed
  • Correct release mechanism

v3.3.0

Changed
  • Updated release and tests mechanism

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] avatar Apr 24 '24 21:04 renovate[bot]
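To make the CVE-2024-32879 failure mode concrete, here is an added example (not code from social-app-django or the advisory) that reproduces it in SQLite: NOCASE stands in for MySQL's default case-insensitive collation, BINARY for utf8_bin, and the table name, column layout and sample uids are constructed. It also includes an audit helper that lists uids already colliding under case folding, which is the check to run before switching the column to a binary collation.

```python
import sqlite3

# Constructed sample rows (provider, uid). The two "github" uids differ only in case.
SAMPLE_ROWS = [
    ("github", "AbC123"),
    ("github", "abc123"),
    ("google", "user-42"),
]


def build_db(case_insensitive: bool) -> sqlite3.Connection:
    """Create an in-memory table (constructed name) holding provider/uid pairs.

    SQLite's NOCASE collation plays the role of MySQL's default *_ci collation;
    BINARY plays the role of the utf8_bin collation from the advisory's workaround.
    """
    collation = "NOCASE" if case_insensitive else "BINARY"
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE social_uids (provider TEXT, uid TEXT COLLATE {collation})"
    )
    conn.executemany("INSERT INTO social_uids VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup(conn: sqlite3.Connection, provider: str, uid: str) -> list:
    """The kind of lookup an auth pipeline performs: which stored uids match?

    Under a case-insensitive collation this returns more than one row for a
    uid that has a differently-cased sibling, i.e. two identities collide.
    """
    rows = conn.execute(
        "SELECT uid FROM social_uids WHERE provider = ? AND uid = ?", (provider, uid)
    ).fetchall()
    return sorted(r[0] for r in rows)


def find_case_collisions(rows) -> dict:
    """Audit helper: per provider, groups of stored uids that differ only by case.

    Run this over the real table before changing the collation: rows that already
    collide need manual review, since a binary collation makes them distinct.
    """
    groups = {}
    for provider, uid in rows:
        groups.setdefault((provider, uid.casefold()), set()).add(uid)
    return {key: sorted(uids) for key, uids in groups.items() if len(uids) > 1}
```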