Date: Thu, 13 Jun 2024 16:26:47 -0600
From: Peter Sanchez <peter@netlandish.com>
To: ~petersanchez/public-inbox@lists.code.netlandish.com
Subject: Security fix: django-impersonate 1.9.3 release
Message-ID: <t5pgizrp24etpcgo3sdbt2kvtmltwjybjzojg7tknuhpr56ffx@vmsradru5t34>
X-PGP-Key: https://petersanchez.com/publickey.txt
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline

Hi All,

Anyone using django-impersonate versions 1.9.2 and below (which as of
this writing is literally everyone using the app) needs to upgrade as
soon as they can to version 1.9.3, which I just pushed to pypi.

https://pypi.org/project/django-impersonate/1.9.3/

There was an XSS security vulnerability in previous versions. It requires
a specially crafted URL and an authorized user (a user who has access to
impersonate another user) to click on it. It can be used to run JS code
on the authorized user's browser.

Please see the fix commit here:

https://hg.code.netlandish.com/~petersanchez/django-impersonate/rev/06991a735f290884eec08effb3fa31ed45cc26e5

Thanks,

Peter
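Added example, not django-impersonate's own code and not the fix in the commit linked above: a standard-library-only illustration of the bug class the advisory describes, a value taken from a crafted URL being reflected into HTML unescaped so that whoever clicks the link gets attacker-controlled markup rendered in their own session. The view, the `q` query parameter and the URLs are assumptions for the demonstration; the advisory does not say which parameter or view was affected. The hardened variant escapes before interpolating, which is what Django's template autoescaping does by default, and `reflects_unescaped` is the kind of check a project's test suite can run against every view that echoes request data.

```python
"""Reflected-XSS bug class: untrusted URL data copied into HTML unescaped.

Added example, not django-impersonate's code or fix. The ``q`` parameter,
the view functions and the URLs below are hypothetical; only the stdlib
is used, so no Django install is needed to run it.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit


def get_query_param(url: str, name: str) -> str:
    """Return the first value of ``name`` from the URL's query string ('' if absent)."""
    values = parse_qs(urlsplit(url).query).get(name, [])
    return values[0] if values else ""


def render_vulnerable(url: str) -> str:
    """Vulnerable pattern: the request value is concatenated into markup as-is.

    Whatever the link carries in ``q`` becomes part of the page, so a crafted
    URL clicked by a privileged user renders in that user's browser.
    """
    q = get_query_param(url, "q")
    return "<p>Results for: " + q + "</p>"


def render_hardened(url: str) -> str:
    """Hardened pattern: HTML-escape the value before it touches the markup.

    ``quote=True`` also escapes quotes, so the value is safe inside attributes.
    """
    q = get_query_param(url, "q")
    return "<p>Results for: " + escape(q, quote=True) + "</p>"


# Inert probe: plain markup, no script. It only becomes live HTML if the view
# fails to escape it, which is exactly the condition we want to detect.
PROBE = '<b id="xss-probe">probe</b>'


def reflects_unescaped(render, base_url: str) -> bool:
    """Defensive check: does ``render`` echo the probe back as unescaped markup?

    Builds a URL with the probe percent-encoded in ``q`` (as a browser would
    send it) and looks for the raw probe in the rendered page.
    """
    page = render(f"{base_url}?q={quote(PROBE, safe='')}")
    return PROBE in page


if __name__ == "__main__":
    base = "https://example.invalid/search/"  # constructed sample URL
    for name, view in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: reflects unescaped = {reflects_unescaped(view, base)}")
```

The probe deliberately contains no script so the check can run in CI without ever producing something executable; a view that passes `reflects_unescaped` with this marker will also fail to neutralise the real thing, and one that escapes it correctly shows `&lt;b id=&quot;xss-probe&quot;&gt;` in its output instead.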