Date: Thu, 13 Jun 2024 16:26:47 -0600
From: Peter Sanchez
To: ~petersanchez/public-inbox@lists.code.netlandish.com
Subject: Security fix: django-impersonate 1.9.3 release
X-PGP-Key: https://petersanchez.com/publickey.txt

Hi All,

Anyone using django-impersonate versions 1.9.2 and below (which as of this writing is literally everyone using the app) needs to upgrade as soon as they can to version 1.9.3, which I just pushed to PyPI.

https://pypi.org/project/django-impersonate/1.9.3/

There was an XSS security vulnerability in previous versions. It requires a specially crafted URL and an authorized user (a user who has access to impersonate another user) to click on it. It can be used to run JS code on the authorized user's browser.

Please see the fix commit here:

https://hg.code.netlandish.com/~petersanchez/django-impersonate/rev/06991a735f290884eec08effb3fa31ed45cc26e5

Thanks,

Peter
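A small dependency check for the upgrade the note asks for, added here as an example (not code from the project or from the message): it scans a `pip freeze` or requirements.txt listing for `django-impersonate` pins at or below 1.9.2. The sample listing is constructed, and the version parser assumes plain dotted release numbers like the ones the project publishes.

```python
import re
from typing import List, Tuple

# Threshold from the advisory: 1.9.2 and below are affected, 1.9.3 carries the fix.
FIXED_VERSION = "1.9.3"
PACKAGE = "django-impersonate"

# Matches "name==version" at the start of a line; trailing comments are ignored.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted release version ("1.9.2") into a comparable tuple.
    Pre-release or local suffixes are not handled (assumption: plain pins only)."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the given version is older than the fixed 1.9.3 release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def affected_pins(requirements: str) -> List[str]:
    """Return every django-impersonate version pinned in the text that still needs
    the upgrade. Lines for other packages, comments and unpinned specs are skipped."""
    found = []
    for line in requirements.splitlines():
        m = _PIN.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        if is_affected(m.group(2)):
            found.append(m.group(2))
    return found


# Constructed sample of `pip freeze` output, not taken from any real project.
SAMPLE_FREEZE = """\
# constructed sample
Django==4.2.13
django-impersonate==1.9.2
django_impersonate==1.9.3   # alternate spelling, already fixed
requests>=2.31   # unpinned, different package
"""

if __name__ == "__main__":
    print("needs upgrade:", affected_pins(SAMPLE_FREEZE))  # → ['1.9.2']
```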