Vulnerability in the Django web framework allowing SQL injection

Corrective releases of the Django web framework, 4.0.6 and 3.2.14, have been published. They fix a vulnerability (CVE-2022-34265) that could allow injection of arbitrary SQL code. The issue affects applications that pass unvalidated external data in the kind and lookup_name parameters of the Trunc(kind) and Extract(lookup_name) functions. Applications that allow only validated values in lookup_name and kind are not affected.

The vulnerability was fixed by prohibiting any characters other than letters, digits, "-", "_", "(" and ")" in the arguments of the Extract and Trunc functions. Previously, single quotes in the passed values were not escaped, which made it possible to inject SQL code by passing values such as "day' FROM start_datetime)) OR 1=1;--" and "year', start_datetime)) OR 1=1;--". The next release, 4.1, is planned to further harden the date extraction and truncation functions, but the resulting API change will break compatibility with third-party database backends.
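The two layers of defence described above, as an added example that is not code from the Django project or from the article: the character rule the fix introduced, and the stricter application-level allowlist (only lookup names and truncation kinds that Extract and Trunc actually understand) that keeps an application unaffected even before upgrading. The regex and the allowlist sets are this example's own rendering of those rules.

```python
import re

# Character rule described in the advisory: only letters, digits, "-", "_",
# "(" and ")" may appear in an Extract/Trunc argument. This regex is the
# example's own rendering of that rule, not Django's source.
_ALLOWED_CHARS = re.compile(r"[A-Za-z0-9\-_()]+")

# Application-level allowlist, built from the names Django's Extract*/Trunc*
# subclasses use. Rejecting everything else is the mitigation the advisory
# describes for applications that only accept validated values.
KNOWN_EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})
KNOWN_TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day", "hour", "minute", "second",
})


def has_only_allowed_chars(value: str) -> bool:
    """Framework-level check: does value use only the permitted characters?"""
    return _ALLOWED_CHARS.fullmatch(value) is not None


def is_safe_lookup_name(value, allowed=KNOWN_EXTRACT_LOOKUPS) -> bool:
    """True only if value passes both the character rule and the allowlist."""
    return (isinstance(value, str)
            and has_only_allowed_chars(value)
            and value in allowed)


def validated_lookup_name(value, allowed=KNOWN_EXTRACT_LOOKUPS) -> str:
    """Return value unchanged if it is safe to pass as Extract(lookup_name=...);
    raise ValueError otherwise. Call this on request data before it reaches
    the ORM, e.g. lookup_name = validated_lookup_name(request.GET["part"])."""
    if not is_safe_lookup_name(value, allowed):
        raise ValueError(f"rejected lookup name: {value!r}")
    return value


def validated_trunc_kind(value) -> str:
    """Same check for the kind argument of Trunc(kind=...)."""
    return validated_lookup_name(value, KNOWN_TRUNC_KINDS)
```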

Source: opennet.ru
