py-django: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle (CVE-2020-9402)
A flaw was found in Django: GIS functions and aggregates on Oracle were subject to SQL injection through a suitably crafted tolerance.
Fixed In Version:
Django 1.11.29
References:
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
- https://www.openwall.com/lists/oss-security/2020/03/04/1
Affected branches:
Edited by Leo
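
The bug class described above, as an added example that is not Django's code or part of the original report: a simplified model in which a tolerance is formatted into the SQL text, beside a version that type-checks it and passes it as a bind parameter. The template, the `geom` column, the 0.05 default and all Python function names are assumptions made for illustration.

```python
import math
from decimal import Decimal
from numbers import Real

# Hypothetical template modelled on an Oracle spatial aggregate call.
TEMPLATE = "{function}(SDOAGGRTYPE({column}, {tolerance}))"
# Constructed sample input: any text that is not a plain number.
CONSTRUCTED_INPUT = "0.05)) <constructed non-numeric text>"


def render_interpolated(function, column, tolerance):
    """Flawed pattern: the tolerance is formatted straight into the SQL text."""
    return TEMPLATE.format(function=function, column=column, tolerance=tolerance)


def checked_tolerance(value):
    """Accept only finite real numbers; strings, bools and None are rejected."""
    if isinstance(value, bool) or not isinstance(value, (Real, Decimal)):
        raise TypeError("tolerance must be a number, got %r" % type(value).__name__)
    number = float(value)
    if not math.isfinite(number):
        raise ValueError("tolerance must be finite")
    return number


def render_bound(function, column, tolerance):
    """Hardened pattern: type-check, then hand the value over as a bind parameter."""
    sql = TEMPLATE.format(function=function, column=column, tolerance="%s")
    return sql, [checked_tolerance(tolerance)]


def tolerance_from_request(raw, default=0.05):
    """Caller-side guard for text input (query string, form field)."""
    if raw is None or raw == "":
        return default  # default value is an assumption of this example
    try:
        return checked_tolerance(float(raw))
    except ValueError:
        raise ValueError("tolerance is not a valid number") from None


def demo():
    unsafe_sql = render_interpolated("SDO_AGGR_UNION", "geom", CONSTRUCTED_INPUT)
    safe_sql, params = render_bound("SDO_AGGR_UNION", "geom", 0.05)
    return unsafe_sql, safe_sql, params


if __name__ == "__main__":
    print(demo())
```

In the interpolated form the constructed text becomes part of the statement, while the bound form keeps the SQL text constant and rejects anything that is not a number before the query is built.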