openSUSE-SU-2023:0005-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0005-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2023:0005-1
Related
Published
2023-01-03T11:02:47Z
Modified
2023-01-03T11:02:47Z
Summary
Security update for python-Django
Details

This update for python-Django fixes the following issues:

  • CVE-2022-41323: Fixed potential denial-of-service vulnerability in internationalized URLs (boo#1203793)
  • CVE-2022-36359: Fixed a potential reflected file download vulnerability in FileResponse (boo#1201923)

  • Update from 2.2.12 to 2.2.28 (boo#1198297)

    • Many CVEs fixes (check https://github.com/django/django/blob/main/docs/releases/)

    2.2.28:

    • CVE-2022-28346: Fixed potential SQL injection in QuerySet.annotate(), aggregate(), and extra() (bsc#1198398)
    • CVE-2022-28347: Fixed potential SQL injection via QuerySet.explain(**options) (bsc#1198399)

    2.2.27:

    • CVE-2022-22818: Fixed possible XSS via {% debug %} template tag (bsc#1195086)
    • CVE-2022-23833: Fixed denial-of-service possibility in file uploads (bsc#1195088)

    2.2.26:

    • CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator (bsc#1194115)
    • CVE-2021-45116: Potential information disclosure in dictsort template filter (bsc#1194117)
    • CVE-2021-45452: Potential directory-traversal via Storage.save() (bsc#)

    2.2.25:

    • CVE-2021-44420: Potential bypass of an upstream access control based on URL paths (bsc#1193240)

    2.2.24:

    • CVE-2021-33203: Potential directory traversal via admindocs
    • CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

    2.2.23:

    • regression fix

    2.2.22:

    • CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
References

Affected packages

SUSE:Package Hub 15 SP3 / python-Django

Package

Name
python-Django
Purl
purl:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.2.28-bp153.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "python3-Django": "2.2.28-bp153.2.3.1"
        }
    ]
}

openSUSE:Leap 15.3 / python-Django

Package

Name
python-Django
Purl
purl:rpm/suse/python-Django&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.2.28-bp153.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "python3-Django": "2.2.28-bp153.2.3.1"
        }
    ]
}