openSUSE-SU-2023:0005-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0005-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/openSUSE-SU-2023:0005-1
- Related
- Published
- 2023-01-03T11:02:47Z
- Modified
- 2023-01-03T11:02:47Z
- Summary
- Security update for python-Django
- Details
-
This update for python-Django fixes the following issues:
- CVE-2022-41323: Fixed potential denial-of-service vulnerability in internationalized URLs (boo#1203793)
CVE-2022-36359: Fixed a potential reflected file download vulnerability in FileResponse (boo#1201923)
Update from 2.2.12 to 2.2.28 (boo#1198297)
- Many CVEs fixes (check https://github.com/django/django/blob/main/docs/releases/)
2.2.28:
- CVE-2022-28346: Fixed potential SQL injection in QuerySet.annotate(), aggregate(), and extra() (bsc#1198398)
- CVE-2022-28347: Fixed potential SQL injection via QuerySet.explain(**options) (bsc#1198399)
2.2.27:
- CVE-2022-22818: Fixed possible XSS via
{% debug %}template tag (bsc#1195086) - CVE-2022-23833: Fixed denial-of-service possibility in file uploads (bsc#1195088)
2.2.26:
- CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator(bsc#1194115) - CVE-2021-45116: Potential information disclosure in
dictsorttemplate filter (bsc#1194117) - CVE-2021-45452: Potential directory-traversal via
Storage.save()(bsc#)
2.2.25:
- CVE-2021-44420: Potential bypass of an upstream access control based on URL paths (bsc#1193240)
2.2.24:
- CVE-2021-33203: Potential directory traversal via
admindocs - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
2.2.23:
- regression fix
2.2.22:
- CVE-2021-32052: Header injection possibility since
URLValidatoraccepted newlines in input on Python 3.9.5+
- References
-
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UHF5IZKTZ2T4T4QQYZMUFHW422X3WCU6/
- https://bugzilla.suse.com/1185713
- https://bugzilla.suse.com/1186608
- https://bugzilla.suse.com/1186611
- https://bugzilla.suse.com/1193240
- https://bugzilla.suse.com/1194115
- https://bugzilla.suse.com/1194116
- https://bugzilla.suse.com/1194117
- https://bugzilla.suse.com/1195086
- https://bugzilla.suse.com/1195088
- https://bugzilla.suse.com/1198297
- https://bugzilla.suse.com/1198398
- https://bugzilla.suse.com/1198399
- https://bugzilla.suse.com/1201923
- https://bugzilla.suse.com/1203793
- https://www.suse.com/security/cve/CVE-2021-32052
- https://www.suse.com/security/cve/CVE-2021-33203
- https://www.suse.com/security/cve/CVE-2021-33571
- https://www.suse.com/security/cve/CVE-2021-44420
- https://www.suse.com/security/cve/CVE-2021-45115
- https://www.suse.com/security/cve/CVE-2021-45116
- https://www.suse.com/security/cve/CVE-2021-45452
- https://www.suse.com/security/cve/CVE-2022-22818
- https://www.suse.com/security/cve/CVE-2022-23833
- https://www.suse.com/security/cve/CVE-2022-28346
- https://www.suse.com/security/cve/CVE-2022-28347
- https://www.suse.com/security/cve/CVE-2022-36359
- https://www.suse.com/security/cve/CVE-2022-41323
Affected packages
SUSE:Package Hub 15 SP3 / python-Django
Package
- Name
- python-Django
- Purl
- purl:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP3