Description
Security update for python-Django
This update for python-Django fixes the following issues:
- CVE-2024-38875: Fixed potential denial-of-service attack via certain inputs with a very large number of brackets (bsc#1227590)
- CVE-2024-39329: Fixed username enumeration through timing difference for users with unusable passwords (bsc#1227593)
- CVE-2024-39330: Fixed potential directory traversal in django.core.files.storage.Storage.save() (bsc#1227594)
- CVE-2024-39614: Fixed potential denial-of-service through django.utils.translation.get_supported_language_variant() (bsc#1227595)
- CVE-2023-23969: Fixed potential denial-of-service via Accept-Language headers (bsc#1207565)
Package list
openSUSE Leap 15.5
Links
- Link for SUSE-SU-2024:2545-1
- E-Mail link for SUSE-SU-2024:2545-1
- SUSE Security Ratings
- SUSE Bug 1207565
- SUSE Bug 1227590
- SUSE Bug 1227593
- SUSE Bug 1227594
- SUSE Bug 1227595
- SUSE CVE CVE-2023-23969 page
- SUSE CVE CVE-2024-38875 page
- SUSE CVE CVE-2024-39329 page
- SUSE CVE CVE-2024-39330 page
- SUSE CVE CVE-2024-39614 page
Description
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Affected products
Links
- CVE-2023-23969
- SUSE Bug 1207565
Description
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
Affected products
Links
- CVE-2024-38875
- SUSE Bug 1227590
Description
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
Affected products
Links
- CVE-2024-39329
- SUSE Bug 1227590
- SUSE Bug 1227593
Description
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
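Added illustration (not code from the advisory or from Django itself) of the pattern the CVE text describes: a custom storage whose generate_filename() override returns the caller-supplied name untouched, and a save() that re-applies path validation before building the on-disk path. The validate_file_name() function below is a stand-alone re-implementation of the checks a fixed Storage.save() performs, written from memory; the UnsafeStorage and SafeStorage class names and the /srv/media location are hypothetical.

```python
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Raised when a generated file name could escape the storage location."""


def validate_file_name(name, allow_relative_path=False):
    """Reject empty/dot names, absolute paths and '..' segments (assumed to
    mirror the validation the parent Storage class applies during save())."""
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        # Treat the name as a POSIX path so backslash separators cannot hide segments.
        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


class UnsafeStorage:
    """Hypothetical subclass: generate_filename() drops the parent's validation."""

    def __init__(self, location):
        self.location = os.path.abspath(location)

    def generate_filename(self, filename):
        return filename  # caller-controlled name passed through unchanged

    def save(self, name):
        # No validation: the joined path is whatever generate_filename() returned.
        return os.path.normpath(os.path.join(self.location, self.generate_filename(name)))


class SafeStorage(UnsafeStorage):
    """Same override, but save() validates the generated name and the final path."""

    def save(self, name):
        generated = validate_file_name(self.generate_filename(name), allow_relative_path=True)
        full = os.path.normpath(os.path.join(self.location, generated))
        # Defence in depth: the resolved path must still sit under the storage root.
        if os.path.commonpath([self.location, full]) != self.location:
            raise SuspiciousFileOperation(f"{name!r} resolves outside {self.location!r}")
        return full


def stays_inside(location, path):
    """True when path is located under location (used to compare both storages)."""
    location = os.path.abspath(location)
    return os.path.commonpath([location, os.path.normpath(path)]) == location
```

Comparing the two classes on the same constructed names shows that the validation, not the override itself, is what keeps saved files under the storage root.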
Affected products
Links
- CVE-2024-39330
- SUSE Bug 1227590
- SUSE Bug 1227594
Description
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
Affected products
Links
- CVE-2024-39614
- SUSE Bug 1227590
- SUSE Bug 1227595