SUSE-SU-2024:2577-1

Published: 22 Jul 2024
Source: suse-cvrf

Description

Security update for python-Django

This update for python-Django fixes the following issues:

  • CVE-2024-38875: Fixed potential denial-of-service attack via certain inputs with a very large number of brackets (bsc#1227590)
  • CVE-2024-39329: Fixed username enumeration through timing difference for users with unusable passwords (bsc#1227593)
  • CVE-2024-39330: Fixed potential directory traversal in django.core.files.storage.Storage.save() (bsc#1227594)
  • CVE-2024-39614: Fixed potential denial-of-service through django.utils.translation.get_supported_language_variant() (bsc#1227595)

Package list

SUSE Linux Enterprise Module for Package Hub 15 SP6: python311-Django-4.2.11-150600.3.3.1
openSUSE Leap 15.6: python311-Django-4.2.11-150600.3.3.1

Description (CVE-2024-38875)

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.


Affected products
SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.3.1
openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.3.1

Links

Description (CVE-2024-39329)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
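The timing difference described above, shown as an added defender-side illustration that is not part of this advisory or of Django itself: a plain-Python stand-in for the `authenticate()` / `check_password()` contract, using PBKDF2 from `hashlib`, with a hasher-call counter so the two code paths can be compared without measuring wall-clock time. The user table, the iteration count, the `dummy` salt and the names `authenticate_legacy` / `authenticate_hardened` are constructed for the example; the `!` prefix for unusable passwords follows Django's convention.

```python
"""Illustration of the CVE-2024-39329 timing issue and its mitigation in plain
Python (modelled on the authenticate()/check_password() contract, not Django's code)."""
import hashlib
import secrets

ITERATIONS = 20_000                 # constructed PBKDF2 round count, kept small for the demo
UNUSABLE_PASSWORD_PREFIX = "!"      # Django stores unusable passwords as '!' + random suffix
HASH_CALLS = {"count": 0}           # instrumentation: how many times the slow hasher ran


def _pbkdf2(password, salt):
    """The expensive step; every call is counted so paths can be compared."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()


def make_password(password, salt=None):
    """Return 'pbkdf2$<salt>$<hex>', or an unusable marker when password is None."""
    if password is None:
        return UNUSABLE_PASSWORD_PREFIX + secrets.token_urlsafe(30)
    salt = salt or secrets.token_hex(8)
    return f"pbkdf2${salt}${_pbkdf2(password, salt)}"


def is_password_usable(encoded):
    return not encoded.startswith(UNUSABLE_PASSWORD_PREFIX)


def check_password(password, encoded):
    _, salt, digest = encoded.split("$")
    return secrets.compare_digest(_pbkdf2(password, salt), digest)


def authenticate_legacy(users, username, password):
    """Before the fix: the unusable-password branch returns without hashing."""
    user = users.get(username)
    if user is None:
        make_password(password, salt="dummy")  # hash once so a missing user costs the same as a real one
        return None
    if not is_password_usable(user["password"]):
        return None                             # early return: measurably faster than a real check
    return user if check_password(password, user["password"]) else None


def authenticate_hardened(users, username, password):
    """After the fix: every rejecting path performs exactly one hasher run."""
    user = users.get(username)
    if user is None or not is_password_usable(user["password"]):
        make_password(password, salt="dummy")  # equalise the work for missing and unusable accounts
        return None
    return user if check_password(password, user["password"]) else None


def hasher_runs(authenticate, users, username, password):
    """Number of hasher invocations one login attempt triggers (what response time reflects)."""
    before = HASH_CALLS["count"]
    authenticate(users, username, password)
    return HASH_CALLS["count"] - before


# Constructed user table: one normal account and one created without a usable password.
USERS = {
    "alice": {"password": make_password("correct horse", salt="a1b2c3d4")},
    "svc-import": {"password": make_password(None)},
}

if __name__ == "__main__":
    for auth in (authenticate_legacy, authenticate_hardened):
        runs = {name: hasher_runs(auth, USERS, name, "x") for name in ("alice", "svc-import", "nobody")}
        print(auth.__name__, runs)
```

The point of the counter is that it makes the defect visible without a stopwatch: under `authenticate_legacy` an account with an unusable password costs zero hasher runs while a missing account costs one, which is exactly the difference a remote observer can measure; under `authenticate_hardened` all three cases cost one run.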


Affected products
SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.3.1
openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.3.1

Links

Description (CVE-2024-39330)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
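An added illustration of the pattern this entry describes, written in plain Python; it mirrors the shape of Django's Storage API but is not Django's code. It shows a base class whose `save()` validates only the caller-supplied name, a subclass whose `generate_filename()` override drops that validation, and a hardened base `save()` that re-validates whatever the hook returned and then checks that the resolved path stays under the storage root. `validate_file_name` is a reimplementation of the contract of `django.core.files.utils.validate_file_name`, not that function; the names `LegacyStorage`, `HardenedStorage`, `FlattenedNameMixin`, the `/srv/media` root and the `..__outside.txt` input are constructed. Nothing is written to disk: `_target_path()` only computes where a write would land.

```python
"""Illustration of the CVE-2024-39330 pattern (modelled on the shape of Django's
Storage API, not Django's code). Dry run only: no files are created."""
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the storage root."""


def validate_file_name(name, allow_relative_path=False):
    """Reject empty/dot names, absolute paths and '..' components.

    Reimplemented for a self-contained example; follows the contract of
    django.core.files.utils.validate_file_name but is not that function.
    """
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"could not derive a file name from {name!r}")
    if allow_relative_path:
        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"path traversal detected in {name!r}")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"file name {name!r} includes path elements")
    return name


class LegacyStorage:
    """The 'before': save() validates only the caller-supplied name."""

    def __init__(self, location="/srv/media"):   # constructed root; nothing is written
        self.location = location

    def generate_filename(self, filename):
        # Base hook: keep any directory part, validate the final component.
        dirname, basename = os.path.split(filename)
        return os.path.normpath(os.path.join(dirname, validate_file_name(basename)))

    def _target_path(self, name):
        # Stand-in for the real write: compute where the file would land.
        return os.path.normpath(os.path.join(self.location, name))

    def save(self, name, content=b""):
        validate_file_name(name, allow_relative_path=True)
        name = self.generate_filename(name)       # a subclass may override this
        return self._target_path(name)


class HardenedStorage(LegacyStorage):
    """The 'after': re-validate the hook's result, then confirm containment."""

    def save(self, name, content=b""):
        validate_file_name(name, allow_relative_path=True)
        name = self.generate_filename(name)
        validate_file_name(name, allow_relative_path=True)   # independent of the subclass
        target = self._target_path(name)
        root = os.path.normpath(self.location)
        if os.path.commonpath([root, target]) != root:       # defence in depth
            raise SuspiciousFileOperation(f"{name!r} resolves outside {root!r}")
        return target


class FlattenedNameMixin:
    """Constructed example of an override that drops the base validation:
    a legacy naming scheme that encodes directories as '__' inside flat names."""

    def generate_filename(self, filename):
        return filename.replace("__", "/")


class NaiveLegacy(FlattenedNameMixin, LegacyStorage):
    """Custom storage on the unpatched base: the hook's output is never checked."""


class NaiveHardened(FlattenedNameMixin, HardenedStorage):
    """The same custom hook on the hardened base."""


def attempt_save(storage, name):
    """Return the path the write would go to, or 'rejected' if save() refused."""
    try:
        return storage.save(name)
    except SuspiciousFileOperation:
        return "rejected"


if __name__ == "__main__":
    for storage in (NaiveLegacy(), NaiveHardened()):
        for name in ("reports__q3.txt", "..__outside.txt"):
            print(type(storage).__name__, name, "->", attempt_save(storage, name))
```

The constructed input passes the pre-check because it contains no separator or `..` component at that point; the separator is introduced by the subclass hook. That is why validating the input alone is insufficient once the hook is overridable, and why the hardened `save()` validates the hook's output and keeps a containment check on the resolved path as a last line of defence.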


Affected products
SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.3.1
openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.3.1

Links

Description (CVE-2024-39614)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.


Affected products
SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.3.1
openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.3.1

Links
Vulnerability SUSE-SU-2024:2577-1