Описание
Security update for python-Django
This update for python-Django fixes the following issues:
- CVE-2025-13372: Fixed SQL Injection in FilteredRelation (bsc#1254437)
- CVE-2025-64460: Fixed denial of service via specially crafted XML input in django.core.serializers.xml_serializer.getInnerText() (bsc#1254437)
Список пакетов
SUSE Linux Enterprise Module for Package Hub 15 SP6
SUSE Linux Enterprise Module for Package Hub 15 SP7
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:4384-1
- E-Mail link for SUSE-SU-2025:4384-1
- SUSE Security Ratings
- SUSE Bug 1254437
- SUSE CVE CVE-2025-13372 page
- SUSE CVE CVE-2025-64460 page
Описание
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Затронутые продукты
Ссылки
- CVE-2025-13372
- SUSE Bug 1254437
Описание
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Затронутые продукты
Ссылки
- CVE-2025-64460
- SUSE Bug 1254437