Description
Security update for python-django-grappelli
This update for python-django-grappelli fixes the following issues:
Update to 2.14.4:
- CVE-2021-46898: Fixed an open redirect in views/switch.py, which accepted protocol-relative URLs (//host) as redirect targets (boo#1216481)
- Fixed: Redirect with switch user.
- Improved: Remove extra filtering in AutocompleteLookup.
- Improved: Added import statement with URLs for quickstart docs.
- Improved: Added additional blocks with inlines to allow override.
- Fixed: Compatibility with Django 3.1.
- Fixed: Docs about adding Grappelli documentation URLs.
Package list
SUSE Package Hub 15 SP4
python3-django-grappelli-2.14.4-bp154.2.3.1
openSUSE Leap 15.4
python3-django-grappelli-2.14.4-bp154.2.3.1
References
- E-Mail link for openSUSE-SU-2023:0384-1
- SUSE Security Ratings
- SUSE Bug 1216481
- SUSE CVE CVE-2021-46898 page
Description
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection by checking the redirect target with startswith("/"). That check does not account for protocol-relative URLs: a value such as //example.com begins with "/" and passes, but a browser resolves it against the current scheme and follows it to the external host, so the view can be used as an open redirect.
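The added example below (not code from django-grappelli, SUSE, or this advisory) puts the weak leading-slash check described for CVE-2021-46898 next to a hardened check for a same-site redirect target, and runs both over a set of constructed probe URLs including the protocol-relative form from the CVE text. The switch.py view itself is not reproduced; the function names, the hypothetical safe_redirect_target() wrapper, the probe URLs and the hostnames are assumptions made for illustration. Django ships django.utils.http.url_has_allowed_host_and_scheme() for exactly this purpose; the stand-alone check here mirrors its approach (parse, reject scheme or host, check the backslash variant and the "///" prefix) so the block runs without Django installed.

```python
# Added example (not code from django-grappelli or the advisory): the weak
# leading-slash check described for CVE-2021-46898 beside a hardened check
# for a same-site redirect target. Names and sample URLs are constructed.
from urllib.parse import urlsplit


def weak_is_local(url: str) -> bool:
    """The pre-fix idea: accept anything that starts with "/".

    A protocol-relative URL ("//example.com") passes, so a browser
    following the redirect leaves the site.
    """
    return url.startswith("/")


def is_local_redirect(url: str) -> bool:
    """Accept only path-only targets that browsers resolve on the same host.

    Rejects:
      - empty values and values with surrounding whitespace
      - ASCII control characters (some browsers strip them before parsing)
      - anything that parses with a scheme or a host
      - backslash variants ("/\\example.com" is "//example.com" to browsers)
      - "///host", which Chrome collapses to "//host"
    """
    if not url or url != url.strip():
        return False
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    for candidate in (url, url.replace("\\", "/")):
        if candidate.startswith("///"):
            return False
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False
    return url.startswith("/")


def safe_redirect_target(requested: str, fallback: str = "/admin/") -> str:
    """Hypothetical handling for a switch-user style view: use the
    user-supplied redirect parameter only if it passes the hardened check,
    otherwise fall back to a fixed local path."""
    return requested if is_local_redirect(requested) else fallback


# Constructed probe URLs: (url, verdict of weak check, verdict of hardened check)
PROBES = [
    ("/admin/auth/user/", True, True),
    ("/admin/?next=//evil.example", True, True),   # host appears only in the query string
    ("//evil.example/phish", True, False),         # protocol-relative (the CVE case)
    ("/\\evil.example", True, False),              # backslash variant
    ("///evil.example", True, False),              # Chrome collapses /// to //
    ("https://evil.example/", False, False),
    ("javascript:alert(1)", False, False),
    ("admin/", False, False),                      # relative path, not anchored at root
    ("", False, False),
]


def run_probes():
    """Return (url, weak verdict, hardened verdict) for every probe."""
    return [(u, weak_is_local(u), is_local_redirect(u)) for u, _, _ in PROBES]


if __name__ == "__main__":
    for url, weak, hardened in run_probes():
        print(f"{url!r:32} weak={weak!s:5} hardened={hardened}")
```

The three probes that the weak check accepts and the hardened check rejects are the ones a browser would send off-site; the query-string probe shows that a host name appearing after "?" is harmless, so the hardened check does not simply search for "//" anywhere in the string.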
Affected products
SUSE Package Hub 15 SP4:python3-django-grappelli-2.14.4-bp154.2.3.1
openSUSE Leap 15.4:python3-django-grappelli-2.14.4-bp154.2.3.1
References
- CVE-2021-46898
- SUSE Bug 1216481