Description
Security update for python-django-grappelli
This update for python-django-grappelli fixes the following issues:
Update to 2.14.4:
- CVE-2021-46898: Fixed views/switch.py vulnerable to protocol-relative URL attacks (boo#1216481)
- Fixed: Redirect with switch user.
- Improved: Remove extra filtering in AutocompleteLookup.
- Improved: Added import statement with URLs for quickstart docs.
- Improved: Added additional blocks with inlines to allow override.
- Fixed: Compatibility with Django 3.1.
- Fixed: Docs about adding Grappelli documentation URLS.
Package list
SUSE Package Hub 15 SP5
python3-django-grappelli-2.14.4-bp155.3.3.1
openSUSE Leap 15.5
python3-django-grappelli-2.14.4-bp155.3.3.1
References
- E-Mail link for openSUSE-SU-2024:0017-1
- SUSE Security Ratings
- SUSE Bug 1216481
- SUSE CVE CVE-2021-46898 page
Description
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //example.com) attack.
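The flaw described above is a classic open-redirect bypass: a `startswith("/")` check accepts `//example.com`, which browsers resolve as a protocol-relative link to another host. The following added example (written for this advisory, not code from django-grappelli or its fix) places a naive check of that shape next to a hardened local-path validator and a helper that falls back to a safe default. The function names and the `/admin/` fallback are assumptions for illustration; the validator is written without Django so it runs stand-alone.

```python
from urllib.parse import urlsplit


def is_local_redirect_naive(url: str) -> bool:
    """Check of the shape the advisory describes: anything starting with "/" passes.

    "//evil.example" also starts with "/", so it is wrongly accepted.
    """
    return url.startswith("/")


def is_local_redirect(url: str) -> bool:
    """Accept only a path on the current host (constructed hardened check).

    Rejects protocol-relative targets ("//host" and the browser-tolerated
    "/\\host"), absolute URLs with a scheme, and URLs carrying control
    characters or surrounding whitespace that could smuggle a host past the
    prefix test.
    """
    if not url.startswith("/"):
        return False
    # A second "/" or a backslash right after the first slash makes browsers
    # treat the remainder as a host name, not a path.
    if url.startswith("//") or url.startswith("/\\"):
        return False
    # Whitespace and control characters are stripped or ignored by browsers
    # in ways that can change how the URL is parsed, so refuse them outright.
    if url != url.strip() or any(ord(ch) < 32 for ch in url):
        return False
    parts = urlsplit(url)
    # After the prefix checks, a well-formed local path has no scheme and
    # no network location component.
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(candidate: str, fallback: str = "/admin/") -> str:
    """Return the requested target only if it is local; otherwise the fallback."""
    return candidate if is_local_redirect(candidate) else fallback


if __name__ == "__main__":
    # Constructed sample targets: the first is the bypass from the advisory.
    for target in ("//evil.example/", "/\\evil.example", "https://evil.example",
                   "/admin/", "/grappelli/?next=/admin/"):
        print(f"{target!r:32} naive={is_local_redirect_naive(target)!s:5} "
              f"hardened={is_local_redirect(target)}")
```

Detection-wise, the same validator can be run over the `next`-style parameters in access logs to flag requests whose redirect target begins with `//` or `/\`, which is a cheap indicator that someone is probing for this class of bug.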
Affected products
SUSE Package Hub 15 SP5:python3-django-grappelli-2.14.4-bp155.3.3.1
openSUSE Leap 15.5:python3-django-grappelli-2.14.4-bp155.3.3.1
References
- CVE-2021-46898
- SUSE Bug 1216481