Security update for python-Django

This update for python-Django to version 1.18.18 fixes multiple issues.

Security issues fixed:

- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator (bsc#1083305).
- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters (bsc#1083304).
- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374).
- CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade (bsc#968000).
- CVE-2016-2512: Fixed malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth (bsc#967999).
- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050).
- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047).
- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451).
- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450).
- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284).

Fixed bugs:

- bnc#1083305: VUL-0: CVE-2018-7537: python-Django: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters
- bnc#1083304: VUL-0: CVE-2018-7536: python-Django: Denial-of-service possibility in urlize and urlizetrunc template filters
- bnc#1001374: VUL-1: CVE-2016-7401: python-Django: CSRF protection bypass on a site with Google Analytics
- bnc#968000: VUL-0: CVE-2016-2513: python-django, python-Django: User enumeration through timing difference on password hasher work factor upgrade
- bnc#1008050: VUL-1: CVE-2016-9013: python-django: user with hardcoded password created when running tests on Oracle
- bnc#1008047: VUL-1: CVE-2016-9014: python-django: DNS rebinding vulnerability when DEBUG=True
- bnc#1031451: VUL-1: CVE-2017-7234: python-django: Open redirect vulnerability in django.views.static.serve()
- bnc#1031450: VUL-1: CVE-2017-7233: python-django: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
- bnc#967999: VUL-0: CVE-2016-2512: python-django, python-Django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
- bnc#1056284: VUL-0: CVE-2017-12794: python-Django: Fixed XSS possibility in traceback section of technical 500 debug page.