File _patchinfo of Package patchinfo.17686

<patchinfo incident="17686">
  <issue tracker="cve" id="2021-32052"/>
  <issue tracker="cve" id="2021-33571"/>
  <issue tracker="cve" id="2021-33203"/>
  <issue tracker="cve" id="2021-44420"/>
  <issue tracker="cve" id="2021-45452"/>
  <issue tracker="cve" id="2021-45116"/>
  <issue tracker="cve" id="2021-45115"/>
  <issue tracker="cve" id="2022-41323"/>
  <issue tracker="cve" id="2022-36359"/>
  <issue tracker="cve" id="2022-28346"/>
  <issue tracker="cve" id="2022-28347"/>
  <issue tracker="cve" id="2022-22818"/>
  <issue tracker="cve" id="2022-23833"/>
  <issue tracker="bnc" id="1185713">VUL-0: CVE-2021-32052: python-Django,python-Django1: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+</issue>
  <issue tracker="bnc" id="1198297">python-Django and pythonDjango1: test_validators fails at AssertionError: ValidationError not raised</issue>
  <issue tracker="bnc" id="1201923">VUL-0: CVE-2022-36359: django: potential reflected file download vulnerability in FileResponse</issue>
  <issue tracker="bnc" id="1203793">VUL-0: CVE-2022-41323: python-Django: potential denial-of-service vulnerability in internationalized URLs</issue>
  <issue tracker="bnc" id="1198398">VUL-0: CVE-2022-28346: python-Django,python-Django1: Potential SQL injection in QuerySet.annotate(),aggregate() and extra()</issue>
  <issue tracker="bnc" id="1198399">VUL-0: CVE-2022-28347: python-Django1,python-Django: Potential SQL injection via QuerySet.explain(options) on PostgreSQL</issue>
  <issue tracker="bnc" id="1195086">VUL-0: CVE-2022-22818: python-Django,python-Django1: Possible XSS via {% debug %} template tag</issue>
  <issue tracker="bnc" id="1195088">VUL-0: CVE-2022-23833: python-Django,python-Django1: Denial-of-service possibility in file uploads</issue>
  <issue tracker="bnc" id="1194115">VUL-0: CVE-2021-45115: python-Django,python-Django1: Denial-of-service possibility in UserAttributeSimilarityValidator</issue>
  <issue tracker="bnc" id="1194117">VUL-0: CVE-2021-45116: python-Django,python-Django1: Potential information disclosure in dictsort template filter</issue>
  <issue tracker="bnc" id="1194116">VUL-0: CVE-2021-45452: python-Django,python-Django1: Potential directory-traversal via Storage.save()</issue>
  <issue tracker="bnc" id="1193240">VUL-0: CVE-2021-44420: python-Django,python-Django1: Potential bypass of an upstream access control based on URL paths</issue>
  <issue tracker="bnc" id="1186608">VUL-0: CVE-2021-33203: python-Django,python-Django1: Potential directory traversal via admindocs</issue>
  <issue tracker="bnc" id="1186611">VUL-0: CVE-2021-33571: python-Django,python-Django1: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses</issue>
  <packager>aplanas</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python-Django</summary>
  <description>This update for python-Django fixes the following issues:

- CVE-2022-41323: Fixed potential denial-of-service vulnerability in internationalized URLs (boo#1203793)
- CVE-2022-36359: Fixed a potential reflected file download vulnerability in FileResponse (boo#1201923)

- Update from 2.2.12 to 2.2.28 (boo#1198297)

  * Many CVE fixes (check https://github.com/django/django/blob/main/docs/releases/)

  2.2.28:

  - CVE-2022-28346: Fixed potential SQL injection in QuerySet.annotate(), aggregate(), and extra() (bsc#1198398)
  - CVE-2022-28347: Fixed potential SQL injection via QuerySet.explain(**options) (bsc#1198399)

  2.2.27:

  - CVE-2022-22818: Fixed possible XSS via ``{% debug %}`` template tag (bsc#1195086)
  - CVE-2022-23833: Fixed denial-of-service possibility in file uploads (bsc#1195088)

  2.2.26:

  - CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator`` (bsc#1194115)
  - CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter (bsc#1194117)
  - CVE-2021-45452: Potential directory-traversal via ``Storage.save()`` (bsc#)

  2.2.25:

  - CVE-2021-44420: Potential bypass of an upstream access control based on URL paths (bsc#1193240)

  2.2.24:

  - CVE-2021-33203: Potential directory traversal via ``admindocs``
  - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

  2.2.23:

  - regression fix

  2.2.22:

  - CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+

</description>
</patchinfo>