MGASA-2022-0011 - Updated python-django packages fix security vulnerability

Publication date: 11 Jan 2022
URL: https://advisories.mageia.org/MGASA-2022-0011.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-45115,
     CVE-2021-45116,
     CVE-2021-45452

UserAttributeSimilarityValidator incurred significant overhead evaluating
submitted password that were artificially large in relative to the
comparison values. On the assumption that access to user registration was
unrestricted this provided a potential vector for a denial-of-service
attack. (CVE-2021-45115)
Due to leveraging the Django Template Language's variable resolution
logic, the dictsort template filter was potentially vulnerable to
information disclosure or unintended method calls, if passed a suitably
crafted key. (CVE-2021-45116)
Storage.save() allowed directory-traversal if directly passed suitably
crafted file names. (CVE-2021-45452)

References:
- https://bugs.mageia.org/show_bug.cgi?id=29843
- https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
- https://ubuntu.com/security/notices/USN-5204-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45115
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45116
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45452

SRPMS:
- 8/core/python-django-3.1.14-1.1.mga8