Mageia 2022-0281: python-django security update | LinuxSecurity.com
MGASA-2022-0281 - Updated python-django packages fix security vulnerability

Publication date: 13 Aug 2022
URL: https://advisories.mageia.org/MGASA-2022-0281.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-34265,
     CVE-2022-36359

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6.
The Trunc() and Extract() database functions are subject to SQL injection
if untrusted data is used as a kind/lookup_name value. Applications that
constrain the lookup name and kind choice to a known safe list are
unaffected. (CVE-2022-34265)
An issue was discovered in the HTTP FileResponse class in Django 3.2
before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a
reflected file download (RFD) attack that sets the Content-Disposition
header of a FileResponse when the filename is derived from user-supplied
input. (CVE-2022-36359)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30603
- https://nvd.nist.gov/vuln/detail/CVE-2022-34265
- https://nvd.nist.gov/vuln/detail/CVE-2022-36359
- https://www.djangoproject.com/weblog/2022/aug/03/security-releases/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34265
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36359

SRPMS:
- 8/core/python-django-3.2.15-1.mga8

Mageia 2022-0281: python-django security update

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6

Summary

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. (CVE-2022-34265) An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. (CVE-2022-36359)

References

- https://bugs.mageia.org/show_bug.cgi?id=30603

- https://nvd.nist.gov/vuln/detail/CVE-2022-34265

- https://nvd.nist.gov/vuln/detail/CVE-2022-36359

- https://www.djangoproject.com/weblog/2022/aug/03/security-releases/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34265

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36359

Resolution

MGASA-2022-0281 - Updated python-django packages fix security vulnerability

SRPMS

- 8/core/python-django-3.2.15-1.mga8

Severity
Publication date: 13 Aug 2022
URL: https://advisories.mageia.org/MGASA-2022-0281.html
Type: security
CVE: CVE-2022-34265, CVE-2022-36359

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.