MGASA-2023-0165 - Updated python-django packages fix security vulnerability

Publication date: 16 May 2023
URL: https://advisories.mageia.org/MGASA-2023-0165.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-24580,
     CVE-2023-31047

Passing certain inputs (e.g., an excessive number of parts) to multipart
forms could result in too many open files or memory exhaustion, and
provided a potential vector for a denial-of-service attack.
(CVE-2023-24580)

Validation could be bypassed when one form field was used to upload
multiple files. Multiple upload has never been supported by
forms.FileField or forms.ImageField (only the last uploaded file was
validated), but Django's "Uploading multiple files" documentation
suggested otherwise. (CVE-2023-31047)
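The two issues above share one root: a multipart body may carry many parts, and many parts under the same field name. The following is an added example, not code from the advisory or from Django: a minimal multipart/form-data parser that counts file parts and refuses the body as soon as a cap is exceeded (the mechanism behind the CVE-2023-24580 fix; Django 3.2.18 exposes this cap as the DATA_UPLOAD_MAX_NUMBER_FILES setting), and that keeps every file sent under one field name so a validator can check each one instead of only the last (the CVE-2023-31047 pattern). The cap name MAX_FILES, the helper names, the PNG check and the sample request bodies are all constructed for illustration; a production parser streams the body rather than splitting it in memory.

```python
# Added example, not Django's code: file-part cap plus per-file validation
# for a multipart/form-data body. Names and payloads are hypothetical.
import re

MAX_FILES = 100  # hypothetical cap; Django 3.2.18 added DATA_UPLOAD_MAX_NUMBER_FILES for this


class TooManyFiles(Exception):
    """Raised before the part that exceeds the cap is retained."""


def build_multipart(boundary: bytes, parts) -> bytes:
    """Constructed request body. parts: iterable of (field, filename_or_None, data)."""
    body = bytearray()
    for field, filename, data in parts:
        body += b"--" + boundary + b"\r\n"
        if filename is None:
            body += b'Content-Disposition: form-data; name="%s"\r\n\r\n' % field.encode()
        else:
            body += (b'Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
                     % (field.encode(), filename.encode()))
            body += b"Content-Type: application/octet-stream\r\n\r\n"
        body += data + b"\r\n"
    body += b"--" + boundary + b"--\r\n"
    return bytes(body)


def parse_multipart(body: bytes, boundary: bytes, max_files: int = MAX_FILES):
    """Return (fields, files): name -> list of str / list of (filename, data).

    The counter is checked before a file part is retained, so a body with
    thousands of file parts is rejected at part max_files + 1 rather than
    costing one buffer or temporary file per part (the DoS in CVE-2023-24580).
    Simplification: the body is split in memory and payloads must not contain
    the boundary string.
    """
    fields, files, file_count = {}, {}, 0
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter "--boundary--"
            break
        headers, _, payload = chunk[2:].partition(b"\r\n\r\n")  # drop leading CRLF
        payload = payload[:-2]                                   # drop trailing CRLF
        head = headers.decode("latin-1")
        name = re.search(r'[;\s]name="([^"]*)"', head).group(1)
        fname = re.search(r'filename="([^"]*)"', head)
        if fname is None:
            fields.setdefault(name, []).append(payload.decode("utf-8"))
            continue
        file_count += 1
        if file_count > max_files:
            raise TooManyFiles(f"more than {max_files} file parts in request")
        files.setdefault(name, []).append((fname.group(1), payload))
    return fields, files


def looks_like_png(filename: str, data: bytes) -> bool:
    """Stand-in for a real per-file check: extension plus magic bytes."""
    return filename.lower().endswith(".png") and data.startswith(b"\x89PNG\r\n\x1a\n")


def validate_last_only(files, field):
    """Pre-fix pattern: a single-file field sees only the last value for its name
    (dict-style lookup on a multi-value dict), so earlier files go unchecked."""
    filename, data = files[field][-1]
    return [looks_like_png(filename, data)]


def validate_every_file(files, field):
    """Fixed pattern: iterate the whole list (in Django, request.FILES.getlist)."""
    return [looks_like_png(fn, d) for fn, d in files[field]]


BOUNDARY = b"----constructedboundary42"


def demo():
    """Two files under one field: the first is not an image, the second is."""
    parts = [
        ("title", None, b"holiday"),
        ("images", "payload.exe", b"MZ\x90\x00 not an image"),            # constructed
        ("images", "beach.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),     # constructed
    ]
    _, files = parse_multipart(build_multipart(BOUNDARY, parts), BOUNDARY)
    return validate_last_only(files, "images"), validate_every_file(files, "images")


def rejected(n: int) -> bool:
    """True if a body carrying n file parts is refused by the cap."""
    parts = [("images", f"f{i}.png", b"x") for i in range(n)]
    try:
        parse_multipart(build_multipart(BOUNDARY, parts), BOUNDARY, max_files=MAX_FILES)
    except TooManyFiles:
        return True
    return False


if __name__ == "__main__":
    print("last-only:", demo()[0], "every file:", demo()[1])
    print("100 files rejected:", rejected(100), "101 files rejected:", rejected(101))
```

With the constructed body, the last-only check reports the field as clean because only beach.png is inspected, while the per-file check exposes payload.exe; 100 file parts pass the cap and the 101st is refused before it is stored.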

References:
- https://bugs.mageia.org/show_bug.cgi?id=31548
- https://www.djangoproject.com/weblog/2023/feb/14/security-releases/
- https://ubuntu.com/security/notices/USN-5868-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/
- https://www.djangoproject.com/weblog/2023/may/03/security-releases/
- https://ubuntu.com/security/notices/USN-6054-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24580
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047

SRPMS:
- 8/core/python-django-3.2.18-1.mga8
