
Mageia 9: MGASA-2025-0039 critical: python-django DoS threats

Mageia, February 5, 2025
Revised python-django libraries address several urgent vulnerabilities, notably risks of Denial of Service and unauthorized user enumeration.

Summary

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. (CVE-2024-38875)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. (CVE-2024-39329)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (CVE-2024-39330)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-o...
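The generate_filename() issue in the summary (CVE-2024-39330) is the one a custom storage author most needs to check for. The following is an added example written for this page; it is not Django's or Mageia's code. The Storage, PrefixingStorage and UncheckedStorage classes, the validate_file_name and safe_join helpers, and the root /srv/media are all assumptions modelled on the pattern the advisory describes. It shows an override that keeps the parent's validation beside one that drops it, and why the base save() should re-validate whatever generate_filename() returns rather than trust the subclass.

```python
import posixpath
from pathlib import PurePosixPath


class SuspiciousFileOperation(Exception):
    """Raised when a name would escape the storage root (our own class, not Django's)."""


def validate_file_name(name: str) -> str:
    """Reject absolute paths and any '..' segment.

    Backslashes are normalised first so a Windows-style separator cannot hide
    a segment from the check; the original name is returned unchanged.
    """
    path = PurePosixPath(name.replace("\\", "/"))
    if path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileOperation(f"path traversal attempt in {name!r}")
    return name


def safe_join(base: str, name: str) -> str:
    """Join name onto base and refuse the result if it resolves outside base."""
    base = posixpath.normpath(base)
    final = posixpath.normpath(posixpath.join(base, name))
    if final != base and not final.startswith(base.rstrip("/") + "/"):
        raise SuspiciousFileOperation(f"{final!r} lies outside {base!r}")
    return final


class Storage:
    """Minimal stand-in for a storage base class (hypothetical, not Django's)."""

    def __init__(self, location: str) -> None:
        self.location = location  # constructed root such as "/srv/media"

    def generate_filename(self, filename: str) -> str:
        dirname, basename = posixpath.split(filename)
        return validate_file_name(posixpath.normpath(posixpath.join(dirname, basename)))

    def save(self, name: str) -> str:
        # Re-validate whatever generate_filename() returned, even when a subclass
        # overrode it, then resolve the name inside the root as a second check.
        name = validate_file_name(self.generate_filename(name))
        return safe_join(self.location, name)


class PrefixingStorage(Storage):
    """Override that keeps the parent's checks by delegating to super()."""

    def generate_filename(self, filename: str) -> str:
        dirname, basename = posixpath.split(filename)
        return super().generate_filename(posixpath.join(dirname, "upload_" + basename))


class UncheckedStorage(Storage):
    """The risky pattern the advisory describes: an override with no validation."""

    def generate_filename(self, filename: str) -> str:
        dirname, basename = posixpath.split(filename)
        return posixpath.join(dirname, "upload_" + basename)


def path_without_recheck(storage: Storage, name: str) -> str:
    """Where a save() that trusted generate_filename() blindly would write."""
    return posixpath.normpath(posixpath.join(storage.location, storage.generate_filename(name)))


def save_rejects(storage: Storage, name: str) -> bool:
    """True if save() refuses the name instead of resolving it under the root."""
    try:
        storage.save(name)
    except SuspiciousFileOperation:
        return True
    return False


if __name__ == "__main__":
    root = "/srv/media"  # constructed sample root
    print(PrefixingStorage(root).save("avatars/me.png"))
    print(path_without_recheck(UncheckedStorage(root), "../../etc/passwd"))
    print(save_rejects(UncheckedStorage(root), "../../etc/passwd"))
```

The point to take from it: path_without_recheck() shows that an unvalidated override lets "../../etc/passwd" resolve to a path outside the root, while save() still refuses it because the base class validates the subclass's result before joining. When auditing a custom storage backend, look for exactly that: an override of generate_filename() that builds a name from caller input and never re-runs the parent's validation.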

References

- https://bugs.mageia.org/show_bug.cgi?id=33919

- https://bugs.mageia.org/show_bug.cgi?id=33387

- https://bugs.mageia.org/show_bug.cgi?id=33507

- https://www.openwall.com/lists/oss-security/2024/07/09/3

- https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

- https://openwall.com/lists/oss-security/2024/08/06/2

- https://www.openwall.com/lists/oss-security/2024/09/03/3

- https://openwall.com/lists/oss-security/2024/12/04/3

- https://www.openwall.com/lists/oss-security/2025/01/14/2

- https://ubuntu.com/security/notices/USN-7205-1

- https://www.cve.org/CVERecord?id=CVE-2024-56374

- https://www.cve.org/CVERecord?id=CVE-2024-38875

- https://www.cve.org/CVERecord?id=CVE-2024-39329

- https://www.cve.org/CVERecord?id=CVE-2024-39330

- https://www.cve.org/CVERecord?id=CVE-2024-39614

- https://www.cve.org/CVERecord?id=CVE-2024-41989

- https://www.cve.org/CVERecord?id=CVE-2024-41990

- https://www.cve.org/CVERecord?id=CVE-2024-41991

- https://www.cve.org/CVERecord?id=CVE-2024-42005

- https://www.cve.org/CVERecord?id=CVE-2024-45230

- https://www.cve.org/CVERecord?id=CVE-2024-45231

- https://www.cve.org/CVERecord?id=CVE-2024-53907

- https://www.cve.org/CVERecord?id=CVE-2024-53908

Resolution

SRPMS

- 9/core/python-django-4.1.13-1.2.mga9

Severity
critical

Publication date: 05 Feb 2025
URL: https://advisories.mageia.org/MGASA-2025-0039.html
Type: security
CVE: CVE-2024-56374, CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, CVE-2024-39614, CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, CVE-2024-42005, CVE-2024-45230, CVE-2024-45231, CVE-2024-53907, CVE-2024-53908
