This update for python-Django fixes the following issues:
Changes in python-Django:
- CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation (bsc#1261729)
- CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin (bsc#1261731)
- CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable (bsc#1261732)
- CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload (bsc#1261722)
- CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass (bsc#1261724)
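The underscore/hyphen conflation named in the first CVE above comes from the classic WSGI/ASGI normalisation of header names into META keys (upper-case, hyphens to underscores, `HTTP_` prefix), under which two spellings of a name map to the same key. The example below is added here and is not Django's code: it models that normalisation with constructed headers, shows the collision, and shows a hardened variant that refuses header names containing underscores before they reach META.

```python
"""Header-name conflation in a WSGI/ASGI-style META mapping (illustration)."""
from typing import Dict, Iterable, List, Tuple

# ASGI-style raw headers: lower-cased byte names with byte values.
RawHeaders = Iterable[Tuple[bytes, bytes]]


def meta_key(name: str) -> str:
    """Classic normalisation: 'x-forwarded-for' -> 'HTTP_X_FORWARDED_FOR'.

    Both 'x-forwarded-for' and 'x_forwarded_for' produce this same key,
    which is the root of the conflation.
    """
    return "HTTP_" + name.upper().replace("-", "_")


def build_meta_naive(headers: RawHeaders) -> Dict[str, str]:
    """Map every header into META; the last spelling seen wins."""
    meta: Dict[str, str] = {}
    for name, value in headers:
        meta[meta_key(name.decode("latin1"))] = value.decode("latin1")
    return meta


def build_meta_hardened(headers: RawHeaders) -> Tuple[Dict[str, str], List[str]]:
    """Drop any header whose name contains an underscore and report it.

    After this filter each META key corresponds to exactly one header
    spelling, so a value set by a trusted proxy cannot be overwritten
    by an alternate spelling of the same name. Dropped names are returned
    so a deployment can log them for detection.
    """
    meta: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers:
        text = name.decode("latin1")
        if "_" in text:
            dropped.append(text)
            continue
        meta[meta_key(text)] = value.decode("latin1")
    return meta, dropped


# Constructed sample (not from the advisory): a hyphenated header as a
# proxy would set it, followed by an underscore spelling of the same name.
SAMPLE_HEADERS = [
    (b"host", b"example.test"),
    (b"x-forwarded-for", b"203.0.113.7"),
    (b"x_forwarded_for", b"10.0.0.1"),
]
```

With the naive mapping the underscore spelling silently replaces the proxy-supplied value; with the hardened mapping the proxy value survives and the rejected name is available for logging.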
Patch instructions:
To install this openSUSE security update, use the SUSE-recommended installation methods
such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0:
zypper in -t patch openSUSE-Leap-16.0-packagehub-196=1
- openSUSE Leap 16.0:
python313-Django-5.2.4-bp160.7.1
* bsc#1261722
* bsc#1261724
* bsc#1261729
* bsc#1261731
* bsc#1261732
References:
* https://www.suse.com/security/cve/CVE-2026-33033.html
* https://www.suse.com/security/cve/CVE-2026-33034.html
* https://www.suse.com/security/cve/CVE-2026-3902.html
* https://www.suse.com/security/cve/CVE-2026-4277.html
* https://www.suse.com/security/cve/CVE-2026-4292.html