MGASA-2025-0039 - Updated python-django packages fix security vulnerabilities

Publication date: 05 Feb 2025
URL: https://advisories.mageia.org/MGASA-2025-0039.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-56374, CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, CVE-2024-39614, CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, CVE-2024-42005, CVE-2024-45230, CVE-2024-45231, CVE-2024-53907, CVE-2024-53908

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. (CVE-2024-38875)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. (CVE-2024-39329)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (CVE-2024-39330)

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. (CVE-2024-39614)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. (CVE-2024-41989)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. (CVE-2024-41990)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. (CVE-2024-41991)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. (CVE-2024-42005)

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. (CVE-2024-45230)

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). (CVE-2024-45231)

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. (CVE-2024-53907)

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (CVE-2024-53908)

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (CVE-2024-56374)

References:
- https://bugs.mageia.org/show_bug.cgi?id=33919
- https://bugs.mageia.org/show_bug.cgi?id=33387
- https://bugs.mageia.org/show_bug.cgi?id=33507
- https://www.openwall.com/lists/oss-security/2024/07/09/3
- https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
- https://openwall.com/lists/oss-security/2024/08/06/2
- https://www.openwall.com/lists/oss-security/2024/09/03/3
- https://openwall.com/lists/oss-security/2024/12/04/3
- https://www.openwall.com/lists/oss-security/2025/01/14/2
- https://ubuntu.com/security/notices/USN-7205-1
- https://www.cve.org/CVERecord?id=CVE-2024-56374
- https://www.cve.org/CVERecord?id=CVE-2024-38875
- https://www.cve.org/CVERecord?id=CVE-2024-39329
- https://www.cve.org/CVERecord?id=CVE-2024-39330
- https://www.cve.org/CVERecord?id=CVE-2024-39614
- https://www.cve.org/CVERecord?id=CVE-2024-41989
- https://www.cve.org/CVERecord?id=CVE-2024-41990
- https://www.cve.org/CVERecord?id=CVE-2024-41991
- https://www.cve.org/CVERecord?id=CVE-2024-42005
- https://www.cve.org/CVERecord?id=CVE-2024-45230
- https://www.cve.org/CVERecord?id=CVE-2024-45231
- https://www.cve.org/CVERecord?id=CVE-2024-53907
- https://www.cve.org/CVERecord?id=CVE-2024-53908

SRPMS:
- 9/core/python-django-4.1.13-1.2.mga9
Revised python-django libraries address several urgent vulnerabilities, notably risks of Denial of Service and unauthorized user enumeration.
Severity: Critical. LinuxSecurity.com Team
# Security update for python-Django

Announcement ID: SUSE-SU-2024:3161-1
Rating: important
References:
* bsc#1229823
* bsc#1229824
Cross-References:
* CVE-2024-45230
* CVE-2024-45231
CVSS scores:
* CVE-2024-45230 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45231 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Package Hub 15 15-SP6

An update that solves two vulnerabilities can now be installed.

## Description:

This update for python-Django fixes the following issues:

* CVE-2024-45230: Fixed potential denial-of-service vulnerability in django.utils.html.urlize(). (bsc#1229823)
* CVE-2024-45231: Fixed potential user email enumeration via response status on password reset. (bsc#1229824)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3161=1
* openSUSE Leap 15.6
  zypper in -t patch SUSE-2024-3161=1 openSUSE-SLE-15.6-2024-3161=1

## Package List:

* SUSE Package Hub 15 15-SP6 (noarch)
  * python311-Django-4.2.11-150600.3.9.1
* openSUSE Leap 15.6 (noarch)
  * python311-Django-4.2.11-150600.3.9.1

## References:

* https://www.suse.com/security/cve/CVE-2024-45230.html
* https://www.suse.com/security/cve/CVE-2024-45231.html
* https://bugzilla.suse.com/show_bug.cgi?id=1229823
* https://bugzilla.suse.com/show_bug.cgi?id=1229824

Notices regarding Django release tackle denial-of-service vulnerabilities alongside user enumeration concerns. Significant updates specific to SUSE environments.
Severity: Important.
openSUSE Security Update: Security update for python-Django
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0282-1
Rating:             important
References:         #1229823 #1229824
Cross-References:   CVE-2024-45230 CVE-2024-45231
CVSS scores:
                    CVE-2024-45230 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2024-45231 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for python-Django fixes the following issues:

* CVE-2024-45230: Fixed Potential denial-of-service vulnerability in django.utils.html.urlize() (boo#1229823)
* CVE-2024-45231: Potential user email enumeration via response status on password reset (boo#1229824)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:
  zypper in -t patch openSUSE-2024-282=1

Package List:

References:

https://www.suse.com/security/cve/CVE-2024-45230.html
https://www.suse.com/security/cve/CVE-2024-45231.html
https://bugzilla.suse.com/1229823
https://bugzilla.suse.com/1229824

Urgent notice from openSUSE regarding the update of python-Django and potential security vulnerabilities.
Severity: Important.
# Security update for python-Django

Announcement ID: SUSE-SU-2024:3139-1
Rating: important
References:
* bsc#1229823
* bsc#1229824
Cross-References:
* CVE-2024-45230
* CVE-2024-45231
CVSS scores:
* CVE-2024-45230 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45231 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
* openSUSE Leap 15.5

An update that solves two vulnerabilities can now be installed.

## Description:

This update for python-Django fixes the following issues:

* CVE-2024-45230: Fixed potential denial-of-service vulnerability in django.utils.html.urlize(). (bsc#1229823)
* CVE-2024-45231: Fixed potential user email enumeration via response status on password reset. (bsc#1229824)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-3139=1

## Package List:

* openSUSE Leap 15.5 (noarch)
  * python3-Django-2.0.7-150000.1.33.1

## References:

* https://www.suse.com/security/cve/CVE-2024-45230.html
* https://www.suse.com/security/cve/CVE-2024-45231.html
* https://bugzilla.suse.com/show_bug.cgi?id=1229823
* https://bugzilla.suse.com/show_bug.cgi?id=1229824

Severity: Important.
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3390-1

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing User Enumeration, Cross-Site-Scripting or Cross-Site Request Forgery.
openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0089-1
Rating:             moderate
References:         #1196905 #1196908 #1196952
Cross-References:   CVE-2021-41239 CVE-2021-41241 CVE-2021-41741
CVSS scores:
                    CVE-2021-41239 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-41239 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-41241 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-41241 (SUSE): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected Products:
                    SUSE Linux Enterprise High Performance Computing 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12
                    SUSE Linux Enterprise Server for SAP Applications 12-SP3
                    SUSE Linux Enterprise Server for SAP Applications 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for nextcloud fixes the following issues:

nextcloud was updated to 21.0.9:

- CVE-2021-41239 (CWE-200): user enumeration setting not obeyed in User Status API (boo#1196905)
- CVE-2021-41241 (CWE-863): groupfolders advanced permissions is not obeyed for subfolders (boo#1196908)
- CVE-2021-41741 (CWE-400): High memory usage for generating preview of broken image (boo#1196952)
- For more changes see https://nextcloud.com/changelog/#21-0-9

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:
  zypper in -t patch openSUSE-2022-89=1

Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):
  nextcloud-21.0.9-37.1
  nextcloud-apache-21.0.9-37.1

References:

https://www.suse.com/security/cve/CVE-2021-41239.html
https://www.suse.com/security/cve/CVE-2021-41241.html
https://www.suse.com/security/cve/CVE-2021-41741.html
https://bugzilla.suse.com/1196905
https://bugzilla.suse.com/1196908
https://bugzilla.suse.com/1196952

New release addresses several vulnerabilities in Nextcloud, improving security measures and elevating overall platform efficiency.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-2d145b95f6
2021-05-29 01:04:01.502352
--------------------------------------------------------------------------------
Name        : php-symfony4
Product     : Fedora 34
Version     : 4.4.24
Release     : 1.fc34
URL         : https://symfony.com
Summary     : Symfony PHP framework (version 4)
Description :
Symfony PHP framework (version 4).

NOTE: Does not require PHPUnit bridge.
--------------------------------------------------------------------------------
Update Information:

**Version 4.4.24** (2021-05-19)

* security **CVE-2021-21424** [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr)
* bug #41230 [FrameworkBundle][Validator] Fix deprecations from Doctrine Annotations+Cache (derrabus)
* bug #41240 Fixed deprecation warnings about passing null as parameter (derrabus)
* bug #41241 [Finder] Fix gitignore regex build with "**" (mvorisek)
* bug #41224 [HttpClient] fix adding query string to relative URLs with scoped clients (nicolas-grekas)
* bug #41233 [DependencyInjection][ProxyManagerBridge] Don't call class_exists() on null (derrabus)
* bug #41210 [Console] Fix Windows code page support (orkan)

----

**Version 4.4.23** (2021-05-12)

* security **CVE-2021-21424** [Security][Guard] Prevent user enumeration (chalasr)
* bug #41176 [DependencyInjection] fix dumping service-closure-arguments (nicolas-grekas)
* bug #41168 WDT: Only load "Sfjs" if it is not present already (weaverryan)
* bug #41147 [Inflector][String] wrong plural form of words ending by "pectus" (makraz)
* bug #41160 [HttpClient] Don't prepare the request in ScopingHttpClient (nicolas-grekas)
* bug #40763 Fix/Rewrite .gitignore regex builder (mvorisek)
* bug #40917 [Config][DependencyInjection] Uniformize trailing slash handling (dunglas)
* bug #40699 [PropertyInfo] Make ReflectionExtractor correctly extract nullability (shiftby)
* bug #40874 [PropertyInfo] fix attribute namespace with recursive traits (soullivaneuh)
* bug #41099 [Cache] Check if phpredis version is compatible with stream parameter (nicolassing)
* bug #41072 [VarExporter] Add support of PHP enumerations (alexandre-daubois)
* bug #41105 [Inflector][String] Fixed singularize `edges` > `edge` (ruudk)
* bug #41075 [ErrorHandler] Skip "same vendor" ``@method`` deprecations for `Symfony\*` classes unless symfony/symfony is being tested (nicolas-grekas)
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 19 2021 Remi Collet - 4.4.24-1
- update to 4.4.24
* Mon May 17 2021 Remi Collet - 4.4.23-1
- update to 4.4.23
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1960631 - CVE-2021-21424 php-symfony: user enumeration in authentication mechanisms [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1960631
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-2d145b95f6' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-c57937ab9f
2021-05-29 01:04:01.502342
--------------------------------------------------------------------------------
Name        : php-symfony3
Product     : Fedora 34
Version     : 3.4.49
Release     : 1.fc34
URL         : https://symfony.com
Summary     : Symfony PHP framework (version 3)
Description :
Symfony PHP framework (version 3).

NOTE: Does not require PHPUnit bridge.
--------------------------------------------------------------------------------
Update Information:

**Version 3.4.49** (2021-05-19)

* security **CVE-2021-21424** [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr)

----

**Version 3.4.48** (2021-05-12)

* security **CVE-2021-21424** [Security][Guard] Prevent user enumeration (chalasr)
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 19 2021 Remi Collet - 3.4.49-1
- update to 3.4.49
* Mon May 17 2021 Remi Collet - 3.4.48-1
- update to 3.4.48
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1960631 - CVE-2021-21424 php-symfony: user enumeration in authentication mechanisms [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1960631
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-c57937ab9f' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------