linux/meta-openembedded.git/meta-python/recipes-devtools/python/python3-django_2.2.28.bb, branch kirkstone-next

python3-django: Fix CVE-2024-53907

2025-01-23T00:23:09+00:00

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-53907 Upstream-patch: https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2024-45231

2025-01-23T00:23:05+00:00

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45231 Upstream-patch: https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199 Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2024-45230

2025-01-23T00:23:02+00:00

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45230 Upstream-patch: https://github.com/django/django/commit/d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2 Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2024-41991

2025-01-23T00:22:59+00:00

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41991 Upstream-patch: https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2024-41990

2025-01-23T00:22:56+00:00

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41990 Upstream-patch: https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88 Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2024-41989

2025-01-23T00:20:15+00:00

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41989 Upstream-patches: https://github.com/django/django/commit/08c5a787262c1ae57f6517d4574b54a5fcaad124 https://github.com/django/django/commit/4b066bde692078b194709d517b27e55defae787c https://github.com/django/django/commit/dcd974698301a38081c141ccba6dcafa5ed2c80e https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2024-39614

2025-01-23T00:20:12+00:00

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-39614 Upstream-patch: https://github.com/django/django/commit/17358fb35fb7217423d4c4877ccb6d1a3a40b1c3 Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2023-23969

2025-01-23T00:20:09+00:00

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. References: https://nvd.nist.gov/vuln/detail/CVE-2023-23969 Upstream-patch: https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2024-38875

2025-01-23T00:20:02+00:00

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. References: https://nvd.nist.gov/vuln/detail/CVE-2024-38875 https://github.com/advisories/GHSA-qg2p-9jwr-mmqf Upstream-patch: https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5 Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster

python3-django: Fix CVE-2024-42005

2024-08-25T22:12:26+00:00

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. References: https://nvd.nist.gov/vuln/detail/CVE-2024-42005 Upstream-patch: https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28 Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster