2020-04-13
ALT-BU-2020-3758-2
Branch sisyphus update bulletin.
Package python3-module-django2.2 updated to version 2.2.12-alt1 for branch sisyphus in task 249815.
Closed vulnerabilities
Published: 2020-04-14
Modified: 2021-02-10
Modified: 2021-02-10
BDU:2020-01459
Уязвимость фреймворка для веб-приложений Django, связанная с ошибкой в работе механизма восстановления паролей, позволяющая нарушителю оказать воздействие на целостность данных
Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
References:
Published: 2020-12-18
Modified: 2023-11-13
Modified: 2023-11-13
BDU:2020-05726
Уязвимость библиотеки Django для языка программирования Python, позволяющая нарушителю выполнить произвольный код
Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.0)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2021-07-20
Modified: 2021-11-26
Modified: 2021-11-26
BDU:2021-03743
Уязвимость компонента contrib.postgres.aggregates.StringAgg программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры SQL-запроса, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
References:
Published: 2019-12-02
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-19118
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
- http://www.openwall.com/lists/oss-security/2019/12/02/1
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20191217-0003/
- https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
- http://www.openwall.com/lists/oss-security/2019/12/02/1
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20191217-0003/
- https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
Published: 2019-12-18
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-19844
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/
- https://seclists.org/bugtraq/2020/Jan/9
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200110-0003/
- https://usn.ubuntu.com/4224-1/
- https://www.debian.org/security/2020/dsa-4598
- https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
- http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/
- https://seclists.org/bugtraq/2020/Jan/9
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200110-0003/
- https://usn.ubuntu.com/4224-1/
- https://www.debian.org/security/2020/dsa-4598
- https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
Published: 2020-02-03
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-7471
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://www.openwall.com/lists/oss-security/2020/02/03/1
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136
- https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://seclists.org/bugtraq/2020/Feb/30
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200221-0006/
- https://usn.ubuntu.com/4264-1/
- https://www.debian.org/security/2020/dsa-4629
- https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
- https://www.openwall.com/lists/oss-security/2020/02/03/1
- http://www.openwall.com/lists/oss-security/2020/02/03/1
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136
- https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://seclists.org/bugtraq/2020/Feb/30
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200221-0006/
- https://usn.ubuntu.com/4264-1/
- https://www.debian.org/security/2020/dsa-4629
- https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
- https://www.openwall.com/lists/oss-security/2020/02/03/1
Published: 2020-03-05
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-9402
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Severity: MEDIUM (6.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY
- https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200327-0004/
- https://usn.ubuntu.com/4296-1/
- https://www.debian.org/security/2020/dsa-4705
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY
- https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200327-0004/
- https://usn.ubuntu.com/4296-1/
- https://www.debian.org/security/2020/dsa-4705
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
Published: 2020-06-05
Modified: 2024-09-20
Modified: 2024-09-20
GHSA-3gh2-xw74-jmcw
SQL injection in Django
Severity: HIGH (8.7)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (8.7)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-9402
- https://github.com/django/django/commit/6695d29b1c1ce979725816295a26ecc64ae0e927
- https://docs.djangoproject.com/en/3.0/releases/security
- https://github.com/advisories/GHSA-3gh2-xw74-jmcw
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-36.yaml
- https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY
- https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200327-0004
- https://usn.ubuntu.com/4296-1
- https://www.debian.org/security/2020/dsa-4705
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases
Published: 2020-02-12
Modified: 2024-09-20
Modified: 2024-09-20
GHSA-hmr4-m2h5-33qx
SQL injection in Django
Severity: CRITICAL (9.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.3)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7471
- https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd
- https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b
- https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147
- https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136
- https://www.openwall.com/lists/oss-security/2020/02/03/1
- https://www.djangoproject.com/weblog/2020/feb/03/security-releases
- https://www.debian.org/security/2020/dsa-4629
- https://usn.ubuntu.com/4264-1
- https://security.netapp.com/advisory/ntap-20200221-0006
- https://security.gentoo.org/glsa/202004-17
- https://seclists.org/bugtraq/2020/Feb/30
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ
- https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-35.yaml
- https://github.com/django/django
- https://github.com/advisories/GHSA-hmr4-m2h5-33qx
- https://docs.djangoproject.com/en/3.0/releases/security
- http://www.openwall.com/lists/oss-security/2020/02/03/1
Published: 2019-12-05
Modified: 2024-11-18
Modified: 2024-11-18
GHSA-hvmf-r92r-27hr
Django allows unintended model editing
Severity: HIGH (7.1)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH (7.1)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-19118
- https://github.com/django/django/commit/103ebe2b5ff1b2614b85a52c239f471904d26244
- https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21
- https://docs.djangoproject.com/en/dev/releases/security
- https://github.com/advisories/GHSA-hvmf-r92r-27hr
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-15.yaml
- https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20191217-0003
- https://www.djangoproject.com/weblog/2019/dec/02/security-releases
- http://www.openwall.com/lists/oss-security/2019/12/02/1
Published: 2020-01-17
Modified: 2024-09-20
Modified: 2024-09-20
GHSA-vfq6-hq5r-27r6
Django Potential account hijack via password reset form
Severity: CRITICAL (9.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.3)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-19844
- https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26
- https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e
- https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70
- https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2
- https://www.djangoproject.com/weblog/2019/dec/18/security-releases
- https://www.debian.org/security/2020/dsa-4598
- https://usn.ubuntu.com/4224-1
- https://security.netapp.com/advisory/ntap-20200110-0003
- https://security.gentoo.org/glsa/202004-17
- https://seclists.org/bugtraq/2020/Jan/9
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD
- https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-16.yaml
- https://github.com/django/django
- https://github.com/advisories/GHSA-vfq6-hq5r-27r6
- https://docs.djangoproject.com/en/dev/releases/security
- http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
Package python-module-psutil updated to version 5.7.0-alt1 for branch sisyphus in task 249818.
Closed vulnerabilities
Published: 2023-07-20
Modified: 2024-09-16
Modified: 2024-09-16
BDU:2023-03812
Уязвимость библиотеки Python для отслеживания ресурсов компьютера Psutil, связанная с повторным освобождением памяти, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
References:
Published: 2019-11-12
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-18874
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- https://github.com/giampaolo/psutil/pull/1616
- https://lists.debian.org/debian-lts-announce/2019/11/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2P7QI7MOTZTFXQYU23CP3RAWXCERMOAS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLETTJYZL2SMBUI4Q2NGBMGPDPP54SRG/
- https://usn.ubuntu.com/4204-1/
- https://github.com/giampaolo/psutil/pull/1616
- https://lists.debian.org/debian-lts-announce/2019/11/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2P7QI7MOTZTFXQYU23CP3RAWXCERMOAS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLETTJYZL2SMBUI4Q2NGBMGPDPP54SRG/
- https://usn.ubuntu.com/4204-1/
Published: 2020-03-12
Modified: 2024-10-22
Modified: 2024-10-22
GHSA-qfc5-mcwq-26q8
Double Free in psutil
Severity: HIGH (8.7)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH (8.7)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-18874
- https://github.com/giampaolo/psutil/pull/1616
- https://github.com/giampaolo/psutil/commit/7d512c8e4442a896d56505be3e78f1156f443465
- https://github.com/advisories/GHSA-qfc5-mcwq-26q8
- https://github.com/giampaolo/psutil
- https://github.com/giampaolo/psutil/blob/master/HISTORY.rst#566
- https://github.com/pypa/advisory-database/tree/main/vulns/psutil/PYSEC-2019-41.yaml
- https://lists.debian.org/debian-lts-announce/2019/11/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P7QI7MOTZTFXQYU23CP3RAWXCERMOAS
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLETTJYZL2SMBUI4Q2NGBMGPDPP54SRG
- https://usn.ubuntu.com/4204-1
Closed bugs
Обновить компонент. CVE-2019-18874