ALT Linux Team

Branch sisyphus update on 2022-08-23

2022-08-23

ALT-BU-2022-5815-1

Branch sisyphus update bulletin.

ALT-PU-2022-2476-1

Package python3-module-django updated to version 3.2.15-alt1 for branch sisyphus in task 305624.

Closed vulnerabilities

Published: 2022-04-07

BDU:2022-04199

Уязвимость функции Trunc/Extract фреймворка для веб-разработки Django, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Severity: MEDIUM (6.3) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2022-07-04
Modified: 2024-11-21

CVE-2022-34265

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2022-08-03
Modified: 2024-11-21

CVE-2022-36359

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top