ALT-BU-2022-5887-1
Branch p10 update bulletin.
Package perl-Image-ExifTool updated to version 12.42-alt1 for branch p10 in task 305503.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-23935
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection.
- https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429
- https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582
Package perl-App-cpanminus updated to version 1.9019-alt1 for branch p10 in task 305450.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2020-16154
The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.
Package python3-module-django updated to version 3.2.15-alt1 for branch p10 in task 305627.
Closed vulnerabilities
BDU:2022-04199
Vulnerability in the Trunc/Extract functions of the Django web development framework, allowing an attacker to affect the confidentiality, integrity and availability of protected information
Modified: 2024-11-21
CVE-2022-34265
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- FEDORA-2023-8fed428c5e
- FEDORA-2023-a53ab7c969
- https://security.netapp.com/advisory/ntap-20220818-0006/
- DSA-5254
- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Modified: 2024-11-21
CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
- [oss-security] 20220803 Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/g/django-announce/c/8cz--gvaJr4
- FEDORA-2023-8fed428c5e
- FEDORA-2023-a53ab7c969
- https://security.netapp.com/advisory/ntap-20220915-0008/
- DSA-5254
- https://www.djangoproject.com/weblog/2022/aug/03/security-releases/