ALT Linux Team

Branch sisyphus_riscv64 update on 2024-12-22

2024-12-22

ALT-BU-2024-17446-1

Branch sisyphus_riscv64 update bulletin.

ALT-PU-2024-17444-1

Package python3-module-django updated to version 5.0.10-alt1 for branch sisyphus_riscv64.

Closed vulnerabilities

Published: 2024-12-09
Modified: 2025-01-30

BDU:2024-10874

Уязвимость класса django.db.models.fields.json.HasKey программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольный SQL-код

Severity: CRITICAL (9.1)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity: CRITICAL (9.4)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
References:
Published: 2024-12-06
Modified: 2025-06-24

CVE-2024-53907

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2024-12-06
Modified: 2025-06-09

CVE-2024-53908

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top