ALT Linux Team

Package python3-module-django update in sisyphus on 2025-10-16

ALT-PU-2025-13042-2

Package python3-module-django updated to version 5.2.7-alt1 for branch sisyphus in task 397168.

Closed vulnerabilities

Published: 2025-10-01

BDU:2025-12461

Уязвимость методов QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() программной платформы для веб-приложений Django, позволяющая нарушителю оказать влияние на конфиденциальность и целостность защищаемой информации

Severity: HIGH (7.1) Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Severity: MEDIUM (5.6) Vector: AV:N/AC:H/Au:S/C:C/I:P/A:N
References:
Published: 2025-10-01

BDU:2025-12661

Уязвимость функции django.utils.archive.extract() программной платформы для веб-приложений Django, позволяющая нарушителю обойти ограничения безопасности

Severity: LOW (3.1) Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity: LOW (2.1) Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N
References:
Published: 2025-10-01
Modified: 2025-10-07

CVE-2025-59681

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2025-10-01
Modified: 2025-10-02

CVE-2025-59682

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Severity: LOW (3.1) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top