Mageia alert MGASA-2025-0243 (python-django)

From:
             
 
Mageia Updates <updates-announce@ml.mageia.org>
To:
             
 
updates-announce@ml.mageia.org
Subject:
             
 
[updates-announce] MGASA-2025-0243: Updated python-django packages fix a security vulnerability
Date:
             
 
Wed, 22 Oct 2025 22:08:14 +0200
Message-ID:
             
 
<20251022200814.454639FDD3@duvel.mageia.org>
Archive-link:
             
 
Article
MGASA-2025-0243 - Updated python-django packages fix a security vulnerability

Publication date: 22 Oct 2025
URL: https://advisories.mageia.org/MGASA-2025-0243.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-59681,
     CVE-2025-59682

Description:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13,
and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection
in column aliases, when using a suitably crafted dictionary, with
dictionary expansion, as the **kwargs passed to these methods (on MySQL
and MariaDB). (CVE-2025-59681)
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13,
and 5.2 before 5.2.7. The django.utils.archive.extract() function, used
by the "startapp --template" and "startproject --template" commands,
allows partial directory traversal via an archive with file paths
sharing a common prefix with the target directory. (CVE-2025-59682)

References:
- https://bugs.mageia.org/show_bug.cgi?id=34645
- https://www.openwall.com/lists/oss-security/2025/10/01/3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5...

SRPMS:
- 9/core/python-django-4.1.13-1.7.mga9