Mageia alert MGASA-2022-0011 (python-django)

From:
             
 
Mageia Updates <buildsystem-daemon@mageia.org>
To:
             
 
updates-announce@ml.mageia.org
Subject:
             
 
[updates-announce] MGASA-2022-0011: Updated python-django packages fix security vulnerability
Date:
             
 
Tue, 11 Jan 2022 08:13:39 +0100
Message-ID:
             
 
<20220111071339.92818A105F@duvel.mageia.org>
Archive-link:
             
 
Article
MGASA-2022-0011 - Updated python-django packages fix security vulnerability

Publication date: 11 Jan 2022
URL: https://advisories.mageia.org/MGASA-2022-0011.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-45115,
     CVE-2021-45116,
     CVE-2021-45452

Description:
UserAttributeSimilarityValidator incurred significant overhead evaluating
submitted password that were artificially large in relative to the
comparison values. On the assumption that access to user registration was
unrestricted this provided a potential vector for a denial-of-service
attack. (CVE-2021-45115)
Due to leveraging the Django Template Language's variable resolution
logic, the dictsort template filter was potentially vulnerable to
information disclosure or unintended method calls, if passed a suitably
crafted key. (CVE-2021-45116)
Storage.save() allowed directory-traversal if directly passed suitably
crafted file names. (CVE-2021-45452)

References:
- https://bugs.mageia.org/show_bug.cgi?id=29843
- https://www.djangoproject.com/weblog/2022/jan/04/security...
- https://ubuntu.com/security/notices/USN-5204-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4...

SRPMS:
- 8/core/python-django-3.1.14-1.1.mga8