python310-Django-5.0.7-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14203-1 Final 1 1 2024-07-18T00:00:00Z current 2024-07-18T00:00:00Z 2024-07-18T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python310-Django-5.0.7-2.1 on GA media These are all security issues fixed in the python310-Django-5.0.7-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14203 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-38875/ SUSE CVE CVE-2024-38875 page https://www.suse.com/security/cve/CVE-2024-39329/ SUSE CVE CVE-2024-39329 page https://www.suse.com/security/cve/CVE-2024-39330/ SUSE CVE CVE-2024-39330 page https://www.suse.com/security/cve/CVE-2024-39614/ SUSE CVE CVE-2024-39614 page openSUSE Tumbleweed python310-Django-5.0.7-2.1 python311-Django-5.0.7-2.1 python312-Django-5.0.7-2.1 python310-Django-5.0.7-2.1 as a component of openSUSE Tumbleweed python311-Django-5.0.7-2.1 as a component of openSUSE Tumbleweed python312-Django-5.0.7-2.1 as a component of openSUSE Tumbleweed An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. CVE-2024-38875 openSUSE Tumbleweed:python310-Django-5.0.7-2.1 openSUSE Tumbleweed:python311-Django-5.0.7-2.1 openSUSE Tumbleweed:python312-Django-5.0.7-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-38875.html CVE-2024-38875 https://bugzilla.suse.com/1227590 SUSE Bug 1227590 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. CVE-2024-39329 openSUSE Tumbleweed:python310-Django-5.0.7-2.1 openSUSE Tumbleweed:python311-Django-5.0.7-2.1 openSUSE Tumbleweed:python312-Django-5.0.7-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-39329.html CVE-2024-39329 https://bugzilla.suse.com/1227590 SUSE Bug 1227590 https://bugzilla.suse.com/1227593 SUSE Bug 1227593 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) CVE-2024-39330 openSUSE Tumbleweed:python310-Django-5.0.7-2.1 openSUSE Tumbleweed:python311-Django-5.0.7-2.1 openSUSE Tumbleweed:python312-Django-5.0.7-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-39330.html CVE-2024-39330 https://bugzilla.suse.com/1227590 SUSE Bug 1227590 https://bugzilla.suse.com/1227594 SUSE Bug 1227594 An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. CVE-2024-39614 openSUSE Tumbleweed:python310-Django-5.0.7-2.1 openSUSE Tumbleweed:python311-Django-5.0.7-2.1 openSUSE Tumbleweed:python312-Django-5.0.7-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-39614.html CVE-2024-39614 https://bugzilla.suse.com/1227590 SUSE Bug 1227590 https://bugzilla.suse.com/1227595 SUSE Bug 1227595