Security update for python-Django SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2023:0178-1 Final 1 1 2023-07-13T16:02:11Z current 2023-07-13T16:02:11Z 2023-07-13T16:02:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Django This update for python-Django fixes the following issues: - CVE-2023-36053: Fixed potential regular expression denial of service vulnerability in EmailValidator/URLValidator (boo#1212742) - CVE-2023-24580: Fixed potential denial-of-service vulnerability in file uploads (boo#1208082) - CVE-2023-23969: Fixed potential denial-of-service via Accept-Language headers (boo#1207565) - CVE-2022-41323: Fixed potential denial-of-service vulnerability in internationalized URLs (boo#1203793) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2023-178 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XIBAQZUQ2RHKRUEWEHTVUYM66J3IOWLL/ E-Mail link for openSUSE-SU-2023:0178-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203793 SUSE Bug 1203793 https://bugzilla.suse.com/1207565 SUSE Bug 1207565 https://bugzilla.suse.com/1208082 SUSE Bug 1208082 https://bugzilla.suse.com/1212742 SUSE Bug 1212742 https://www.suse.com/security/cve/CVE-2022-41323/ SUSE CVE CVE-2022-41323 page https://www.suse.com/security/cve/CVE-2023-23969/ SUSE CVE CVE-2023-23969 page https://www.suse.com/security/cve/CVE-2023-24580/ SUSE CVE CVE-2023-24580 page https://www.suse.com/security/cve/CVE-2023-36053/ SUSE CVE CVE-2023-36053 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. CVE-2022-41323 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XIBAQZUQ2RHKRUEWEHTVUYM66J3IOWLL/ https://www.suse.com/security/cve/CVE-2022-41323.html CVE-2022-41323 https://bugzilla.suse.com/1203793 SUSE Bug 1203793 In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. CVE-2023-23969 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XIBAQZUQ2RHKRUEWEHTVUYM66J3IOWLL/ https://www.suse.com/security/cve/CVE-2023-23969.html CVE-2023-23969 https://bugzilla.suse.com/1207565 SUSE Bug 1207565 An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack. CVE-2023-24580 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XIBAQZUQ2RHKRUEWEHTVUYM66J3IOWLL/ https://www.suse.com/security/cve/CVE-2023-24580.html CVE-2023-24580 https://bugzilla.suse.com/1208082 SUSE Bug 1208082 In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. CVE-2023-36053 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XIBAQZUQ2RHKRUEWEHTVUYM66J3IOWLL/ https://www.suse.com/security/cve/CVE-2023-36053.html CVE-2023-36053 https://bugzilla.suse.com/1212742 SUSE Bug 1212742