Security update for python-Django
Announcement ID: | SUSE-SU-2015:1112-1 |
---|---|
Rating: | moderate |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves five vulnerabilities can now be installed.
Description:
python-django was updated to 1.6.11 to fix security issues and non-security bugs.
The following vulnerabilities were fixed:
- Made is_safe_url() reject URLs that start with control characters to mitigate possible XSS attack via user-supplied redirect URLs (bnc#923176, CVE-2015-2317)
- Fixed an infinite loop possibility in strip_tags() (bnc#923172, CVE-2015-2316)
- WSGI header spoofing via underscore/dash conflation (bnc#913053, CVE-2015-0219)
- Mitigated possible XSS attack via user-supplied redirect URLs
- Denial-of-service attack against
django.views.static.serve
(bnc#913056, CVE-2015-0221) - Database denial-of-service with
ModelMultipleChoiceField
(bnc#913055, CVE-2015-0222)
The update also contains fixes for non-security bugs, functional and stability issues.
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Enterprise Storage 1.0 1
zypper in -t patch SUSE-Storage-1.0-2015-271=1
Package List:
-
SUSE Enterprise Storage 1.0 1 (noarch)
- python-Django-1.6.11-4.1
References:
- https://www.suse.com/security/cve/CVE-2015-0219.html
- https://www.suse.com/security/cve/CVE-2015-0221.html
- https://www.suse.com/security/cve/CVE-2015-0222.html
- https://www.suse.com/security/cve/CVE-2015-2316.html
- https://www.suse.com/security/cve/CVE-2015-2317.html
- https://bugzilla.suse.com/show_bug.cgi?id=913053
- https://bugzilla.suse.com/show_bug.cgi?id=913055
- https://bugzilla.suse.com/show_bug.cgi?id=913056
- https://bugzilla.suse.com/show_bug.cgi?id=923172
- https://bugzilla.suse.com/show_bug.cgi?id=923176