Security update for python-Django SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:0102-1 Final 1 1 2022-01-18T08:36:07Z current 2022-01-18T08:36:07Z 2022-01-18T08:36:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Django This update for python-Django fixes the following issues: - CVE-2021-45115: Fixed denial-of-service possibility in UserAttributeSimilarityValidator (bsc#1194115). - CVE-2021-45116: Fixed potential information disclosure in dictsort template filter (bsc#1194117). - CVE-2021-45452: Fixed potential directory-traversal via Storage.save() (bsc#1194116). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). HPE-Helion-OpenStack-8-2022-102,SUSE-2022-102,SUSE-OpenStack-Cloud-8-2022-102,SUSE-OpenStack-Cloud-Crowbar-8-2022-102 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20220102-1/ Link for SUSE-SU-2022:0102-1 https://lists.suse.com/pipermail/sle-security-updates/2022-January/010010.html E-Mail link for SUSE-SU-2022:0102-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1194115 SUSE Bug 1194115 https://bugzilla.suse.com/1194116 SUSE Bug 1194116 https://bugzilla.suse.com/1194117 SUSE Bug 1194117 https://www.suse.com/security/cve/CVE-2021-45115/ SUSE CVE CVE-2021-45115 page https://www.suse.com/security/cve/CVE-2021-45116/ SUSE CVE CVE-2021-45116 page https://www.suse.com/security/cve/CVE-2021-45452/ SUSE CVE CVE-2021-45452 page HPE Helion OpenStack 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8 python-Django-1.11.29-3.33.1 python3-Django-1.11.29-3.33.1 python-Django-1.11.29-3.33.1 as a component of HPE Helion OpenStack 8 python-Django-1.11.29-3.33.1 as a component of SUSE OpenStack Cloud 8 python-Django-1.11.29-3.33.1 as a component of SUSE OpenStack Cloud Crowbar 8 An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. CVE-2021-45115 HPE Helion OpenStack 8:python-Django-1.11.29-3.33.1 SUSE OpenStack Cloud 8:python-Django-1.11.29-3.33.1 SUSE OpenStack Cloud Crowbar 8:python-Django-1.11.29-3.33.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20220102-1/ https://www.suse.com/security/cve/CVE-2021-45115.html CVE-2021-45115 https://bugzilla.suse.com/1194115 SUSE Bug 1194115 https://bugzilla.suse.com/1194117 SUSE Bug 1194117 An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. CVE-2021-45116 HPE Helion OpenStack 8:python-Django-1.11.29-3.33.1 SUSE OpenStack Cloud 8:python-Django-1.11.29-3.33.1 SUSE OpenStack Cloud Crowbar 8:python-Django-1.11.29-3.33.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20220102-1/ https://www.suse.com/security/cve/CVE-2021-45116.html CVE-2021-45116 https://bugzilla.suse.com/1194117 SUSE Bug 1194117 Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. CVE-2021-45452 HPE Helion OpenStack 8:python-Django-1.11.29-3.33.1 SUSE OpenStack Cloud 8:python-Django-1.11.29-3.33.1 SUSE OpenStack Cloud Crowbar 8:python-Django-1.11.29-3.33.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20220102-1/ https://www.suse.com/security/cve/CVE-2021-45452.html CVE-2021-45452 https://bugzilla.suse.com/1194116 SUSE Bug 1194116