openSUSE Security Update: Security update for python-django
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:1802-1
Rating:             moderate
References:         #937522 #937523
Cross-References:   CVE-2015-5143 CVE-2015-5144
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   python-django was updated to fix two security issues.

   These security issues were fixed:

   - CVE-2015-5144: Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before
     1.7.9, and 1.8.x before 1.8.3 used regular expressions anchored with
     "$" instead of "\Z" in several validators. In Python's re module "$"
     also matches just before a trailing newline, so a value ending in "\n"
     passed validation. This allowed remote attackers to inject arbitrary
     headers and conduct HTTP response splitting attacks via a newline
     character in an (1) email message to the EmailValidator, a (2) URL to
     the URLValidator, or unspecified vectors to the (3)
     validate_ipv4_address or (4) validate_slug validator (bsc#937523).

   - CVE-2015-5143: The session backends in Django before 1.4.21, 1.5.x
     through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 created a new
     session record whenever request.session was accessed with a session key
     that did not exist in the store, even if the session was never modified.
     This allowed remote attackers to cause a denial of service (session
     store consumption, including eviction of other users' sessions) via
     multiple requests with unique session keys (bsc#937522). The fixed
     backends only create a record when the session is actually modified.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-674=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (noarch):

      python-django-1.5.12-0.2.14.1

References:

   https://www.suse.com/security/cve/CVE-2015-5143.html
   https://www.suse.com/security/cve/CVE-2015-5144.html
   https://bugzilla.suse.com/937522
   https://bugzilla.suse.com/937523
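The following is an added example illustrating the CVE-2015-5144 regex defect; it is not Django's code and not part of the advisory. The slug pattern, the ValidationError stand-in and the Location header builder are simplified assumptions made here; the point they show is the difference between a "$" anchor and a "\Z" anchor when a validated value is later written into an HTTP header.

```python
import re

# Simplified slug validator patterns (assumption: Django's real patterns are
# longer, but the security-relevant difference is only the trailing anchor).
# In Python's re module, '$' matches at end of string OR just before a final
# '\n'; '\Z' matches only at the true end of the string.
VULNERABLE_SLUG_RE = re.compile(r'^[-a-zA-Z0-9_]+$')   # pre-fix style anchor
FIXED_SLUG_RE = re.compile(r'^[-a-zA-Z0-9_]+\Z')       # post-fix style anchor


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError (assumption)."""


def validate_slug(value, pattern=FIXED_SLUG_RE):
    """Regex-based validator in the style of Django's: accept on match, raise otherwise."""
    if pattern.search(value) is None:
        raise ValidationError("Enter a valid slug.")
    return value


def accepts(value, pattern):
    """True if the validator built on `pattern` lets `value` through."""
    try:
        validate_slug(value, pattern)
    except ValidationError:
        return False
    return True


def build_location_header(slug, pattern=FIXED_SLUG_RE):
    """Validate a user-supplied slug, then embed it in a raw HTTP header line.

    Returns the header text, or None if validation rejected the value. A
    trailing newline that survives validation terminates the header line
    early, which is the response-splitting primitive the advisory describes.
    """
    if not accepts(slug, pattern):
        return None
    return "Location: /posts/%s/\r\n" % slug   # constructed header, for illustration


def header_is_split(header):
    """True if a line break occurs inside the header value, before the legitimate CRLF."""
    value = header[len("Location: "):-2]   # strip the field name and the terminating CRLF
    return "\n" in value or "\r" in value


# Constructed attacker input: a valid-looking slug with a trailing newline.
PAYLOAD = "hello\n"

if __name__ == "__main__":
    vuln = build_location_header(PAYLOAD, VULNERABLE_SLUG_RE)
    fixed = build_location_header(PAYLOAD, FIXED_SLUG_RE)
    print("vulnerable anchor:", repr(vuln), "split:", header_is_split(vuln))
    print("fixed anchor     :", repr(fixed))
```

Two caveats worth knowing when auditing your own validators: "$" tolerates exactly one trailing newline, so "hello\n\n" is rejected even by the vulnerable pattern, and the fix is any anchor that cannot match before a newline, so re.fullmatch() (Python 3.4 and later) is an alternative to "\Z" when you control the call site rather than the pattern.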
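The following is an added example modelling the CVE-2015-5143 behaviour change; it is not Django's session code and not part of the advisory. Both store classes, the dict backend, the request handler and the attacker key names are assumptions constructed here to show the difference between a backend that writes a record on first access of an unknown key and one that writes only when the session is modified, under a key the server chose.

```python
import secrets


class VulnerableSessionStore:
    """Pre-fix behaviour: any unknown key presented by the client becomes a stored record."""

    def __init__(self):
        self.records = {}   # session_key -> session data (constructed in-memory backend)

    def load(self, session_key):
        # Mere access creates an empty record under the client-supplied key.
        return self.records.setdefault(session_key, {})

    def save(self, session_key, data):
        self.records[session_key] = dict(data)
        return session_key


class FixedSessionStore:
    """Post-fix behaviour: load never writes; save under an unknown key issues a fresh key."""

    def __init__(self):
        self.records = {}

    def load(self, session_key):
        # Unknown key: hand back empty data, but write nothing to the store.
        return dict(self.records.get(session_key, {}))

    def save(self, session_key, data):
        if session_key not in self.records:
            # Never persist under a key the client invented; choose our own.
            session_key = secrets.token_hex(16)
        self.records[session_key] = dict(data)
        return session_key


def handle_request(store, cookie_key, modify=False):
    """Simulate a view touching request.session; returns the key to send in Set-Cookie."""
    data = store.load(cookie_key)
    if modify:
        data["lang"] = "en"          # constructed session write
        return store.save(cookie_key, data)
    return cookie_key                # session accessed but not modified


def flood(store, count):
    """Attacker sends `count` requests, each with a unique, never-issued session key.

    Returns the number of records the store holds afterwards.
    """
    for i in range(count):
        handle_request(store, "attacker-%d" % i)
    return len(store.records)


if __name__ == "__main__":
    print("vulnerable store after 1000 unknown-key requests:", flood(VulnerableSessionStore(), 1000))
    print("fixed store after 1000 unknown-key requests:     ", flood(FixedSessionStore(), 1000))
```

The fixed store still creates one record per request for a view that writes to the session, so the fix closes the zero-cost path (any view that merely reads request.session) rather than making the session store unbounded-proof; a quick check for your own deployment is to watch the session table or cache key count while replaying requests with random session cookies against a read-only page.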