openSUSE Security Update: Security update for python-django
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:1802-1
Rating:             moderate
References:         #937522 #937523
Cross-References:   CVE-2015-5143 CVE-2015-5144
Affected Products:  openSUSE 13.1
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
python-django was updated to fix two security issues.
These security issues were fixed:

- CVE-2015-5144: Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 used an incorrect regular expression, which allowed remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator (bsc#937523).
- CVE-2015-5143: The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allowed remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys (bsc#937522).
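The regular-expression defect behind CVE-2015-5144 is not spelled out above; the pitfall is that in Python's `re` module a `$` anchor also matches just before a single trailing newline, so a validator written as `^...$` accepts "value\n", while `\Z` matches only at the true end of the string (Django's fix switched its validators to `\Z`). The following is an added illustration, not Django's or openSUSE's code: a constructed slug validator in the weak and corrected forms, plus an audit helper a maintainer can run over their own validator patterns.

```python
import re

# Constructed example: a slug check in the weak form ('$' anchor) and the
# corrected form ('\Z' anchor). The character class mirrors what a slug
# validator typically accepts; it is not Django's exact pattern.
SLUG_RE_WEAK = re.compile(r'^[-a-zA-Z0-9_]+$')
SLUG_RE_FIXED = re.compile(r'^[-a-zA-Z0-9_]+\Z')


def is_valid_slug_weak(value: str) -> bool:
    """Accepts 'abc\\n' because '$' matches before a trailing newline."""
    return SLUG_RE_WEAK.search(value) is not None


def is_valid_slug_fixed(value: str) -> bool:
    """Rejects 'abc\\n' because '\\Z' only matches at the real end of input."""
    return SLUG_RE_FIXED.search(value) is not None


def header_safe(value: str) -> bool:
    """Belt-and-braces check before any validated value reaches a response
    header: no CR or LF anywhere, regardless of what the validator allowed."""
    return '\r' not in value and '\n' not in value


def accepts_trailing_newline(pattern: str, sample: str) -> bool:
    """Audit helper (hypothetical, for reviewing your own validators): True if
    `pattern` accepts a known-good `sample` AND also accepts it with a newline
    appended, i.e. the pattern has the '$' pitfall this advisory describes."""
    rx = re.compile(pattern)
    return rx.search(sample) is not None and rx.search(sample + '\n') is not None


if __name__ == '__main__':
    for v in ['hello-world', 'hello-world\n', 'bad slug']:
        print(repr(v), is_valid_slug_weak(v), is_valid_slug_fixed(v), header_safe(v))
```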
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 13.1:
zypper in -t patch openSUSE-2015-674=1
To bring your system up-to-date, use "zypper patch".
- openSUSE 13.1 (noarch):