Mailinglist Archive: opensuse-updates (61 mails)

openSUSE-SU-2015:1813-1: moderate: Security update for python-Django
openSUSE Security Update: Security update for python-Django
______________________________________________________________________________

Announcement ID: openSUSE-SU-2015:1813-1
Rating: moderate
References: #937522 #937523
Cross-References: CVE-2015-5143 CVE-2015-5144
Affected Products:
openSUSE 13.2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

python-django was updated to fix two security issues.

These security issues were fixed:
- CVE-2015-5144: Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before
1.7.9, and 1.8.x before 1.8.3 used an incorrect regular expression,
which allowed remote attackers to inject arbitrary headers and conduct
HTTP response splitting attacks via a newline character in an (1) email
message to the EmailValidator, a (2) URL to the URLValidator, or
unspecified vectors to the (3) validate_ipv4_address or (4)
validate_slug validator (bsc#937523).
- CVE-2015-5143: The session backends in Django before 1.4.21, 1.5.x
through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allowed remote
attackers to cause a denial of service (session store consumption) via
multiple requests with unique session keys (bsc#937522).
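Added illustration (not part of this advisory and not Django's own source) of the anchoring flaw class behind CVE-2015-5144: in Python regexes `$` also matches just before a trailing newline, so a `$`-anchored validator accepts `value\n`, while `\Z` matches only at the true end of the string. The `SLUG_VULNERABLE`/`SLUG_FIXED` patterns, `is_valid_slug` and `header_value_is_safe` are constructed names for this example.

```python
import re

# Constructed, simplified stand-in for a "$"-anchored slug validator,
# the pattern class the advisory describes (not Django's exact regex).
SLUG_VULNERABLE = re.compile(r'^[-a-zA-Z0-9_]+$')

# Hardened form: \Z matches only at the very end of the string, so a
# trailing newline can no longer slip past the anchor.
SLUG_FIXED = re.compile(r'^[-a-zA-Z0-9_]+\Z')


def is_valid_slug(value, pattern=SLUG_FIXED):
    """Return True if the whole value is accepted by the given pattern."""
    return pattern.search(value) is not None


def header_value_is_safe(value):
    """Defence in depth, independent of the validator regex: any value that
    will end up in an HTTP header must contain no CR or LF at all."""
    return '\r' not in value and '\n' not in value


def demo():
    """Run constructed sample inputs through both patterns and the CR/LF check.

    Returns {name: (vulnerable_accepts, fixed_accepts, header_safe)}."""
    samples = {
        'clean': 'my-slug_1',
        'trailing_newline': 'my-slug_1\n',          # passes "$", fails "\Z"
        'crlf_injection': 'my-slug_1\r\nX-Injected: 1',
    }
    results = {}
    for name, value in samples.items():
        results[name] = (
            is_valid_slug(value, SLUG_VULNERABLE),
            is_valid_slug(value, SLUG_FIXED),
            header_value_is_safe(value),
        )
    return results


if __name__ == '__main__':
    for name, (vuln, fixed, safe) in demo().items():
        print(f'{name:18} $-anchored={vuln!s:5} \\Z-anchored={fixed!s:5} header-safe={safe}')
```

The `trailing_newline` case is the one that matters: the `$` pattern reports it valid, the `\Z` pattern rejects it, and the CR/LF check catches it regardless of which regex is in use.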


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2015-677=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.2 (noarch):

python-Django-1.6.11-3.10.1


References:

https://www.suse.com/security/cve/CVE-2015-5143.html
https://www.suse.com/security/cve/CVE-2015-5144.html
https://bugzilla.suse.com/937522
https://bugzilla.suse.com/937523

