Updated python-django packages fix security vulnerability
Publication date: 16 May 2023Modification date: 16 May 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-24580 , CVE-2023-31047
Description
Passing certain inputs (e.g., an excessive number of parts) to multipart
forms could result in too many open files or memory exhaustion, and
provided a potential vector for a denial-of-service attack.
(CVE-2023-24580)
Bypass of validation when using one form field to upload multiple files.
This multiple upload has never been supported by forms.FileField or
forms.ImageField (only the last uploaded file was validated). However,
Django's "Uploading multiple files" documentation suggested otherwise.
(CVE-2023-31047)
References
- https://bugs.mageia.org/show_bug.cgi?id=31548
- https://www.djangoproject.com/weblog/2023/feb/14/security-releases/
- https://ubuntu.com/security/notices/USN-5868-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/
- https://www.djangoproject.com/weblog/2023/may/03/security-releases/
- https://ubuntu.com/security/notices/USN-6054-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24580
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31047
SRPMS
8/core
- python-django-3.2.18-1.mga8