Upstream has issued an advisory today (February 14):
https://www.djangoproject.com/weblog/2023/feb/14/security-releases/

The issue is fixed upstream in 3.2.18 and 4.1.7.

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 3.2.18 and 4.1.7
Whiteboard: (none) => MGA8TOO
Ubuntu has issued an advisory for this today (February 14): https://ubuntu.com/security/notices/USN-5868-1
Assigning to the Python stack group; otherwise would be globally.
Assignee: bugsquad => python
Fedora has issued an advisory for this on March 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77/
Upstream has issued an advisory on May 3:
https://www.djangoproject.com/weblog/2023/may/03/security-releases/

The issue is fixed upstream in 3.2.19 and 4.1.9.

Mageia 8 is also affected.
Status comment: Fixed upstream in 3.2.18 and 4.1.7 => Fixed upstream in 3.2.19 and 4.1.9
Summary: python-django new security issue CVE-2023-24580 => python-django new security issues CVE-2023-24580 and CVE-2023-31047
python3-django-4.1.9-1.mga9.noarch.rpm is built in cauldron updates/testing. It needs to be checked for installation.
CC: (none) => yves.brungard_mageia
Installation in cauldron is OK. Built: python3-django-3.2.18-1.mga8.noarch.rpm from source: python-django-3.2.18-1.mga8.src.rpm
Version: Cauldron => 8
Status comment: Fixed upstream in 3.2.19 and 4.1.9 => (none)
Assignee: python => qa-bugs
Whiteboard: MGA8TOO => (none)
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed procedure from bug 30940 (bug 29737):

$ django-admin startproject mysite
/usr/bin/django-admin:17: RemovedInDjango40Warning: django-admin.py is deprecated in favor of django-admin.
  warnings.warn(
$ ls mysite
manage.py*  mysite/
$ cd mysite/
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
$ ls
db.sqlite3  manage.py*  mysite/
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
May 06, 2023 - 09:05:30
Django version 3.2.18, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Point the browser at http://localhost:8000/ and get "The install worked successfully! Congratulations!"

Then on another tab in Konsole:

$ python manage.py startapp polls
$ ls polls
admin.py  apps.py  __init__.py  migrations/  models.py  tests.py  views.py

All OK as in referred previous updates.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
(In reply to David Walser from comment #4)
> Upstream has issued an advisory on May 3:
> https://www.djangoproject.com/weblog/2023/may/03/security-releases/
>
> The issue is fixed upstream in 3.2.19 and 4.1.9.
>
> Mageia 8 is also affected.

Ubuntu has issued an advisory for this on May 3:
https://ubuntu.com/security/notices/USN-6054-1
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0165.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => sechanyang3210
CC: sechanyang3210 => (none)
CC: (none) => fcmzailton
CC: fcmzailton => (none)
CC: (none) => rickbennett815
CC: rickbennett815 => marja11