Upstream has issued an advisory on July 3: https://www.djangoproject.com/weblog/2023/jul/03/security-releases/ The issue is fixed upstream in 3.2.20 and 4.1.10. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 3.2.20 and 4.1.10
Whiteboard: (none) => MGA8TOO
Ubuntu has issued an advisory for this today (July 5): https://ubuntu.com/security/notices/USN-6203-1
Different packagers update this, so assigning globally. CC'ing Stig & Yves who are the principal recent committers.
CC: (none) => smelror, yves.brungard_mageia
Assignee: bugsquad => pkg-bugs
Cauldron updated to 4.2.6
Version: Cauldron => 9
Package updated for Mageia 9 and Mageia 8

Advisory:
========================

Patched python-django package fixes security vulnerability:

It was discovered that python-django EmailValidator and URLValidator were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs (CVE-2023-36053).

References:
https://www.djangoproject.com/weblog/2023/jul/03/security-releases/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36053
========================

Updated packages in core/updates_testing:
========================
python3-django-4.1.13-1.mga9.noarch.rpm
from python-django-4.1.13-1.mga9.src.rpm

python3-django-3.2.23-1.mga8.noarch.rpm
from python-django-3.2.23-1.mga8.src.rpm

Test procedure
https://bugs.mageia.org/show_bug.cgi?id=29737#c3
CC: (none) => mhrambo3501
Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs
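An added illustration, not Django's own code and not part of this bug report, of the defensive pattern the advisory above calls for: bound the size and the number of domain labels of an address before any regex-based validation runs, so a value with a very large number of labels is rejected cheaply instead of driving the regex engine into backtracking. The limits, the label regex and the function names are assumptions chosen for this example.

```python
import re

# Illustration only (not Django's validators): cheap structural checks run
# first, so the regex is only ever applied to bounded, well-shaped input.
MAX_EMAIL_LENGTH = 320      # assumed upper bound for the whole address
MAX_LABELS = 127            # assumed upper bound on dot-separated labels

# Deliberately simple single-label pattern (assumption, not Django's regex):
# 1 to 63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def validate_email(value: str) -> str:
    """Return 'ok' or a short rejection reason; cheapest checks come first."""
    if not isinstance(value, str) or len(value) > MAX_EMAIL_LENGTH:
        return "too_long"                  # rejected before any regex work
    if value.count("@") != 1:
        return "malformed"
    local, domain = value.rsplit("@", 1)
    labels = domain.split(".")
    if not local or len(labels) < 2 or len(labels) > MAX_LABELS:
        return "bad_domain_shape"          # still no regex work
    # Only now run the regex: label count and total length are both bounded,
    # so the total matching work is bounded as well.
    if all(LABEL_RE.match(label) for label in labels):
        return "ok"
    return "invalid_label"


def constructed_many_label_input(labels: int) -> str:
    """Constructed sample: an address whose domain has `labels` one-char labels."""
    return "user@" + ".".join("a" for _ in range(labels)) + ".example"


if __name__ == "__main__":
    print(validate_email("qa@mageia.org"))                       # ok
    print(validate_email(constructed_many_label_input(150)))    # bad_domain_shape
    print(validate_email(constructed_many_label_input(10_000))) # too_long
```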
Advisory from comment 4 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
CC: (none) => marja11
Mageia9, x86_64

Noted that the test procedure can be followed back to Claire Robinson in Mageia 2. The migrations test works for the core release version so django-admin was available. Cleared the decks and restarted with the update.

$ django-admin startproject mysite
$ cd mysite
$ ls mysite
asgi.py  __init__.py  settings.py  urls.py  wsgi.py
$ cd mysite
$ ls
manage.py*  mysite/
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
[...]
  Applying auth.0011_update_proxy_permissions... OK
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
November 19, 2023 - 00:04:27
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Visited localhost:8000/ in Firefox and saw the introductory page for django with the rocketship icon and success manage. Links available for Django 4.1 release notes, Documentation, Tutorial and Community and they all appear to work. The DEBUG=True link also works.

$ python -m django --version
4.1.13
Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
CC: (none) => tarazed25
s/manage/message/ !
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0330.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => setid35258
(In reply to Freddie Conley from comment #10)
> We've seen version 6.4-20240217 and version 6.4-20240323, but the only 2023
> version I can find in Cauldron is 6.4-20230902, which appears to be more
> current than the version with the repair. Is there a catch?

I don't understand what you refer to. There has never been a 6.4 version of python-django. The successive versions are listed here [1], but in Cauldron, a new version removes the older one.

[1] https://svnweb.mageia.org/packages/cauldron/python-django/current/SPECS/python-django.spec?view=log
Ignore it. He's a spammer. He injected a spam link into the middle of the message. Usually these losers copy another message and inject into it. This is the first time I've seen one of these low-lifes write something unique to try to be more tricky. They also spammed another bug in a more typical and obvious manner. Some people just like to waste other people's time and need to get a life.
CC: setid35258 => (none)