Upstream has issued an advisory on March 4: https://www.djangoproject.com/weblog/2024/mar/04/security-releases/ The issue is fixed upstream in 4.2.11. Ubuntu has issued an advisory for this on March 4: https://ubuntu.com/security/notices/USN-6674-1
Package: python3-django
SRPM: python-django-4.1.13-1.mga9.src.rpm

Stig has just updated Cauldron to version 4.2.11, so assigning this to you for Mageia 9 also. It will of course need an Advisory...

Assignee: bugsquad => smelror
Status comment: (none) => fixed upstream in 4.2.11
Source RPM: (none) => python-django-4.1.13-1.mga9.src.rpm
Suggested advisory:
========================

The updated package fixes a security vulnerability:

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. (CVE-2024-27351)

References:
https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
https://ubuntu.com/security/notices/USN-6674-1
========================

Updated package in core/updates_testing:
========================

python3-django-4.1.13-1.1.mga9

from SRPM:
python-django-4.1.13-1.1.mga9.src.rpm

Assignee: smelror => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2024-27351
Status comment: fixed upstream in 4.2.11 => (none)
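A way to confirm on a Mageia 9 host that the fixed package from this update is actually installed, as an added example that is not part of the bug report or of Mageia's own tooling: it reimplements rpm's segment-wise version comparison in Python and compares the installed version-release against 4.1.13-1.1.mga9. It assumes rpm is on PATH and that python3-django carries no Epoch.

```python
import re
import subprocess

# Fixed Mageia 9 package from this bug: python3-django-4.1.13-1.1.mga9
FIXED_VR = "4.1.13-1.1.mga9"

# rpm splits a version into runs of digits and runs of letters; everything
# else is a separator. ('~' and '^' handling is omitted here.)
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp() for one version or release string."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):          # numeric segments compare as integers
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():  # numeric beats alphabetic, so
            return 1 if x.isdigit() else -1  # release 1.1.mga9 > 1.mga9
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer prefix-equal wins

def compare_vr(installed, fixed):
    """Compare 'version-release' strings: version first, release breaks ties."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_fixed(installed, fixed=FIXED_VR):
    """True if the installed version-release is at or above the fixed one."""
    return compare_vr(installed, fixed) >= 0

def installed_python3_django():
    """Query the rpm database (assumes rpm on PATH); None if absent."""
    try:
        proc = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}",
                               "python3-django"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None

if __name__ == "__main__":
    vr = installed_python3_django()
    if vr is None:
        print("python3-django is not installed (or rpm unavailable)")
    else:
        print(vr, "fixed" if is_fixed(vr) else "still affected by CVE-2024-27351")
```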
Mageia9, x64

Before the update django-admin worked fine.

$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py

Removed mysite and updated, then:

$ django-admin startproject mysite
$ tree mysite
mysite
├── manage.py
└── mysite
    ├── asgi.py
    ├── __init__.py
    ├── settings.py
    ├── urls.py
    └── wsgi.py
$ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  [...]
  Applying auth.0012_alter_user_first_name_max_length... OK
  Applying sessions.0001_initial... OK
$ python manage.py runserver
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
March 19, 2024 - 16:20:36
Django version 4.1.13, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Visited port 8000 in a browser to see the introductory page with its rocketship emblem and confirmation of a successful installation. There were links to release-notes, documentation, startup tutorial and the community.

Giving this a pass.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => tarazed25
Keywords: (none) => advisory
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0075.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED