{ "Definition": [ { "ID": "oval:org.altlinux.errata:def:20201708", "Version": "oval:org.altlinux.errata:def:20201708", "Class": "patch", "Metadata": { "Title": "ALT-PU-2020-1708: package `python3-module-django2.2` update to version 2.2.12-alt1", "AffectedList": [ { "Family": "unix", "Platforms": [ "ALT Linux branch p10" ], "Products": [ "ALT Server", "ALT Virtualization Server", "ALT Workstation", "ALT Workstation K", "ALT Education", "Simply Linux", "Starterkit" ] } ], "References": [ { "RefID": "ALT-PU-2020-1708", "RefURL": "https://errata.altlinux.org/ALT-PU-2020-1708", "Source": "ALTPU" }, { "RefID": "BDU:2020-01459", "RefURL": "https://bdu.fstec.ru/vul/2020-01459", "Source": "BDU" }, { "RefID": "BDU:2020-05726", "RefURL": "https://bdu.fstec.ru/vul/2020-05726", "Source": "BDU" }, { "RefID": "BDU:2021-03743", "RefURL": "https://bdu.fstec.ru/vul/2021-03743", "Source": "BDU" }, { "RefID": "CVE-2019-19118", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-19118", "Source": "CVE" }, { "RefID": "CVE-2019-19844", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", "Source": "CVE" }, { "RefID": "CVE-2020-7471", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-7471", "Source": "CVE" }, { "RefID": "CVE-2020-9402", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-9402", "Source": "CVE" } ], "Description": "This update upgrades python3-module-django2.2 to version 2.2.12-alt1. \nSecurity Fix(es):\n\n * BDU:2020-01459: Уязвимость фреймворка для веб-приложений Django, связанная с ошибкой в работе механизма восстановления паролей, позволяющая нарушителю оказать воздействие на целостность данных\n\n * BDU:2020-05726: Уязвимость библиотеки Django для языка программирования Python, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2021-03743: Уязвимость компонента contrib.postgres.aggregates.StringAgg программной платформы для веб-приложений Django, связанная с непринятием мер по защите структуры SQL-запроса, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2019-19118: Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)\n\n * CVE-2019-19844: Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)\n\n * CVE-2020-7471: Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.\n\n * CVE-2020-9402: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.", "Advisory": { "From": "errata.altlinux.org", "Severity": "Critical", "Rights": "Copyright 2024 BaseALT Ltd.", "Issued": { "Date": "2020-04-12" }, "Updated": { "Date": "2020-04-12" }, "BDUs": [ { "ID": "BDU:2020-01459", "CVSS": "AV:N/AC:L/Au:N/C:N/I:C/A:N", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "CWE": "CWE-640", "Href": "https://bdu.fstec.ru/vul/2020-01459", "Impact": "High", "Public": "20191215" }, { "ID": "BDU:2020-05726", "CVSS": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "CVSS3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-89", "Href": "https://bdu.fstec.ru/vul/2020-05726", "Impact": "High", "Public": "20200305" }, { "ID": "BDU:2021-03743", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-89", "Href": "https://bdu.fstec.ru/vul/2021-03743", "Impact": "Critical", "Public": "20200203" } ], "CVEs": [ { "ID": "CVE-2019-19118", "CVSS": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "CWE": "CWE-276", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-19118", "Impact": "Low", "Public": "20191202" }, { "ID": "CVE-2019-19844", "CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-640", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", "Impact": "Critical", "Public": "20191218" }, { "ID": "CVE-2020-7471", "CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-89", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-7471", "Impact": "Critical", "Public": "20200203" }, { "ID": "CVE-2020-9402", "CVSS": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "CWE": "CWE-89", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-9402", "Impact": "High", "Public": "20200305" } ], "AffectedCPEs": { "CPEs": [ "cpe:/o:alt:kworkstation:10", "cpe:/o:alt:workstation:10", "cpe:/o:alt:server:10", "cpe:/o:alt:server-v:10", "cpe:/o:alt:education:10", "cpe:/o:alt:slinux:10", "cpe:/o:alt:starterkit:p10", "cpe:/o:alt:kworkstation:10.1", "cpe:/o:alt:workstation:10.1", "cpe:/o:alt:server:10.1", "cpe:/o:alt:server-v:10.1", "cpe:/o:alt:education:10.1", "cpe:/o:alt:slinux:10.1", "cpe:/o:alt:starterkit:10.1", "cpe:/o:alt:kworkstation:10.2", "cpe:/o:alt:workstation:10.2", "cpe:/o:alt:server:10.2", "cpe:/o:alt:server-v:10.2", "cpe:/o:alt:education:10.2", "cpe:/o:alt:slinux:10.2", "cpe:/o:alt:starterkit:10.2" ] } } }, "Criteria": { "Operator": "AND", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:2001", "Comment": "ALT Linux must be installed" } ], "Criterias": [ { "Operator": "OR", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:20201708001", "Comment": "python3-module-django2.2 is earlier than 0:2.2.12-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20201708002", "Comment": "python3-module-django2.2-dbbackend-mysql is earlier than 0:2.2.12-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20201708003", "Comment": "python3-module-django2.2-dbbackend-psycopg2 is earlier than 0:2.2.12-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20201708004", "Comment": "python3-module-django2.2-dbbackend-sqlite3 is earlier than 0:2.2.12-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20201708005", "Comment": "python3-module-django2.2-doc is earlier than 0:2.2.12-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20201708006", "Comment": "python3-module-django2.2-tests is earlier than 0:2.2.12-alt1" } ] } ] } } ] }