openSUSE-SU-2023:0005-1

This update for python-Django fixes the following issues:

• CVE-2022-41323: Fixed potential denial-of-service vulnerability in internationalized URLs (boo#1203793)

• CVE-2022-36359: Fixed a potential reflected file download vulnerability in FileResponse (boo#1201923)

• Update from 2.2.12 to 2.2.28 (boo#1198297)

  • Many CVEs fixes (check https://github.com/django/django/blob/main/docs/releases/)

  2.2.28:

  • CVE-2022-28346: Fixed potential SQL injection in QuerySet.annotate(), aggregate(), and extra() (bsc#1198398)
  • CVE-2022-28347: Fixed potential SQL injection via QuerySet.explain(**options) (bsc#1198399)

  2.2.27:

  • CVE-2022-22818: Fixed possible XSS via {% debug %} template tag (bsc#1195086)
  • CVE-2022-23833: Fixed denial-of-service possibility in file uploads (bsc#1195088)

  2.2.26:

  • CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator (bsc#1194115)
  • CVE-2021-45116: Potential information disclosure in dictsort template filter (bsc#1194117)
  • CVE-2021-45452: Potential directory-traversal via Storage.save() (bsc#)

  2.2.25:

  • CVE-2021-44420: Potential bypass of an upstream access control based on URL paths (bsc#1193240)

  2.2.24:

  • CVE-2021-33203: Potential directory traversal via admindocs
  • CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

  2.2.23:

  • regression fix

  2.2.22:

  • CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+