SUSE-SU-2015:1109-1
Vulnerability Summary
Timeline
Description
Security update for python-Django python-django was updated to 1.6.11 to fix security issues and non-security bugs. The following vulnerabilities were fixed: * Made is_safe_url() reject URLs that start with control characters to mitigate possible XSS attack via user-supplied redirect URLs (bnc#923176, CVE-2015-2317) * Fixed an infinite loop possibility in strip_tags() (bnc#923172, CVE-2015-2316) * WSGI header spoofing via underscore/dash conflation (bnc#913053, CVE-2015-0219) * Mitigated possible XSS attack via user-supplied redirect URLs * Denial-of-service attack against ``django.views.static.serve`` (bnc#913056, CVE-2015-0221) * Database denial-of-service with ``ModelMultipleChoiceField`` (bnc#913055, CVE-2015-0222) The update also contains fixes for non-security bugs, functional and stability issues.
Affected Systems
- suse•python-Django&distro=SUSE Enterprise Storage 1.0
< 1.6.11-4.1
References (11)
- https://www.suse.com/support/update/announcement/2015/suse-su-20151109-1/
- https://bugzilla.suse.com/913053
- https://bugzilla.suse.com/913055
- https://bugzilla.suse.com/913056
- https://bugzilla.suse.com/923172
- https://bugzilla.suse.com/923176
- https://www.suse.com/security/cve/CVE-2015-0219
- https://www.suse.com/security/cve/CVE-2015-0221
- https://www.suse.com/security/cve/CVE-2015-0222
- https://www.suse.com/security/cve/CVE-2015-2316
- https://www.suse.com/security/cve/CVE-2015-2317