An update for python-django is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2539 Final 1.0 1.0 2024-12-13 Initial 2024-12-13 2024-12-13 openEuler SA Tool V1.0 2024-12-13 python-django security update An update for python-django is now available for openEuler-24.03-LTS A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fix(es): A vulnerability was found in the Django Web Framework. The strip_tags() and stripbtags template filter may be vulnerable to a potential denial of service (DoS) in cases of a large sequence of nested incomplete HTML entities.(CVE-2024-53907) A vulnerability was found in the Django Web Framework. The direct usage of django.db.models.fields.json.HasKey may be vulnerable to SQL injection if untrusted data is used to perform queries.(CVE-2024-53908) An update for python-django is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical python-django https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2539 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-53907 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-53908 https://nvd.nist.gov/vuln/detail/CVE-2024-53907 https://nvd.nist.gov/vuln/detail/CVE-2024-53908 openEuler-24.03-LTS python-django-4.2.15-3.oe2403.src.rpm python-django-help-4.2.15-3.oe2403.noarch.rpm python3-Django-4.2.15-3.oe2403.noarch.rpm An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. 2024-12-13 CVE-2024-53907 openEuler-24.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H python-django security update 2024-12-13 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2539 An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.) 2024-12-13 CVE-2024-53908 openEuler-24.03-LTS Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H python-django security update 2024-12-13 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2539