Category Archives: Advisories

USN-7136-2: Django vulnerability

Read Time:30 Second

USN-7136-1 fixed a vulnerability in Django. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

jiangniao discovered that Django incorrectly handled the API to strip
tags. A remote attacker could possibly use this issue to cause Django to
consume resources, leading to a denial of service. (CVE-2024-53907)

Seokchan Yoon discovered that Django incorrectly handled HasKey lookups
when using Oracle. A remote attacker could possibly use this issue to
inject arbitrary SQL code. This issue only affected Ubuntu 24.04 LTS and
Ubuntu 24.10. (CVE-2024-53908)

Read More

USN-7136-1: Django vulnerabilities

Read Time:22 Second

jiangniao discovered that Django incorrectly handled the API to strip tags.
A remote attacker could possibly use this issue to cause Django to
consume resources, leading to a denial of service. (CVE-2024-53907)

Seokchan Yoon discovered that Django incorrectly handled HasKey lookups
when using Oracle. A remote attacker could possibly use this issue to
inject arbitrary SQL code. This issue only affected Ubuntu 24.04 LTS and
Ubuntu 24.10. (CVE-2024-53908)

Read More

ZDI-24-1646: Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability

Read Time:17 Second

This vulnerability allows local attackers to escalate privileges on affected installations of Epic Games Launcher. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-11872.

Read More

python3.11-3.11.11-1.fc41

Read Time:23 Second

FEDORA-2024-01d838d947

Packages in this update:

python3.11-3.11.11-1.fc41

Update description:

Python 3.11.11 security release.

Security content in this release

gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified.
CVE-2024-9287: gh-124651: Properly quote template strings in venv activation scripts.

Read More

python3.11-3.11.11-1.fc40

Read Time:23 Second

FEDORA-2024-5ea38dfb80

Packages in this update:

python3.11-3.11.11-1.fc40

Update description:

Python 3.11.11 security release.

Security content in this release

gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified.
CVE-2024-9287: gh-124651: Properly quote template strings in venv activation scripts.

Read More

python3.9-3.9.21-1.fc40

Read Time:49 Second

FEDORA-2024-607a0047bc

Packages in this update:

python3.9-3.9.21-1.fc40

Update description:

Python 3.9.21 security release.

Security content in this release

gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified.
CVE-2024-9287: gh-124651: Properly quote template strings in venv activation scripts.
gh-103848: Added checks to ensure that [ bracketed ] hosts found by urllib.parse.urlsplit() are of IPv6 or IPvFuture format.
gh-95588: Clarified the conflicting advice given in the ast documentation about ast.literal_eval() being “safe” for use on untrusted input while at the same time warning that it can crash the process. The latter statement is true and is deemed unfixable without a large amount of work unsuitable for a bugfix. So we keep the warning and no longer claim that literal_eval is safe.

Read More

python3.9-3.9.21-1.fc41

Read Time:49 Second

FEDORA-2024-47e4624c89

Packages in this update:

python3.9-3.9.21-1.fc41

Update description:

Python 3.9.21 security release.

Security content in this release

gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified.
CVE-2024-9287: gh-124651: Properly quote template strings in venv activation scripts.
gh-103848: Added checks to ensure that [ bracketed ] hosts found by urllib.parse.urlsplit() are of IPv6 or IPvFuture format.
gh-95588: Clarified the conflicting advice given in the ast documentation about ast.literal_eval() being “safe” for use on untrusted input while at the same time warning that it can crash the process. The latter statement is true and is deemed unfixable without a large amount of work unsuitable for a bugfix. So we keep the warning and no longer claim that literal_eval is safe.

Read More