SUSE_ALP_Standard/patchinfo.20241028101042307006.269002615871826/_patchinfo

<patchinfo incident="97">
  <!-- generated from request(s) 338871, 336981, 335795 -->
  <issue tracker="bnc" id="1225070">VUL-0: CVE-2024-36039: python-PyMySQL: SQL injection if used with untrusted JSON input</issue>
  <issue tracker="bnc" id="1226660">VUL-0: CVE-2024-28397: python-Js2Py: an issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.</issue>
  <issue tracker="bnc" id="1227590">VUL-0: CVE-2024-38875: python-Django: potential denial-of-service through django.utils.html.urlize()</issue>
  <issue tracker="bnc" id="1227593">VUL-0: CVE-2024-39329: python-Django: username enumeration through timing difference for users with unusable passwords</issue>
  <issue tracker="bnc" id="1227594">VUL-0: CVE-2024-39330: python-Django: potential directory traversal in django.core.files.storage.Storage.save()</issue>
  <issue tracker="bnc" id="1227595">VUL-0: CVE-2024-39614: python-Django: potential denial-of-service through django.utils.translation.get_supported_language_variant()</issue>
  <issue tracker="cve" id="2024-28397"/>
  <issue tracker="cve" id="2024-36039"/>
  <issue tracker="cve" id="2024-38875"/>
  <issue tracker="cve" id="2024-39329"/>
  <issue tracker="cve" id="2024-39330"/>
  <issue tracker="cve" id="2024-39614"/>
  <issue tracker="gh" id="PiotrDabkowski/Js2Py#323"/>
  <packager>nkrapp</packager>
  <rating>critical</rating>
  <category>security</category>
  <summary>Security update for python-PyMySQL, python-Js2Py, python-Django</summary>
  <description>This update for python-PyMySQL, python-Js2Py, python-Django fixes the following issues:

python-Django:
  - CVE-2024-38875: Potential denial-of-service attack via 
      certain inputs with a very large number of brackets (bsc#1227590)
  - CVE-2024-39329: Username enumeration through timing difference
      for users with unusable passwords (bsc#1227593)
  - CVE-2024-39330: Potential directory traversal in
      django.core.files.storage.Storage.save() (bsc#1227594)
  - CVE-2024-39614: Potential denial-of-service through
      django.utils.translation.get_supported_language_variant() (bsc#1227595)

python-Js2Py:
  - CVE-2024-28397 (bsc#1226660, gh#PiotrDabkowski/Js2Py#323)

python-PyMySQL:
  - CVE-2024-36039 (bsc#1225070, gh#PyMySQL/PyMySQL@521e40050cb3)

</description>
  <package>python-Django</package>
  <package>python-Js2Py</package>
  <package>python-PyMySQL</package>
  <seperate_build_arch/>
</patchinfo>
Update incident numbers 2024-11-15 13:31:08 +01:00			`<patchinfo incident="97">`
Adding patchinfo patchinfo.20241028101042307006.269002615871826 2024-11-15 12:51:30 +01:00			`<!-- generated from request(s) 338871, 336981, 335795 -->`
			`<issue tracker="bnc" id="1225070">VUL-0: CVE-2024-36039: python-PyMySQL: SQL injection if used with untrusted JSON input</issue>`
			`<issue tracker="bnc" id="1226660">VUL-0: CVE-2024-28397: python-Js2Py: an issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.</issue>`
			`<issue tracker="bnc" id="1227590">VUL-0: CVE-2024-38875: python-Django: potential denial-of-service through django.utils.html.urlize()</issue>`
			`<issue tracker="bnc" id="1227593">VUL-0: CVE-2024-39329: python-Django: username enumeration through timing difference for users with unusable passwords</issue>`
			`<issue tracker="bnc" id="1227594">VUL-0: CVE-2024-39330: python-Django: potential directory traversal in django.core.files.storage.Storage.save()</issue>`
			`<issue tracker="bnc" id="1227595">VUL-0: CVE-2024-39614: python-Django: potential denial-of-service through django.utils.translation.get_supported_language_variant()</issue>`
			`<issue tracker="cve" id="2024-28397"/>`
			`<issue tracker="cve" id="2024-36039"/>`
			`<issue tracker="cve" id="2024-38875"/>`
			`<issue tracker="cve" id="2024-39329"/>`
			`<issue tracker="cve" id="2024-39330"/>`
			`<issue tracker="cve" id="2024-39614"/>`
			`<issue tracker="gh" id="PiotrDabkowski/Js2Py#323"/>`
			`<packager>nkrapp</packager>`
			`<rating>critical</rating>`
			`<category>security</category>`
			`<summary>Security update for python-PyMySQL, python-Js2Py, python-Django</summary>`
			`<description>This update for python-PyMySQL, python-Js2Py, python-Django fixes the following issues:`

			`python-Django:`
			`- CVE-2024-38875: Potential denial-of-service attack via`
			`certain inputs with a very large number of brackets (bsc#1227590)`
			`- CVE-2024-39329: Username enumeration through timing difference`
			`for users with unusable passwords (bsc#1227593)`
			`- CVE-2024-39330: Potential directory traversal in`
			`django.core.files.storage.Storage.save() (bsc#1227594)`
			`- CVE-2024-39614: Potential denial-of-service through`
			`django.utils.translation.get_supported_language_variant() (bsc#1227595)`

			`python-Js2Py:`
			`- CVE-2024-28397 (bsc#1226660, gh#PiotrDabkowski/Js2Py#323)`

			`python-PyMySQL:`
			`- CVE-2024-36039 (bsc#1225070, gh#PyMySQL/PyMySQL@521e40050cb3)`

			`</description>`
			`<package>python-Django</package>`
			`<package>python-Js2Py</package>`
			`<package>python-PyMySQL</package>`
			`<seperate_build_arch/>`
Update incident numbers 2024-11-15 13:31:08 +01:00			`</patchinfo>`