Ubuntu Security Notice USN-5549-1
Ubuntu Security Notice 5549-1 - It was discovered that Django incorrectly handled certain FileResponse objects. An attacker could possibly use this issue to expose sensitive information or gain access to a user's machine.
==========================================================================
Ubuntu Security Notice USN-5549-1
August 04, 2022

python-django vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Django could be made to expose sensitive information if it received
a specially crafted input.

Software Description:
- python-django: High-level Python web development framework

Details:

It was discovered that Django incorrectly handled certain FileResponse
objects. An attacker could possibly use this issue to expose sensitive
information or gain access to a user's machine.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  python3-django                  2:3.2.12-2ubuntu1.2

Ubuntu 20.04 LTS:
  python3-django                  2:2.2.12-1ubuntu0.13

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5549-1
  CVE-2022-36359

Package Information:
  https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.2
  https://launchpad.net/ubuntu/+source/python-django/2:2.2.12-1ubuntu0.13
Related news
Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
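As an added illustration of the defect class described above (this is not code from the advisory or from Django itself, and the function names are hypothetical), the following shows a Content-Disposition value built from an untrusted filename in its unescaped "before" form beside a hardened form that mirrors the kind of escaping the fixed releases apply, plus a check that the filename stayed inside a single quoted parameter.

```python
"""Added example, not Django's code: a Content-Disposition value built from
an untrusted filename, before and after the kind of escaping the fixed
releases apply. Function names are hypothetical."""
import re
from urllib.parse import quote

# Exactly one quoted filename parameter, only backslash-escaped quotes inside.
_ONE_QUOTED_PARAM = re.compile(r'(?:attachment|inline); filename="(?:[^"\\]|\\.)*"')


def unsafe_content_disposition(filename: str, as_attachment: bool = True) -> str:
    """Pre-fix pattern: the name is interpolated unescaped, so a '"' in user
    input closes the quoted-string early. Kept only as the 'before'."""
    disposition = "attachment" if as_attachment else "inline"
    return f'{disposition}; filename="{filename}"'


def build_content_disposition(filename: str, as_attachment: bool = True) -> str:
    """Hardened form: reject control characters (so the value cannot end the
    header line), backslash-escape '\\' and '"' in ASCII names so the name
    cannot close the parameter, and use RFC 5987 filename*=utf-8'' for
    non-ASCII names, where percent-encoding leaves no quotes or semicolons."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in filename):
        raise ValueError("control character in filename")
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        file_expr = "filename*=utf-8''" + quote(filename)
    else:
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        file_expr = f'filename="{escaped}"'
    return f"{disposition}; {file_expr}"


def single_quoted_filename(header_value: str) -> bool:
    """True if the value is exactly one well-formed quoted filename parameter,
    i.e. the untrusted name did not break out of the quotes."""
    return _ONE_QUOTED_PARAM.fullmatch(header_value) is not None


def rejects(filename: str) -> bool:
    """True if the hardened builder refuses the filename outright."""
    try:
        build_content_disposition(filename)
    except ValueError:
        return True
    return False
```

A regression test for an application that derives download names from request data can feed names containing quotes, backslashes and non-ASCII characters through the builder and assert `single_quoted_filename` (or the `filename*` form) on the result.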