Bug 1223373 (CVE-2024-32879)

Summary: VUL-0: CVE-2024-32879: python-social-auth: Improper Handling of Case Sensitivity in social-auth-app-django
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Dirk Mueller <dmueller>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: stoyan.manolov
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/403106/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-25 05:56:18 UTC 
Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-32879
https://www.cve.org/CVERecord?id=CVE-2024-32879
https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138
https://github.com/python-social-auth/social-app-django/pull/566
https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3
https://bugzilla.redhat.com/show_bug.cgi?id=2277035
Comment 1 Dirk Mueller 2024-06-10 09:12:09 UTC 
only tumbleweed is affected which is fixed.
Comment 2 OBSbugzilla Bot 2024-06-10 09:45:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1223373) was mentioned in
https://build.opensuse.org/request/show/1179662 Factory / python-social-auth-app-django