Bugzilla – Bug 1195086
VUL-0: CVE-2022-22818: python-Django,python-Django1: Possible XSS via {% debug %} template tag
Last modified: 2023-01-03 14:23:11 UTC
CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context, posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs any information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``.

This issue has Medium severity, according to the Django security policy [1].

Affected versions
=================

* Django main development branch
* Django 4.0
* Django 3.2
* Django 2.2

Resolution
==========

Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues:

* Django 4.0.2
* Django 3.2.12
* Django 2.2.27

[1] https://www.djangoproject.com/security/
Created attachment 855561 [details] Attached patch 2.2.x
Created attachment 855562 [details] Attached patch 3.2.x
Created attachment 855563 [details] Attached patch 4.0.x
Created attachment 855565 [details] Attached patch main branch
(In reply to Carlos López from comment #5)
> Created attachment 855563 [details]
> Attached patch 4.0.x

Hi Carlos, is it OK for Factory (Django 4.0.X) to wait until the new release?
(In reply to Alberto Planas Dominguez from comment #7)
> (In reply to Carlos López from comment #5)
> > Created attachment 855563 [details]
> > Attached patch 4.0.x
>
> Hi Carlos, is OK for Factory (Django 4.0.X) to wait until the new release?

Hi Alberto, unless you mean waiting for a bigger update, this is expected. The next 4.0.x version (4.0.2) releases the same date as the CRD [0], and commits to OBS codestreams should wait until the embargo is over no matter what.

[0] https://docs.djangoproject.com/en/4.0/releases/4.0.2/
(In reply to Carlos López from comment #8)
> The next 4.0.x version (4.0.2) releases the same date as the CRD [0], and
> commits to OBS codestreams should wait until the embargo is over no matter
> what.

Excellent, I will submit on the same day of release for both CVEs.
Affected:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1

Affected on openSUSE:
- openSUSE:Backports:SLE-15-SP3/python-Django
- openSUSE:Backports:SLE-15-SP4/python-Django
- openSUSE:Factory/python-Django
- openSUSE:Backports:SLE-15-SP3/python-Django1
- openSUSE:Backports:SLE-15-SP4/python-Django1
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django:
* https://build.suse.de/request/show/263089

SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1:
* https://build.suse.de/request/show/263090
via oss-security
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/

In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing `Django 4.0.2 <https://docs.djangoproject.com/en/dev/releases/4.0.2/>`_, `Django 3.2.12 <https://docs.djangoproject.com/en/dev/releases/3.2.12/>`_, and `Django 2.2.27 <https://docs.djangoproject.com/en/dev/releases/2.2.27/>`_. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context, posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs any information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``.

Thanks Keryn Knight for the report.

This issue has severity "medium" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.0
* Django 3.2
* Django 2.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and to the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the following changesets.
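As an added illustration of the fix described in the advisory text quoted in the comments above (this is not Django's own code, and it deliberately uses only the standard library so it runs without Django installed): a minimal model of what the tag emitted before the change and what it emits after, driven by a constructed context in which one variable carries markup. The names SAMPLE_CONTEXT, debug_output_vulnerable, debug_output_fixed and contains_raw_markup are assumptions of this example.

```python
"""Standalone model of the CVE-2022-22818 fix for the {% debug %} tag.

Added example, not Django's code. It reproduces the two behaviours the
advisory names: emit nothing when DEBUG is False, and HTML-escape every
context layer when DEBUG is True.
"""
import html
import pprint

# Constructed sample context: a stack of dicts, in the spirit of Django's
# layered Context, where one value is attacker-controlled page input.
SAMPLE_CONTEXT = [
    {"user": "alice", "csrf_token": "constructed-token-value"},
    {"query": '"><script>alert(document.cookie)</script>'},
]


def debug_output_vulnerable(context):
    """Pre-fix behaviour as the advisory describes it: the pretty-printed
    context goes into the page verbatim, regardless of the DEBUG setting,
    so any markup held in a context variable reaches the browser intact."""
    return "\n".join(pprint.pformat(layer) for layer in context)


def debug_output_fixed(context, debug):
    """Post-fix behaviour: no output at all when DEBUG is False; when DEBUG
    is True every pretty-printed layer is HTML-escaped before it is joined
    into the rendered template."""
    if not debug:
        return ""
    return "\n".join(html.escape(pprint.pformat(layer)) for layer in context)


def contains_raw_markup(rendered):
    """Check a reviewer or regression test can apply to a rendered debug
    dump: any unescaped angle bracket means context data can inject
    markup into the page."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    print("vulnerable output leaks markup:",
          contains_raw_markup(debug_output_vulnerable(SAMPLE_CONTEXT)))
    print("fixed, DEBUG=False:", repr(debug_output_fixed(SAMPLE_CONTEXT, False)))
    print("fixed, DEBUG=True leaks markup:",
          contains_raw_markup(debug_output_fixed(SAMPLE_CONTEXT, True)))
```

Running the script shows the vulnerable variant leaking the `<script>` element while the fixed variant either stays silent or emits only `&lt;script&gt;`, which is the check a backport of the SUSE patches above should also pass.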
SUSE-SU-2022:0285-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1195086,1195088
CVE References: CVE-2022-22818,CVE-2022-23833
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-Django1-1.11.29-3.37.1
SUSE OpenStack Cloud 9 (src): python-Django1-1.11.29-3.37.1, venv-openstack-barbican-7.0.1~dev24-3.30.1, venv-openstack-cinder-13.0.10~dev23-3.33.1, venv-openstack-designate-7.0.2~dev2-3.30.1, venv-openstack-glance-17.0.1~dev30-3.28.1, venv-openstack-heat-11.0.4~dev4-3.30.1, venv-openstack-horizon-14.1.1~dev11-4.34.2, venv-openstack-ironic-11.1.5~dev17-4.28.1, venv-openstack-keystone-14.2.1~dev7-3.31.1, venv-openstack-magnum-7.2.1~dev1-4.30.1, venv-openstack-manila-7.4.2~dev60-3.36.1, venv-openstack-monasca-2.7.1~dev10-3.32.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.30.1, venv-openstack-neutron-13.0.8~dev164-6.34.1, venv-openstack-nova-18.3.1~dev91-3.34.1, venv-openstack-octavia-3.2.3~dev7-4.30.1, venv-openstack-sahara-9.0.2~dev15-3.30.1, venv-openstack-swift-2.19.2~dev48-2.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0286-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194116,1195086,1195088
CVE References: CVE-2021-45452,CVE-2022-22818,CVE-2022-23833
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-Django-1.11.29-3.39.1
SUSE OpenStack Cloud 8 (src): python-Django-1.11.29-3.39.1, venv-openstack-aodh-5.1.1~dev7-12.37.1, venv-openstack-barbican-5.0.2~dev3-12.38.1, venv-openstack-ceilometer-9.0.8~dev7-12.35.1, venv-openstack-cinder-11.2.3~dev29-14.39.1, venv-openstack-designate-5.0.3~dev7-12.36.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.33.1, venv-openstack-glance-15.0.3~dev3-12.36.1, venv-openstack-heat-9.0.8~dev22-12.40.1, venv-openstack-horizon-12.0.5~dev6-14.43.2, venv-openstack-ironic-9.1.8~dev8-12.38.1, venv-openstack-keystone-12.0.4~dev11-11.40.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.37.1, venv-openstack-manila-5.1.1~dev5-12.42.1, venv-openstack-monasca-2.2.2~dev1-11.40.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.33.1, venv-openstack-murano-4.0.2~dev2-12.33.1, venv-openstack-neutron-11.0.9~dev69-13.43.1, venv-openstack-nova-16.1.9~dev92-11.41.1, venv-openstack-octavia-1.0.6~dev3-12.38.1, venv-openstack-sahara-7.0.5~dev4-11.37.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.28.1, venv-openstack-trove-8.0.2~dev2-11.37.1
HPE Helion Openstack 8 (src): python-Django-1.11.29-3.39.1, venv-openstack-aodh-5.1.1~dev7-12.37.1, venv-openstack-barbican-5.0.2~dev3-12.38.1, venv-openstack-ceilometer-9.0.8~dev7-12.35.1, venv-openstack-cinder-11.2.3~dev29-14.39.1, venv-openstack-designate-5.0.3~dev7-12.36.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.33.1, venv-openstack-glance-15.0.3~dev3-12.36.1, venv-openstack-heat-9.0.8~dev22-12.40.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.43.2, venv-openstack-ironic-9.1.8~dev8-12.38.1, venv-openstack-keystone-12.0.4~dev11-11.40.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.37.1, venv-openstack-manila-5.1.1~dev5-12.42.1, venv-openstack-monasca-2.2.2~dev1-11.40.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.33.1, venv-openstack-murano-4.0.2~dev2-12.33.1, venv-openstack-neutron-11.0.9~dev69-13.43.1, venv-openstack-nova-16.1.9~dev92-11.41.1, venv-openstack-octavia-1.0.6~dev3-12.38.1, venv-openstack-sahara-7.0.5~dev4-11.37.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.28.1, venv-openstack-trove-8.0.2~dev2-11.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SOC fixes available, back to security team.
done
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP3 (src): python-Django-2.2.28-bp153.2.3.1