CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. Please bump to 3.2.15 and 4.0.7.
Thanks for the report! I haven't been able to get around to bumping Python stuff lately, so these reports for important bumps are very helpful.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44f7d299c8c84c0a7086e7581ad2f5b5ddf69911 commit 44f7d299c8c84c0a7086e7581ad2f5b5ddf69911 Author: Arthur Zamarin <arthurzam@gentoo.org> AuthorDate: 2022-08-03 20:38:48 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2022-08-03 20:38:48 +0000 dev-python/django: drop 3.2.14, 4.0.6 Bug: https://bugs.gentoo.org/863398 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> dev-python/django/Manifest | 4 -- dev-python/django/django-3.2.14.ebuild | 109 -------------------------------- dev-python/django/django-4.0.6.ebuild | 110 --------------------------------- 3 files changed, 223 deletions(-)
Thanks!