Re: git: 7cd59a7b0d9c - main - security/vuxml: Document Django multiple vulnerabilities

From: Dan Langille <dan_at_langille.org>
Date: Tue, 14 Feb 2023 13:49:11 UTC
On Tue, Feb 14, 2023, at 7:04 AM, Wen Heping wrote:
> The branch main has been updated by wen:
>
> URL: 
> https://cgit.FreeBSD.org/ports/commit/?id=7cd59a7b0d9c15b24dae177e6feafea107670ff5
>
> commit 7cd59a7b0d9c15b24dae177e6feafea107670ff5
> Author:     Wen Heping <wen@FreeBSD.org>
> AuthorDate: 2023-02-14 12:03:26 +0000
> Commit:     Wen Heping <wen@FreeBSD.org>
> CommitDate: 2023-02-14 12:03:59 +0000
>
>     security/vuxml: Document Django multiple vulnerabilities
> ---
>  security/vuxml/vuln/2023.xml | 41 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 41 insertions(+)
>
> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
> index a3feb1c2e6d7..9cc6385ce320 100644
> --- a/security/vuxml/vuln/2023.xml
> +++ b/security/vuxml/vuln/2023.xml
> @@ -1,3 +1,44 @@
> +  <vuln vid="9c9ee9a6-ac5e-11ed-9323-080027d3a315">
> +    <topic>Django -- multiple vulnerabilities</topic>
> +    <affects>
> +      <package>
> +	<name>py37-django32</name>
> +	<name>py38-django32</name>
> +	<name>py39-django32</name>
> +	<name>py310-django32</name>
> +	<range><lt>3.2.18</lt></range>
> +      </package>
> +      <package>
> +	<name>py38-django40</name>
> +	<name>py39-django40</name>
> +	<name>py310-django40</name>
> +	<range><lt>4.0.10</lt></range>
> +      </package>
> +      <package>
> +	<name>py38-django41</name>
> +	<name>py39-django41</name>
> +	<name>py310-django41</name>
> +	<range><lt>4.1.7/range>

The above has incorrect tags.I think it might be:

	<range><lt>4.1.7</lt></range>

But I'm not sure.


> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">
> +	<p>Django reports:</p>
> +	<blockquote 
> cite="https://www.djangoproject.com/weblog/2023/feb/14/security-releases/">
> +	  <p>CVE-2023-24580: Potential denial-of-service vulnerability in 
> file uploads.</p>
> +	</blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2023-24580</cvename>
> +      
> <url>https://www.djangoproject.com/weblog/2023/feb/14/security-releases/</url>
> +    </references>
> +    <dates>
> +      <discovery>2023-02-01</discovery>
> +      <entry>2023-02-14</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="0a7a5dfb-aba4-11ed-be2c-001cc0382b2f">
>      <topic>GnuTLS -- timing sidechannel in RSA decryption</topic>
>      <affects>

-- 
  Dan Langille
  dan@langille.org