Security update for python-djangorestframework SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0338-1 Final 1 1 2021-02-25T09:05:18Z current 2021-02-25T09:05:18Z 2021-02-25T09:05:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-djangorestframework This update for python-djangorestframework fixes the following issues: Update to 3.11.2 * Security: Drop urlize_quoted_links template tag in favour of Django's built-in urlize. Removes a XSS vulnerability for some kinds of content in the browsable API. (boo#1177205, CVE-2020-25626) * update Django for APIs book to 3.0 edition * decode base64 credentials as utf8; adjust tests * Remove compat urls for Django < 2.0 This update was imported from the openSUSE:Leap:15.2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-338 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7NYNAEPY3UVCIEUTPMQBXFJ42XJG7RVG/ E-Mail link for openSUSE-SU-2021:0338-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1177205 SUSE Bug 1177205 https://www.suse.com/security/cve/CVE-2020-25626/ SUSE CVE CVE-2020-25626 page SUSE Package Hub 15 SP2 python3-djangorestframework-3.11.2-bp152.2.3.1 python3-djangorestframework-3.11.2-bp152.2.3.1 as a component of SUSE Package Hub 15 SP2 A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability. CVE-2020-25626 SUSE Package Hub 15 SP2:python3-djangorestframework-3.11.2-bp152.2.3.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7NYNAEPY3UVCIEUTPMQBXFJ42XJG7RVG/ https://www.suse.com/security/cve/CVE-2020-25626.html CVE-2020-25626 https://bugzilla.suse.com/1177205 SUSE Bug 1177205