Security update for python-django-registration SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0597-1 Final 1 1 2021-04-22T22:05:42Z current 2021-04-22T22:05:42Z 2021-04-22T22:05:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-django-registration This update for python-django-registration fixes the following issues: Update to 3.1.2 (boo#1184427, CVE-2021-21416) * Filter sensitive POST parameters in error reports * Fix RemovedInDjango40Warning from Signal arguments This update was imported from the openSUSE:Leap:15.2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-597 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NL4XGVJ2AN5KEZDKGXRP3QKFGI24ETYA/ E-Mail link for openSUSE-SU-2021:0597-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184427 SUSE Bug 1184427 https://www.suse.com/security/cve/CVE-2021-21416/ SUSE CVE CVE-2021-21416 page SUSE Package Hub 15 SP2 python3-django-registration-3.1.2-bp152.3.3.1 python3-django-registration-3.1.2-bp152.3.3.1 as a component of SUSE Package Hub 15 SP2 django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires: A site is using django-registration < 3.1.2, The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password). CVE-2021-21416 SUSE Package Hub 15 SP2:python3-django-registration-3.1.2-bp152.3.3.1 low 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NL4XGVJ2AN5KEZDKGXRP3QKFGI24ETYA/ https://www.suse.com/security/cve/CVE-2021-21416.html CVE-2021-21416 https://bugzilla.suse.com/1184427 SUSE Bug 1184427