Security: Insufficient permission check in djoser
| Name: | Insufficient permission check in djoser |
| ID: | USN-7354-1 |
| Distribution: | Ubuntu |
| Platforms: | Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 24.10 |
| Date: | Wed, March 19, 2025, 17:58 |
| References: | https://www.cve.org/CVERecord?id=CVE-2024-21543 |
| Applications: | djoser |
Original message
From: Elise Hlady <elise.hlady@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <f167d8f3-bfa8-450d-a839-002098646199@canonical.com>
Subject: [USN-7354-1] djoser vulnerability
==========================================================================
Ubuntu Security Notice USN-7354-1
March 17, 2025

djoser vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
djoser could be made to bypass authentication checks during login.
Software Description:
- djoser: REST implementation of Django authentication system
Details:
Diego Cebrián discovered that djoser did not properly handle user authentication. An attacker with valid credentials could possibly use this to bypass authentication checks, such as two-factor authentication, to gain unintended access.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.10
  python3-djoser 2.1.0-1ubuntu0.24.10.1

Ubuntu 24.04 LTS
  python3-djoser 2.1.0-1ubuntu0.24.04.1

Ubuntu 22.04 LTS
  python3-djoser 2.1.0-1ubuntu0.22.04.1

Ubuntu 20.04 LTS
  python3-djoser 2.0.3-1ubuntu0.1~esm1
  Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
  https://ubuntu.com/security/notices/USN-7354-1
  CVE-2024-21543

Package Information:
  https://launchpad.net/ubuntu/+source/djoser/2.1.0-1ubuntu0.24.10.1
  https://launchpad.net/ubuntu/+source/djoser/2.1.0-1ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/djoser/2.1.0-1ubuntu0.22.04.1