A flaw was found in Django in a way that GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance. Reference: https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
Created django:1.6/python-django tracking bugs for this issue: Affects: fedora-all [bug 1810097] Created python-django tracking bugs for this issue: Affects: epel-all [bug 1810094] Affects: fedora-all [bug 1810093] Affects: openstack-rdo [bug 1810096] Created python-django16 tracking bugs for this issue: Affects: epel-7 [bug 1810095]
External References: https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
Upstream commits: 3.0.: https://github.com/django/django/commit/26a5cf834526e291db00385dd33d319b8271fc4c 2.2 : https://github.com/django/django/commit/fe886a3b58a93cfbe8864b485f93cb6d426cd1f2 1.1 : https://github.com/django/django/commit/02d97f3c9a88adc890047996e5606180bd1c6166
Mitigation: There is no known mitigation for this issue, the flaw can only be resolved by applying updates.
Statement: Although the following products ship the flawed code, they do not use or support its functionality and therefore will not be updated: * Red Hat OpenStack Platform * Red Hat Update Infrastructure 3 * Red Hat Ceph Storage The following products will be updated. However, because both products do not use the functionality, their Impact has been reduced to 'Low': * Red Hat Gluster Storage * Red Hat Satellite 6
This issue has been addressed in the following products: Red Hat Satellite 6.8 for RHEL 7 Via RHSA-2021:1313 https://access.redhat.com/errata/RHSA-2021:1313
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-9402