python3-django: Fix CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45231 Upstream-patch: bf4888d317 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-05-06 16:58:24 +00:00 · 2025-01-10 13:18:01 +00:00
parent b4feba446d
commit be168328f8
2 changed files with 121 additions and 0 deletions
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -22,6 +22,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2024-41990.patch \
            file://CVE-2024-41991.patch \
            file://CVE-2024-45230.patch \
+            file://CVE-2024-45231.patch \
           "

 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"