SB20260509150 - openEuler 24.03 LTS SP1 update for python-django

Published: May 9, 2026

Security Bulletin ID: SB20260509150
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 75%, Low: 25%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2026-33033)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in django.http.multipartparser.MultiPartParser when processing multipart uploads with base64-encoded files containing excessive whitespace. A remote attacker can send a specially crafted multipart upload to cause a denial of service.

The issue may trigger repeated memory copying and degrade performance.


2) Improper input validation (CVE-ID: CVE-2026-33034)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ASGI request handling when reading HttpRequest.body from requests with a missing or understated Content-Length header. A remote attacker can send a specially crafted request to cause a denial of service.

The issue can bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit and load an unbounded request body into memory.


3) Session Fixation (CVE-ID: CVE-2026-35192)

The vulnerability allows a remote attacker to steal a user's session.

The vulnerability exists due to improper session handling in cached public pages when a session is not modified and SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can leverage a cached public page visit by the victim to steal a user's session.

User interaction is required because the victim must visit a cached public page.


4) Improper input validation (CVE-ID: CVE-2026-3902)

The vulnerability allows a remote attacker to spoof security-sensitive headers.

The vulnerability exists due to improper input validation in ASGIRequest when processing request headers. A remote attacker can supply a header name with underscores to spoof security-sensitive headers.

This issue affects ASGI deployments where hyphenated and underscored header names may be treated ambiguously.


5) Improper access control (CVE-ID: CVE-2026-4277)

The vulnerability allows a remote user to create inline model instances without proper add permissions.

The vulnerability exists due to improper access control in GenericInlineModelAdmin when processing forged POST data. A remote user can submit forged POST data to create inline model instances without proper add permissions.


6) Improper access control (CVE-ID: CVE-2026-4292)

The vulnerability allows a remote user to create new instances through admin changelist forms.

The vulnerability exists due to improper access control in ModelAdmin.list_editable when processing forged POST data. A remote user can submit forged POST data to create new instances through admin changelist forms.


7) Input validation error (CVE-ID: CVE-2026-5766)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ASGI request handling when processing file uploads with a missing or understated Content-Length header. A remote attacker can send a specially crafted request to cause a denial of service.

Large uploaded files may be loaded into memory, causing service degradation.
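Items 2 and 7 share one root cause: the upload limit was enforced against the declared Content-Length rather than the bytes actually received. The following is an added illustration of the defensive pattern, not code from Django or from this bulletin: an ASGI body reader that counts received bytes against the cap, so a missing or understated Content-Length cannot bypass it. `read_body`, `declared_length`, `make_receive`, `run` and the 64-byte cap are constructed for the example.

```python
import asyncio

# Constructed cap standing in for DATA_UPLOAD_MAX_MEMORY_SIZE (Django's default
# is 2.5 MiB); kept tiny so the sample input below exercises the limit.
MAX_BODY_BYTES = 64

class RequestBodyTooLarge(Exception):
    pass

def declared_length(headers):
    """Hypothetical helper: Content-Length as int, or None if absent or invalid."""
    for name, value in headers:
        if name.lower() == b"content-length":
            return int(value) if value.isdigit() else None
    return None

async def read_body(scope, receive, limit=MAX_BODY_BYTES):
    """Drain ASGI http.request messages into bytes, enforcing `limit` on the
    bytes actually received, not on the declared Content-Length."""
    declared = declared_length(scope.get("headers", []))
    if declared is not None and declared > limit:
        raise RequestBodyTooLarge("declared Content-Length exceeds limit")
    chunks, total = [], 0
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > limit:  # catches a missing or understated Content-Length
            raise RequestBodyTooLarge("received body exceeds limit")
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)

def make_receive(chunks):
    """Constructed ASGI receive() that replays the given body chunks."""
    queue = list(chunks)
    async def receive():
        body = queue.pop(0) if queue else b""
        return {"type": "http.request", "body": body, "more_body": bool(queue)}
    return receive

def run(headers, chunks):
    """Run read_body over constructed input; returns the body or 'rejected'."""
    try:
        return asyncio.run(read_body({"headers": headers}, make_receive(chunks)))
    except RequestBodyTooLarge:
        return "rejected"
```

A body that arrives in several chunks is rejected as soon as the running total passes the cap, whether the header was absent or claimed a smaller size.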


8) Use of Web Browser Cache Containing Sensitive Information (CVE-ID: CVE-2026-6907)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper cache handling in django.middleware.cache.UpdateCacheMiddleware when processing responses whose Vary header contains an asterisk ('*'). A remote attacker can trigger caching of private data to disclose sensitive information.

Private data may be stored in the cache and later served to other users.


Remediation

Install the update from the vendor's website.