Update Info

openSUSE-2026-138


Security update for python-djangorestframework, python-Django


Type: security
Severity: moderate
Issued: 2026-04-19
Description:
This update for python-djangorestframework, python-Django fixes the following issues:

python-djangorestframework:

- CVE-2024-21520: Fixed improper input sanitization before splitting and joining with 'br' tags (boo#1227077)
- Tests can be run only on the (newer) python311 stack
- Make it at least installable on the python3 stack (no guarantees for it to run)
- Use sle15allpythons to get the Python 3.6 packages too (jsc#PED-8919)

python-Django:

- CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin (boo#1261731)
- CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable (boo#1261732)
- CVE-2026-33033: Potential denial-of-service vulnerability in
  MultiPartParser via base64-encoded file upload (boo#1261722)
- CVE-2026-25674: Fixed a race condition that could lead to potential
  incorrect permissions on newly created file system objects (boo#1259142)
- Let django-admin be the master alternative
  * django-admin.py was dropped in newer releases of Django
  * uninstall the alternatives in postun as is standard in SUSE

Packages


  • python-Django-2.2.28-bp156.39.1
  • python-djangorestframework-3.14.0-bp156.2.3.1
  • python-djangorestframework-test-3.14.0-bp156.2.3.6