
Apply Django Security Patch v4.2.19 for Sumac #436

Open
5 of 10 tasks
magajh opened this issue Feb 7, 2025 · 7 comments
Labels
security Relates to improving to the security posture of the platform

Comments

@magajh

magajh commented Feb 7, 2025

Apply latest Django patch https://docs.djangoproject.com/en/5.1/releases/4.2.19/
which contains latest security fix https://docs.djangoproject.com/en/5.1/releases/4.2.18/

Django 4.2.18 fixes a security issue with severity “moderate” in 4.2.17.
CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation

Lack of upper bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address were vulnerable, as was the django.forms.GenericIPAddressField form field, which has now been updated to define a max_length of 39 characters.

The django.db.models.GenericIPAddressField model field was not affected.

Open edX services to upgrade (taken from https://openedx.atlassian.net/wiki/spaces/COMM/pages/4558782480/Sumac.master)
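A defender-side check for the rollout described in this issue, added here as an example and not part of the issue, of Django, or of any Open edX repository: it scans requirements-style text for `Django==x.y.z` pins and reports whether the 4.2 line is at or above 4.2.18, the floor for the CVE-2024-56374 fix quoted above. It assumes pins use the exact `==` operator; release lines other than 4.2 are reported as "unknown" rather than guessed, and the sample requirements text is constructed.

```python
import re

# Fix floor for CVE-2024-56374 on the 4.2 LTS line, taken from the release
# note quoted in the issue (4.2.18); the issue itself targets 4.2.19.
# Other release lines are deliberately not covered and come back as "unknown".
FIXED_FLOORS = {(4, 2): (4, 2, 18)}

# Matches an exact pin such as "Django==4.2.17"; commented-out lines do not match.
PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9][0-9.]*)", re.IGNORECASE)


def parse_version(text):
    """'4.2.17' -> (4, 2, 17); non-numeric components are dropped."""
    return tuple(int(part) for part in text.strip(".").split(".") if part.isdigit())


def classify_pin(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a pinned Django version tuple."""
    floor = FIXED_FLOORS.get(version[:2])
    if floor is None:
        return "unknown"
    return "patched" if version >= floor else "vulnerable"


def audit_requirements(text):
    """Scan requirements text; return {line_no: (pinned_version, status)} for Django pins."""
    findings = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PIN_RE.match(line)
        if match:
            pinned = match.group(1)
            findings[line_no] = (pinned, classify_pin(parse_version(pinned)))
    return findings


# Constructed sample resembling a service's pinned requirements (not real repo content).
SAMPLE_REQUIREMENTS = """\
celery==5.4.0
Django==4.2.17
djangorestframework==3.15.2
# django==4.2.19  (commented-out pins are ignored)
"""

if __name__ == "__main__":
    for line_no, (pinned, status) in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"line {line_no}: Django=={pinned} -> {status}")
```

Point the same function at each service's actual requirements file to build the per-service checklist this issue tracks.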

@magajh
Author

magajh commented Feb 10, 2025

@farhaanbukhsh @mariajgrimaldi Just tagging you both to check if it's possible to include these patches for Sumac.2.
For what it's worth, I don't think this is a release blocker, but it would be nice to have.

@farhaanbukhsh
Member

@magajh We have pushed the release to Wednesday because we wanted the security patches to get in Sumac.2? cc: @mariajgrimaldi

@mariajgrimaldi
Member

Hi there, thanks for the tag! I think it's worth trying to get this for Sumac.2, even if it's an urgent patch.

@magajh
Author

magajh commented Feb 11, 2025

Awesome @mariajgrimaldi @farhaanbukhsh, thanks.
It worries me that some of the checks are failing in the edx-platform PR and I'm not sure why: openedx/edx-platform#36234

@mariajgrimaldi
Member

@magajh: I don't think the failures are related to the upgrade so I ran them again to see whether they're resolved.

@farhaanbukhsh
Member

@mariajgrimaldi @magajh I will review these PRs as well and merge them and prepare for the release cut tomorrow.

@farhaanbukhsh
Member

@magajh I am not able to verify the enterprise repo, and its tests also don't have a Django CI, which makes me uncomfortable merging them. The rest I have merged :)

cc: @mariajgrimaldi
