Critical Vulnerabilities in Django affect Foreman-Katello?

Problem:
I couldn’t find any Security Advisories on whether the vulnerabilities in Django (reported on the 6th of August and fixed in version 4.2.15) affect Foreman-Katello (which uses Django version 4.2.11).

Django Security Advisory: Django security releases issued: 5.0.8 and 4.2.15 | Weblog | Django

Expected outcome:
Clarification if Foreman-Katello 4.13.1 is affected by the reported vulnerabilities or not.

I created a PR to update the package in nightly: Update python-django to 4.2.15 by dgoetz · Pull Request #1133 · theforeman/pulpcore-packaging · GitHub

After this is reviewed and merged, it should be backported to the latest two releases.

1 Like

It’s actually 4.2.14 which is available in the pulpcore repo for a few days now.

It depends on the Katello version which Pulp version, and therefore which Django version, is used (Katello - Pulp - Django):
Nightly - 3.49 - 4.2.14
4.13 - 3.49 - 4.2.14
4.12 - 3.39 - 4.2.11

Yes. But the question was about Katello 4.13.1 and there 4.2.14 is the latest in the repos and not 4.2.11 as was mentioned in the post.

@Odilhao is probably the best person to look at this.

Hello,

The fix on 3.49 is now published:

https://yum.theforeman.org/pulpcore/3.49/el8/x86_64/python3.11-django-4.2.15-1.el8.noarch.rpm

https://yum.theforeman.org/pulpcore/3.49/el9/x86_64/python3.11-django-4.2.15-1.el9.noarch.rpm

The pipeline for 3.39 is running, and it should be published in one hour.

2 Likes