Arch Linux Security Advisory ASA-202003-5 ========================================= Severity: Medium Date : 2020-03-08 CVE-ID : CVE-2020-9402 Package : python-django Type : sql injection Remote : Yes Link : https://security.archlinux.org/AVG-1111 Summary ======= The package python-django before version 3.0.4-1 is vulnerable to sql injection. Resolution ========== Upgrade to 3.0.4-1. # pacman -Syu "python-django>=3.0.4-1" The problem has been fixed upstream in version 3.0.4. Workaround ========== None. Description =========== A potential SQL injection has been found in Django before 3.0.4, via tolerance parameter in GIS functions and aggregates on Oracle. Impact ====== A remote attacker can alter the database via a SQL injection. References ========== https://docs.djangoproject.com/en/dev/releases/3.0.4/ https://www.openwall.com/lists/oss-security/2020/03/04/1 https://www.djangoproject.com/weblog/2020/mar/04/security-releases/ https://github.com/django/django/commit/26a5cf834526e291db00385dd33d319b8271... https://security.archlinux.org/CVE-2020-9402