Your message dated Sat, 05 Aug 2023 20:36:33 +0000
with message-id <e1qso0n-006cjv...@fasolo.debian.org>
and subject line Bug#1035467: fixed in python-django 2:2.2.28-1~deb11u2
has caused the Debian Bug report #1035467,
regarding python-django: CVE-2023-31047
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1035467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.11.29-1+deb10u7
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django:
CVE-2023-31047: Potential bypass of validation when uploading
multiple files using one form field
Uploading multiple files using one form field has never been
supported by forms.FileField or forms.ImageField as only the last
uploaded file was validated. Unfortunately, the Uploading multiple files
topic suggested otherwise.
In order to avoid the vulnerability, ClearableFileInput and
FileInput form widgets now raise ValueError when the multiple HTML
attribute is set on them. To prevent the exception and keep the old
behavior, set allow_multiple_selected to True.
For more details on using the new attribute and handling of multiple
files through a single field, see Uploading multiple files.
— <https://www.djangoproject.com/weblog/2023/may/03/security-releases/>
Regards,
--
  ,''`.
 : :'  :     Chris Lamb
 `. `'`      la...@debian.org / chris-lamb.co.uk
   `-
--- End Message ---
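To make the failure mode in the report above concrete, here is an added pure-Python model of it. It is not Django's code (Django is not imported); the Upload, FileField, MultipleFileField and run_form names and the upload policy are hypothetical stand-ins. It reproduces the contract the advisory describes: a single-file widget hands the field only the last of several same-named parts, so earlier parts are never validated even though a view using request.FILES.getlist() would still receive all of them; the multi-file variant validates every part; and the patched single-file widget refuses the multiple attribute.

```python
from dataclasses import dataclass

# Hypothetical upload policy standing in for the field's validators.
ALLOWED_TYPES = {"image/png", "image/jpeg"}
MAX_SIZE = 1_000_000  # bytes


@dataclass(frozen=True)
class Upload:
    """Stand-in for an UploadedFile: only what the policy inspects."""
    name: str
    content_type: str
    size: int


class ValidationError(Exception):
    pass


def validate_upload(upload: Upload) -> Upload:
    if upload.content_type not in ALLOWED_TYPES:
        raise ValidationError(f"{upload.name}: content type {upload.content_type!r} not allowed")
    if upload.size > MAX_SIZE:
        raise ValidationError(f"{upload.name}: {upload.size} bytes exceeds {MAX_SIZE}")
    return upload


class FileInput:
    """Models the single-file widget after the fix."""
    allow_multiple_selected = False

    def __init__(self, attrs=None):
        self.attrs = dict(attrs or {})
        # The fix: a single-file widget refuses the `multiple` attribute.
        if self.attrs.get("multiple") and not self.allow_multiple_selected:
            raise ValueError("FileInput does not support multiple uploads; "
                             "set allow_multiple_selected=True")

    def value_from_datadict(self, files, name):
        # `files` models request.FILES: a list when the client sent several parts
        # under one field name. The client decides that, whatever the HTML said.
        value = files.get(name)
        if isinstance(value, list):
            if not self.allow_multiple_selected:
                # MultiValueDict.get semantics: only the LAST value comes back,
                # so only that file ever reaches the field's validation.
                return value[-1] if value else None
            return list(value)
        return value


class MultipleFileInput(FileInput):
    allow_multiple_selected = True


class FileField:
    widget_class = FileInput

    def __init__(self, widget=None):
        self.widget = widget if widget is not None else self.widget_class()

    def clean(self, data):
        if data is None:
            raise ValidationError("no file submitted")
        return validate_upload(data)


class MultipleFileField(FileField):
    """A multi-capable widget plus a clean() that validates every element."""
    widget_class = MultipleFileInput

    def clean(self, data):
        if not isinstance(data, list):
            data = [data]
        cleaned = []
        for item in data:
            cleaned.append(super().clean(item))
        return cleaned


def run_form(field, files, name="attachments"):
    """Widget -> field pipeline. Returns (validated_names, never_validated_names, error)."""
    submitted = files.get(name, [])
    submitted = submitted if isinstance(submitted, list) else [submitted]
    try:
        cleaned = field.clean(field.widget.value_from_datadict(files, name))
    except ValidationError as exc:
        return [], [], str(exc)
    cleaned = cleaned if isinstance(cleaned, list) else [cleaned]
    return [u.name for u in cleaned], [u.name for u in submitted if u not in cleaned], None


def widget_accepts_multiple(widget_cls):
    """True if the widget can be built with multiple=True without raising."""
    try:
        widget_cls(attrs={"multiple": True})
    except ValueError:
        return False
    return True


# Constructed request: two parts under one field name, the bad file first.
ATTACK_FILES = {"attachments": [Upload("shell.php", "application/x-php", 120),
                                Upload("cat.png", "image/png", 4096)]}

if __name__ == "__main__":
    print(run_form(FileField(), ATTACK_FILES))          # (['cat.png'], ['shell.php'], None)
    print(run_form(MultipleFileField(), ATTACK_FILES))  # ([], [], 'shell.php: ...')
    print(widget_accepts_multiple(FileInput), widget_accepts_multiple(MultipleFileInput))
```

The second element of run_form's result is the part of the problem that matters operationally: the unvalidated upload is not lost, it is still present in the request and gets saved by any view that loops over getlist(). Note also that nothing in the old behaviour depended on the HTML form carrying multiple; any client can send several same-named parts.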
--- Begin Message ---
Source: python-django
Source-Version: 2:2.2.28-1~deb11u2
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1035...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 28 Jul 2023 14:19:58 +0100
Source: python-django
Binary: python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 2:2.2.28-1~deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework
Closes: 1030251 1031290 1035467 1040225
Changes:
python-django (2:2.2.28-1~deb11u2) bullseye-security; urgency=high
.
* CVE-2023-23969: Potential denial-of-service via Accept-Language headers.
.
The parsed values of Accept-Language headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector via
excessive memory usage if large header values are sent.
.
In order to avoid this vulnerability, the Accept-Language header is now
parsed up to a maximum length. (Closes: #1030251)
.
* CVE-2023-36053: Potential regular expression denial of service
vulnerability in EmailValidator/URLValidator.
.
EmailValidator and URLValidator were subject to potential regular
expression denial of service attack via a very large number of domain name
labels of emails and URLs. (Closes: #1040225)
.
* CVE-2023-31047: Prevent a potential bypass of validation when uploading
multiple files using one form field.
.
Uploading multiple files using one form field has never been supported by
forms.FileField or forms.ImageField as only the last uploaded file was
validated. Unfortunately, the Uploading multiple files topic suggested
otherwise. In order to avoid the vulnerability, the ClearableFileInput and
FileInput form widgets now raise ValueError when the multiple HTML
attribute is set on them. To prevent the exception and keep the old
behavior, set the allow_multiple_selected attribute to True.
(Closes: #1035467)
.
* CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
.
Passing certain inputs to multipart forms could result in too many open
files or memory exhaustion, and provided a potential vector for a
denial-of-service attack. The number of file parts parsed is now limited
via the new DATA_UPLOAD_MAX_NUMBER_FILES setting. (Closes: #1031290)
.
* Add/apply the URLValidator patch from sid.
Checksums-Sha1:
9faae80750a039b4cee415498f5651116b277f49 2811
python-django_2.2.28-1~deb11u2.dsc
1aa4deee428cf10e68b3af8933ca430a0e25c622 41720
python-django_2.2.28-1~deb11u2.debian.tar.xz
c96310767dcb6eb289299f5b195297ed417646c3 3122152
python-django-doc_2.2.28-1~deb11u2_all.deb
d2cf01cfdbc5d4c86e65f5dab4d6b3ce5f9dcc5b 8216
python-django_2.2.28-1~deb11u2_amd64.buildinfo
afaaef9e8e925ee6166e1a112d8b104b6e10df62 2685988
python3-django_2.2.28-1~deb11u2_all.deb
Checksums-Sha256:
73c8be4319e6d37bcd715fb5bf32ff2899b4381e924e611ad3cd70fa3b26b85a 2811
python-django_2.2.28-1~deb11u2.dsc
f3cd4875b523ffdb5254cbe49dc10059b2b321372847b1cea14c5e442a5d9535 41720
python-django_2.2.28-1~deb11u2.debian.tar.xz
9767ecb0919247d102aa5dbe47288162be7d9bfcb36ef3c23593c04b779f0236 3122152
python-django-doc_2.2.28-1~deb11u2_all.deb
6a5515d419e6e70fd9254155809b7f22dce164598e420735961f9028a7f56e98 8216
python-django_2.2.28-1~deb11u2_amd64.buildinfo
4c9654c014765f94f7b85c28ef9c1d6d93368be7c3d39227058e7a0fef0593be 2685988
python3-django_2.2.28-1~deb11u2_all.deb
Files:
b668564958ca9b5490f2d2b552d57f5b 2811 python optional
python-django_2.2.28-1~deb11u2.dsc
a43d5ae15927d611760653560069d210 41720 python optional
python-django_2.2.28-1~deb11u2.debian.tar.xz
431959df117303bbf9d1a28db1f98f86 3122152 doc optional
python-django-doc_2.2.28-1~deb11u2_all.deb
1d172d7df8f2c761ce2b1f9df171659a 8216 python optional
python-django_2.2.28-1~deb11u2_amd64.buildinfo
9ca00bdc99d3267306943a51b7f92b85 2685988 python optional
python3-django_2.2.28-1~deb11u2_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
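Added example for the CVE-2023-23969 entry in the changelog above. This is not Django's code: parse_accept_lang, LRUCache, AcceptLanguageParser and attack are hypothetical names, and the per-piece grammar is a simplified model of the header. It shows why caching parsed Accept-Language values is a memory-exhaustion vector when the cache key is an unbounded attacker-controlled string, and the fix pattern of cutting the header back to whole pieces within a maximum length before it reaches the cache.

```python
import re
from collections import OrderedDict

# Same bound Django adopted for this header; the constant name is Django's.
ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500

# One comma-separated piece: "en", "en-GB", "es-419", "*", optionally ";q=0.8".
_PIECE_RE = re.compile(
    r"([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"(?:\s*;\s*q=(0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?))?"
)


def parse_accept_lang(header: str) -> tuple:
    """Uncached parse: ((lang, q), ...) sorted by q descending, or () if any
    piece is malformed (whole-header rejection, a simplification)."""
    result = []
    for piece in header.split(","):
        piece = piece.strip()
        if not piece:
            continue
        m = _PIECE_RE.fullmatch(piece)
        if m is None:
            return ()
        lang, q = m.groups()
        result.append((lang.lower(), float(q) if q else 1.0))
    result.sort(key=lambda item: item[1], reverse=True)
    return tuple(result)


class LRUCache:
    """Tiny LRU that can report how many bytes of keys it retains
    (functools.lru_cache keeps that hidden)."""
    _MISS = object()

    def __init__(self, maxsize):
        self.maxsize = maxsize
        self._data = OrderedDict()

    def get(self, key):
        if key not in self._data:
            return self._MISS
        self._data.move_to_end(key)
        return self._data[key]

    def put(self, key, value):
        self._data[key] = value
        self._data.move_to_end(key)
        if len(self._data) > self.maxsize:
            self._data.popitem(last=False)

    def key_bytes(self):
        return sum(len(k) for k in self._data)


class AcceptLanguageParser:
    def __init__(self, max_header_length=None, cache_size=1000):
        self.max_header_length = max_header_length  # None models the vulnerable behaviour
        self.cache = LRUCache(cache_size)

    def parse(self, header):
        if self.max_header_length is not None and len(header) > self.max_header_length:
            # The fix pattern: keep only whole pieces that fit inside the bound,
            # so the cache key can never exceed max_header_length.
            cut = header.rfind(",", 0, self.max_header_length)
            header = header[:cut] if cut > 0 else ""
        cached = self.cache.get(header)
        if cached is not LRUCache._MISS:
            return cached
        parsed = parse_accept_lang(header)
        self.cache.put(header, parsed)
        return parsed


def attack(parser, requests=200, header_size=100_000):
    """Constructed attacker traffic: each request carries a distinct, huge but
    syntactically valid header. Returns the bytes of header text the cache holds."""
    filler = ",de" * ((header_size - 20) // 3)
    for i in range(requests):
        parser.parse(f"en;q=0.9,aa-{i:05d}{filler}")
    return parser.cache.key_bytes()


if __name__ == "__main__":
    print(attack(AcceptLanguageParser(max_header_length=None)))
    print(attack(AcceptLanguageParser(max_header_length=ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)))
```

With the bound off, the cache's retained bytes scale with requests times header length, which the attacker chooses; the cache entry limit alone does not help because each key is as large as the client wants. With the bound on, the same traffic retains at most cache_size times 500 bytes, and the truncation is at a piece boundary so legitimate prefixes still parse.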
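Added example for the CVE-2023-24580 entry in the changelog above. This is not Django's multipart parser; iter_parts, parse_multipart, build_body and files_accepted are hypothetical names, and only the DATA_UPLOAD_MAX_NUMBER_FILES default and the TooManyFilesSent exception name are taken from Django. It is a minimal multipart/form-data reader that counts file parts as they are framed and raises once the count exceeds the cap, so a request carrying thousands of file parts is refused before all of them are materialised.

```python
import re

DATA_UPLOAD_MAX_NUMBER_FILES = 100  # Django's default for the setting


class TooManyFilesSent(Exception):
    pass


_DISPOSITION_RE = re.compile(rb'name="([^"]*)"(?:;\s*filename="([^"]*)")?')


def iter_parts(body: bytes, boundary: bytes):
    """Yield (header_bytes, content_bytes) per part using RFC 2046 framing:
    parts are separated by CRLF--boundary and the body ends with --boundary--."""
    delimiter = b"--" + boundary
    start = body.find(delimiter)
    if start < 0:
        raise ValueError("boundary not found")
    rest = body[start + len(delimiter):]
    while not rest.startswith(b"--"):  # "--" right after the delimiter closes the body
        if not rest.startswith(b"\r\n"):
            raise ValueError("malformed part boundary")
        rest = rest[2:]
        end = rest.find(b"\r\n" + delimiter)
        if end < 0:
            raise ValueError("unterminated part")
        part, rest = rest[:end], rest[end + 2 + len(delimiter):]
        sep = part.find(b"\r\n\r\n")
        if sep < 0:
            raise ValueError("part without header/body separator")
        yield part[:sep], part[sep + 4:]


def parse_multipart(body, boundary, max_files=DATA_UPLOAD_MAX_NUMBER_FILES):
    """Returns (fields, files). Raises TooManyFilesSent as soon as the file-part
    count exceeds max_files, before any further part is retained."""
    fields, files, file_count = {}, {}, 0
    for headers, content in iter_parts(body, boundary):
        m = _DISPOSITION_RE.search(headers)
        if m is None:
            raise ValueError("part without Content-Disposition name")
        name, filename = m.group(1).decode(), m.group(2)
        if filename is None:
            fields.setdefault(name, []).append(content.decode())
            continue
        file_count += 1
        if max_files is not None and file_count > max_files:
            raise TooManyFilesSent(f"more than {max_files} file parts")
        files.setdefault(name, []).append((filename.decode(), content))
    return fields, files


def build_body(boundary, fields, files):
    """Constructed input only: encode {name: value} fields and
    (name, filename, bytes) files the way a browser would."""
    out = []
    for name, value in fields.items():
        out.append(b"--" + boundary + b"\r\n"
                   + b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
                   + value.encode() + b"\r\n")
    for name, filename, content in files:
        out.append(b"--" + boundary + b"\r\n"
                   + b'Content-Disposition: form-data; name="' + name.encode()
                   + b'"; filename="' + filename.encode() + b'"\r\n'
                   + b"Content-Type: application/octet-stream\r\n\r\n"
                   + content + b"\r\n")
    out.append(b"--" + boundary + b"--\r\n")
    return b"".join(out)


def files_accepted(body, boundary, max_files=DATA_UPLOAD_MAX_NUMBER_FILES):
    """Number of file parts retained, or -1 if the cap rejected the request."""
    try:
        _, files = parse_multipart(body, boundary, max_files)
    except TooManyFilesSent:
        return -1
    return sum(len(v) for v in files.values())


if __name__ == "__main__":
    boundary = b"----constructedboundary"
    flood = build_body(boundary, {}, [("f", f"{i}.bin", b"x") for i in range(5000)])
    print(files_accepted(flood, boundary))                  # -1: rejected by the cap
    print(files_accepted(flood, boundary, max_files=None))  # 5000: every part retained
```

The cap is checked per part as the body is walked, so the cost of a rejected request is bounded by max_files parts rather than by whatever the client sent; a real parser that streams from the socket and opens a temporary file per part gets the same benefit for file descriptors.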