Your message dated Wed, 10 Jul 2024 09:08:02 +0000 with message-id <e1srtiw-00egxi...@fasolo.debian.org> and subject line Bug#1076069: fixed in python-django 3:4.2.14-1 has caused the Debian Bug report #1076069, regarding python-django: CVE-2024-38875 CVE-2024-39329 CVE-2024-39330 CVE-2024-39614 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
1076069: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076069
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.11.29-1+deb10u11
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

Django upstream have reported the following four vulnerabilities:

  https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

I have not yet investigated which, if any, of these vulnerabilities apply to which versions of src:python-django. However, an upload to unstable will follow the reporting of this bug, and an upload to experimental will take place once a new 5.1 beta is released.

CVE-2024-38875[0]:
| An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before
| 5.0.7. urlize and urlizetrunc were subject to a potential denial of
| service attack via certain inputs with a very large number of
| brackets.

CVE-2024-39329[1]:
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before
| 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate()
| method allows remote attackers to enumerate users via a timing
| attack involving login requests for users with an unusable password.

CVE-2024-39330[2]:
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before
| 4.2.14. Derived classes of the django.core.files.storage.Storage
| base class, when they override generate_filename() without
| replicating the file-path validations from the parent class,
| potentially allow directory traversal via certain inputs during a
| save() call. (Built-in Storage sub-classes are unaffected.)

CVE-2024-39614[3]:
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before
| 4.2.14. get_supported_language_variant() was subject to a potential
| denial-of-service attack when used with very long strings containing
| specific characters.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-38875
    https://www.cve.org/CVERecord?id=CVE-2024-38875
[1] https://security-tracker.debian.org/tracker/CVE-2024-39329
    https://www.cve.org/CVERecord?id=CVE-2024-39329
[2] https://security-tracker.debian.org/tracker/CVE-2024-39330
    https://www.cve.org/CVERecord?id=CVE-2024-39330
[3] https://security-tracker.debian.org/tracker/CVE-2024-39614
    https://www.cve.org/CVERecord?id=CVE-2024-39614

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
--- End Message ---
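The CVE-2024-39330 entry in the report above describes a Storage subclass that overrides generate_filename() without repeating the parent's path checks. The following is an added example, not Django's code and not part of the bug report: a minimal stand-in storage hierarchy (BaseStorage, HardenedStorage, PrefixingMixin, LeakyStorage, SafeStorage, validate_file_name and the /srv/media root are all assumptions) showing how such an override lets "../" and absolute inputs land outside the media root, and how a save() that re-validates the final name, whatever the subclass returned, refuses them.

```python
"""Added example, not Django's own code: the class of bug behind
CVE-2024-39330 in a minimal stand-in for a Storage hierarchy.
All names here (BaseStorage, HardenedStorage, PrefixingMixin, LeakyStorage,
SafeStorage, validate_file_name, the /srv/media root) are assumptions."""
import posixpath
import re


class SuspiciousFileOperation(Exception):
    """Raised when a computed file name would escape the storage root."""


def validate_file_name(name, allow_relative_path=False):
    """Reject empty or dot names, absolute paths and any '..' component.
    Modelled on the parent-class checks the advisory refers to."""
    name = str(name).replace("\\", "/")
    if posixpath.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        if name.startswith("/") or ".." in name.split("/"):
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif name != posixpath.basename(name):
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


class BaseStorage:
    """Pre-fix shape: save() trusts whatever generate_filename() returned."""

    root = "/srv/media"

    def get_valid_name(self, name):
        return re.sub(r"[^\w.-]", "", name.strip().replace(" ", "_"))

    def generate_filename(self, filename):
        """Parent implementation: validates the relative path, then
        sanitises the basename. An override that replaces it loses both."""
        filename = validate_file_name(filename, allow_relative_path=True)
        dirname, basename = posixpath.split(filename)
        return posixpath.normpath(posixpath.join(dirname, self.get_valid_name(basename)))

    def save(self, name, content):
        return self._save(self.generate_filename(name), content)

    def _save(self, name, content):
        # A real backend would write `content` here; we only resolve the path.
        return posixpath.normpath(posixpath.join(self.root, name))


class HardenedStorage(BaseStorage):
    """Post-fix shape: save() re-validates the name regardless of which
    subclass produced it, so a careless override cannot escape the root."""

    def save(self, name, content):
        name = validate_file_name(self.generate_filename(name), allow_relative_path=True)
        return self._save(name, content)


class PrefixingMixin:
    """The kind of override the advisory warns about: adds a prefix and
    drops the parent's validation instead of calling super()."""

    def generate_filename(self, filename):
        return posixpath.join("uploads", str(filename))


class LeakyStorage(PrefixingMixin, BaseStorage):
    pass


class SafeStorage(PrefixingMixin, HardenedStorage):
    pass


def resolve(storage, upload_name):
    """Path save() would write to, or the exception name if it refused."""
    try:
        return storage.save(upload_name, b"constructed content")
    except SuspiciousFileOperation:
        return "SuspiciousFileOperation"


def escapes_root(storage, path):
    """True when a resolved path lies outside the storage root."""
    return not path.startswith(storage.root + "/")


if __name__ == "__main__":
    for storage in (BaseStorage(), LeakyStorage(), SafeStorage()):
        for name in ("avatars/my photo.png", "../../../etc/cron.d/evil", "/etc/passwd"):
            print(f"{type(storage).__name__:13} {name:26} -> {resolve(storage, name)}")
```

Note that the check has to run on the name the override returned, not on the caller's input: LeakyStorage never sees a ".." rejected because nothing between its generate_filename() and _save() looks at the path, while SafeStorage refuses "../", absolute and backslash-separated inputs alike because validate_file_name() normalises backslashes before splitting.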
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.14-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1076...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Jul 2024 09:50:49 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.14-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1076069
Changes:
 python-django (3:4.2.14-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #1076069)
 .
     - CVE-2024-38875: Prevent a potential denial-of-service in
       django.utils.html.urlize. This method (and urlizetrunc) were subject
       to a potential DoS attack via specially-crafted inputs with a very
       large number of brackets.
 .
     - CVE-2024-39329: Avoid a username enumeration vulnerability through
       timing difference for users with unusable password. The authenticate
       method of django.contrib.auth.backends.ModelBackend method allowed
       remote attackers to enumerate users via a timing attack involving
       login requests for users with unusable passwords.
 .
     - CVE-2024-39330: Address a potential directory-traversal in
       django.core.files.storage.Storage.save. Derived classes of this
       method's base class which override generate_filename without
       replicating the file path validations existing in the parent class
       allowed for potential directory-traversal via certain inputs when
       calling save(). Built-in Storage sub-classes were not affected by
       this vulnerability.
 .
     - CVE-2024-39614: Fix a potential denial-of-service in
       django.utils.translation.get_supported_language_variant. This method
       was subject to a potential DoS attack when used with very long
       strings containing specific characters. To mitigate this
       vulnerability, the language code provided to
       get_supported_language_variant is now parsed up to a maximum length
       of 500 characters.
 .
     <https://www.djangoproject.com/weblog/2024/jul/09/security-releases/>
Checksums-Sha1:
 54849f70429154923684eb1a0bccc177054ed13b 2764 python-django_4.2.14-1.dsc
 62b423064e3b75f038bd19729f3252135d399a8e 10432993 python-django_4.2.14.orig.tar.gz
 94bba81e15567b37f8444f29297adbe869a8b2c7 31684 python-django_4.2.14-1.debian.tar.xz
 9c05576ad5e36418dd1a0f6a2364b58c3a6b6f04 7609 python-django_4.2.14-1_amd64.buildinfo
Checksums-Sha256:
 b04170e1839c204ab68a81bca6502818c02c834b4dd5cb190f4a02afbfe0f7c5 2764 python-django_4.2.14-1.dsc
 fc6919875a6226c7ffcae1a7d51e0f2ceaf6f160393180818f6c95f51b1e7b96 10432993 python-django_4.2.14.orig.tar.gz
 961890b3c800e2bb7a91a458f0431d0fc2d3108adaf9f5783c62d2528c050b1e 31684 python-django_4.2.14-1.debian.tar.xz
 26470407949819179ff78a1929d43095e3efe3476bc77ae9f7d9ea0a6d4f2eb4 7609 python-django_4.2.14-1_amd64.buildinfo
Files:
 dfacce4ca122e73ced58e790fd98b488 2764 python optional python-django_4.2.14-1.dsc
 34e53943311a2603dd54c46f284136db 10432993 python optional python-django_4.2.14.orig.tar.gz
 9c21425a07fe15298b9044242bc3e81f 31684 python optional python-django_4.2.14-1.debian.tar.xz
 ce86d58018c7d9fd838bdf16e6634978 7609 python optional python-django_4.2.14-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmaOTa0ACgkQHpU+J9Qx
HljZ3A//fg0BCuHk3ZvxWM53wx/zfpba6CtQg1nKn80xzdeoMr0glAKF7+6yyQaK
WrHsP7S2PL0dfW8JIo0ABHG11GEdubmAKMi95Ne8vQdxPnwBF0AMqZifkE0uB3ub
oxl5TzcEoPa7m7JQEUb7pphzf0fLw1Hn850abhjqxbHG9ClQ9EdRSCSD5A/M8IEn
0rJvlVt5eA6+KvM4WrJePhpt3bRBA+iA5IqHe1GcI6hsgYniz4mMhIQO8iEaT1vh
FIRG6hmQ6G3/Ie97QsSesE/Q3S1exbZv31fdsUf0DZemNlZvDg5YCOfqV1U29ReK
TWCNAxI/2FDDxpZOMx0mEAkjS1Lxgbd7ryN40y0JcuuzcBxWV0W5k46BHHlduOZ5
23rcosa/8/WUMGp8shQm3QDQVi1UfHe9ZtnBHLa3esS93pxzCQnJFhZCfVcJb5+O
EYdBdsWj6naFGqX6OZ+iwDFhYn72DcPw2XSxTT87MgJHihYh+e91M3e9R2ntS5KH
x9pSN7detF6OIi4iQb7QnhJ7hsIA8ZorI32kirARkujVCYuVMsMN0UvFfr6iSoJW
oEKDaVximjWt3Grn314QHGxxDrhBLPQF0HCl4uq3zBsDjateMDPH4Qc4eaUIwzRb
osmCXbKVF5q6oPr6BO3rorfl2GvcYabAvjyD9ZvmnZDypTwGXNA=
=tkVV
-----END PGP SIGNATURE-----
--- End Message ---
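The CVE-2024-39329 changelog entry above says the timing difference arises for users with an unusable password. The following is an added example, not Django's code and not part of either message: a constructed PBKDF2 hasher, a "!"-prefixed unusable-password marker and a two-user table (all assumptions), with a pre-fix-shaped authenticate that returns before hashing for such users next to a fixed shape that does exactly one hash on every path. The hasher is instrumented so the leak shows up as a count of hash runs rather than as a flaky timing measurement; profile() prints wall-clock times when the file is run directly.

```python
"""Added example, not Django's own code: the class of bug behind
CVE-2024-39329. The hasher, the '!' unusable-password marker, the user
table and the function names are constructed stand-ins."""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 50_000      # enough work that a skipped hash is measurable
UNUSABLE_PREFIX = "!"    # marks accounts that can never log in with a password
hash_calls = 0           # instrumentation only: counts slow-hash runs


def _pbkdf2(password, salt, iterations=ITERATIONS):
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def make_password(password):
    salt = secrets.token_hex(8)
    return f"pbkdf2_sha256${ITERATIONS}${salt}${_pbkdf2(password, salt)}"


def make_unusable_password():
    return UNUSABLE_PREFIX + secrets.token_hex(20)


def is_password_usable(encoded):
    return encoded is not None and not encoded.startswith(UNUSABLE_PREFIX)


def verify(password, encoded):
    """Recompute the hash and compare in constant time."""
    _algorithm, iterations, salt, digest = encoded.split("$", 3)
    return hmac.compare_digest(_pbkdf2(password, salt, int(iterations)), digest)


# Constructed user table: a normal account and one that only logs in via SSO.
USERS = {
    "alice": make_password("correct horse battery staple"),
    "sso-only-bob": make_unusable_password(),
}
# Hashed once at import so that attempts against unknown users also cost one hash.
DUMMY = make_password(secrets.token_hex(16))


def authenticate_before(username, password):
    """Pre-fix shape: an unusable password returns before any hashing, so
    that branch is far faster than the 'unknown user' and 'wrong password'
    branches, which tells an attacker the account exists."""
    encoded = USERS.get(username)
    if encoded is None:
        verify(password, DUMMY)          # burn one hash for unknown users
        return None
    if not is_password_usable(encoded):
        return None                      # fast path: no hash at all
    return username if verify(password, encoded) else None


def authenticate_after(username, password):
    """Fixed shape: every outcome performs exactly one hash computation."""
    encoded = USERS.get(username)
    if encoded is None or not is_password_usable(encoded):
        verify(password, DUMMY)
        return None
    return username if verify(password, encoded) else None


def hash_work(auth, username, password="wrong"):
    """Number of slow-hash runs one login attempt triggers (the timing proxy)."""
    global hash_calls
    hash_calls = 0
    auth(username, password)
    return hash_calls


def profile(auth, names=("alice", "sso-only-bob", "nobody")):
    """Wall-clock seconds per username for a failed login, for running directly."""
    timings = {}
    for name in names:
        start = time.perf_counter()
        auth(name, "wrong")
        timings[name] = time.perf_counter() - start
    return timings


if __name__ == "__main__":
    for auth in (authenticate_before, authenticate_after):
        times = {u: f"{t * 1000:.1f} ms" for u, t in profile(auth).items()}
        print(auth.__name__, times)
```

The point to check in any custom backend is not whether the comparison itself is constant-time (hmac.compare_digest already is) but whether every rejection path pays for the same hash computation: in the pre-fix shape an attacker who measures one fast and two slow responses has learned which usernames exist even though every attempt failed.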