Your message dated Sat, 24 Aug 2024 14:32:09 +0000
with message-id <[email protected]>
and subject line Bug#1078074: fixed in python-django 3:3.2.19-1+deb12u2
has caused the Debian Bug report #1078074,
regarding python-django: CVE-2024-41989 CVE-2024-41990 CVE-2024-41991 CVE-2024-42005
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1078074: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078074
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 1:1.11.29-1+deb10u11
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django.
* CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
The floatformat template filter is subject to significant memory
consumption when given a string representation of a number in
scientific notation with a large exponent.
* CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()
The urlize() and urlizetrunc() template filters are subject to a
potential denial-of-service attack via very large inputs with a
specific sequence of characters.
* CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget
The urlize and urlizetrunc template filters, and the
AdminURLFieldWidget widget, are subject to a potential
denial-of-service attack via certain inputs with a very large number
of Unicode characters.
* CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
QuerySet.values() and values_list() methods on models with a
JSONField are subject to SQL injection in column aliases via a
crafted JSON object key as a passed *arg.
For further information see [0][1][2][3][4].
[0] https://security-tracker.debian.org/tracker/CVE-2024-41989
https://www.cve.org/CVERecord?id=CVE-2024-41989
[1] https://security-tracker.debian.org/tracker/CVE-2024-41990
https://www.cve.org/CVERecord?id=CVE-2024-41990
[2] https://security-tracker.debian.org/tracker/CVE-2024-41991
https://www.cve.org/CVERecord?id=CVE-2024-41991
[3] https://security-tracker.debian.org/tracker/CVE-2024-42005
https://www.cve.org/CVERecord?id=CVE-2024-42005
[4] https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- End Message ---
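Two caller-side checks that an application owner could apply while the patched package is pending, written as an added example that is neither Django's code nor the upstream fix series. The first mirrors the shape of CVE-2024-41989 by refusing to expand a decimal whose exponent would produce an enormous fixed-point string; the 200-digit bound is an assumed illustration value, not the upstream constant. The second is an allowlist for names handed to `QuerySet.values()` / `values_list()`, relevant to CVE-2024-42005: only plain identifiers joined by `__` pass, so a caller never forwards an arbitrary JSON key as a column alias. Both functions are standalone Python; `safe_floatformat`, `is_safe_value_name` and `validated_value_names` are names chosen here.

```python
import re
from decimal import Decimal, InvalidOperation

# Assumed bound on the decimal exponent we are willing to expand into a
# fixed-point string; an illustration value, not the upstream constant.
MAX_ABS_EXPONENT = 200

# A values()/values_list() argument is a field name, optionally joined to
# further lookups with "__"; every part must be a plain identifier.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_floatformat(text, places=2, max_abs_exponent=MAX_ABS_EXPONENT):
    """Render a numeric string with a fixed number of decimal places, or return
    None when the input is not a finite number or its magnitude would force an
    enormous digit string (the memory-exhaustion shape of CVE-2024-41989)."""
    try:
        value = Decimal(str(text))
    except InvalidOperation:
        return None
    if not value.is_finite():
        return None
    # adjusted() is the exponent of the most significant digit: for "1e100000"
    # it is 100000, i.e. the fixed-point rendering would need ~100000 digits.
    if abs(value.adjusted()) > max_abs_exponent:
        return None
    return f"{value:.{places}f}"


def is_safe_value_name(name):
    """True when name is safe to pass to QuerySet.values(*names): non-empty,
    and every "__"-separated part is a plain identifier."""
    if not isinstance(name, str) or not name:
        return False
    return all(IDENTIFIER_RE.match(part) for part in name.split("__"))


def validated_value_names(names):
    """Return the names unchanged if all are safe; otherwise raise ValueError
    listing the offending ones, so the caller fails closed."""
    bad = [n for n in names if not is_safe_value_name(n)]
    if bad:
        raise ValueError(f"unsafe values() arguments: {bad!r}")
    return list(names)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(safe_floatformat("34.23234"))      # 34.23
    print(safe_floatformat("1e5"))           # 100000.00
    print(safe_floatformat("1e100000"))      # None
    print(validated_value_names(["id", "data__name"]))
```

`safe_floatformat` returns `None` rather than raising so a template layer can fall back to the raw string; `validated_value_names` raises, because a rejected alias in a query builder should stop the request rather than silently drop a column.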
--- Begin Message ---
Source: python-django
Source-Version: 3:3.2.19-1+deb12u2
Done: Steve McIntyre <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 21 Aug 2024 12:08:24 +0100
Source: python-django
Architecture: source
Version: 3:3.2.19-1+deb12u2
Distribution: bookworm
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Closes: 1076069 1078074
Changes:
python-django (3:3.2.19-1+deb12u2) bookworm; urgency=high
.
* Rename CVE-2023-36053.patch to 0014-CVE-2023-36053.patch
* Backport upstream fixes in 3:4.2.14-1:
* Closes: #1076069
* CVE-2024-39329: Standardize timing of verify_password() when
checking unusable passwords.
* CVE-2024-39330: Add extra file name validation in Storage's save
method.
* CVE-2024-39614: Mitigate potential DoS in
get_supported_language_variant.
* The patch for CVE-2024-38875 won't sensibly backport.
* Backport upstream fixes in 3:4.2.15-1:
* Closes: #1078074
* CVE-2024-41989: Prevent excessive memory consumption in floatformat.
* CVE-2024-41991: Prevent potential ReDoS in django.utils.html.urlize()
and AdminURLFieldWidget.
* CVE-2024-42005: Mitigate QuerySet.values() SQL injection attacks against
JSON fields
Backport and tweak the upstream fix series to fit into 3.2.
* The patch for CVE-2024-41990 won't sensibly backport.
Checksums-Sha1:
df8a6b32878dc0bfad9dbb2c01848fed26b51af9 2864 python-django_3.2.19-1+deb12u2.dsc
c172c32184f8dd1e3fa9d5373fd2d3d93181bc5e 48884 python-django_3.2.19-1+deb12u2.debian.tar.xz
80c61eae4d36cdc38999c6ac345d3626dfe7b201 14089 python-django_3.2.19-1+deb12u2_source.buildinfo
Checksums-Sha256:
6965317a38ababa6ecac1d731c5c5eb7c186e59906da4013300a8a0bf3cc7809 2864 python-django_3.2.19-1+deb12u2.dsc
6bc87771c69baa09c64b2ca7918470f55a12f4fcbab0f30b004a8b383bc2e11b 48884 python-django_3.2.19-1+deb12u2.debian.tar.xz
34f194b448ee46fcf03e7db7cd3c47dd04ce8a632fb90dd72def44eb6b601e63 14089 python-django_3.2.19-1+deb12u2_source.buildinfo
Files:
8cd1dd7e7b430b871d74936f4bc51a3f 2864 python optional python-django_3.2.19-1+deb12u2.dsc
7877957da3f282b1dce79bbdc1b90df7 48884 python optional python-django_3.2.19-1+deb12u2.debian.tar.xz
b63403ce4e5576491f3d3e61ba688a63 14089 python optional python-django_3.2.19-1+deb12u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---