Your message dated Wed, 04 Jun 2025 15:51:36 +0000
with message-id <e1umqou-004krb...@fasolo.debian.org>
and subject line Bug#1107282: fixed in python-django 3:5.2.2-1
has caused the Debian Bug report #1107282,
regarding python-django: CVE-2025-48432 -- Potential log injection via
unescaped request path
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1107282: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107282
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2025-48432[0]: Potential log injection via unescaped request path
Internal HTTP response logging used `request.path` directly,
allowing control characters (e.g. newlines or ANSI escape
sequences) to be written unescaped into logs. This could enable
log injection or forgery, letting attackers manipulate log
appearance or structure, especially in logs processed by external
systems or viewed in terminals.
Although this does not directly impact Django's security model, it
poses risks when logs are consumed or interpreted by other tools.
To fix this, the internal `django.utils.log.log_response()`
function now escapes all positional formatting arguments using a
safe encoding.
More info:
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-48432
https://www.cve.org/CVERecord?id=CVE-2025-48432
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 3:5.2.2-1
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 04 Jun 2025 08:09:36 -0700
Source: python-django
Architecture: source
Version: 3:5.2.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1107282
Changes:
python-django (3:5.2.2-1) experimental; urgency=medium
.
* New upstream security release:
.
- CVE-2025-48432: Potential log injection via unescaped request path.
.
Django's internal HTTP response logging used request.path directly,
allowing control characters (e.g. newlines or ANSI escape sequences) to
be written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in terminals.
.
Although this does not directly impact Django's security model, it poses
risks when logs are consumed or interpreted by other tools. To fix this,
the internal django.utils.log.log_response() function now escapes all
positional formatting arguments using a safe encoding.
.
(Closes: #1107282)
.
<https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>
--- End Message ---
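The log injection described in the bug report above and repeated in the changelog, as an added illustration that is not Django's or the package's code: a constructed request path carrying a newline and an ANSI escape is logged once with the positional arguments interpolated raw and once with each argument escaped first. The helper names, the choice of Python's unicode_escape codec as the "safe encoding", and the sample path are assumptions made here.

```python
import io
import logging
import re

# Constructed sample: attacker-influenced path carrying a newline and an
# ANSI colour escape. Everything else in the record is the server's own.
TAMPERED_PATH = "/login\n200 OK GET /admin\x1b[31m"

# C0 control characters and DEL: any of these can break or recolour a log line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_encode(value):
    """Printable-ASCII rendering so the value cannot start a new log line.

    Uses unicode_escape ('\\n' -> backslash-n, ESC -> '\\x1b'). Assumed here
    to illustrate the fix's idea; not a claim about Django's exact codec.
    """
    return str(value).encode("unicode_escape").decode("ascii")


def log_response_raw(logger, status, method, path):
    """Pre-fix shape: positional args reach the formatter unmodified."""
    logger.warning("%s %s %s", status, method, path)


def log_response_escaped(logger, status, method, path):
    """Post-fix shape: every positional argument is escaped before formatting."""
    logger.warning("%s %s %s", *(safe_encode(a) for a in (status, method, path)))


def capture(log_fn, path):
    """Run log_fn against an in-memory handler and return the emitted text."""
    buf = io.StringIO()
    logger = logging.getLogger("demo." + log_fn.__name__)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.addHandler(logging.StreamHandler(buf))
    log_fn(logger, 404, "GET", path)
    return buf.getvalue()


def physical_lines(text):
    """Lines a line-oriented log consumer (tail, SIEM shipper) would see."""
    return len(text.rstrip("\n").split("\n"))


def contains_control_chars(text):
    """Detection check: True if a log record still carries raw control bytes."""
    return CONTROL_CHARS.search(text.rstrip("\n")) is not None
```

The raw variant yields two physical lines, the second a forged-looking "200 OK GET /admin" record; the escaped variant yields one line in which the newline and ESC appear as the literal text `\n` and `\x1b`, so the same check a log pipeline might run (`contains_control_chars`) passes.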