Your message dated Mon, 08 Jul 2019 19:54:53 +0000
with message-id <e1hkziv-00024i...@fasolo.debian.org>
and subject line Bug#922027: fixed in python-django 1:1.10.7-2+deb9u5
has caused the Debian Bug report #922027,
regarding CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
922027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922027
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: Django 2.2, 1.11
Severity: normal
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() -- used by contrib.admin as well as the
floatformat, filesizeformat, and intcomma template filters -- received a
Decimal with a large number of digits or a large exponent, it could lead to
significant memory usage due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.
Thanks Sjoerd Job Postmus for reporting this issue.
Affected supported versions
Django master branch
Django 2.2 (which will be released in a separate blog post later today)
Django 2.1
Django 2.0
Django 1.11
Per our supported versions policy, Django 1.10 and older are no longer
supported.
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
Regards,
Herbert
--- End Message ---
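The failure mode the advisory above describes, and the mitigation it names (a digit cutoff before falling back to scientific notation), as an added Python example that is not part of the bug report or of Django's own code. The function names (unsafe_format, digit_budget, safe_format, would_exhaust_memory), the 64 MiB guard and the sample inputs are assumptions made for this example; only the 200-digit cutoff comes from the advisory.

```python
from decimal import Decimal

# Cutoff matching the one described in the advisory: Decimals that would need
# more than 200 digits in positional notation are rendered in scientific
# notation instead. Everything else here is illustrative, not Django's code.
MAX_PLAIN_DIGITS = 200


def _to_decimal(number) -> Decimal:
    """Accept a Decimal, an int/float or a numeric string."""
    if isinstance(number, Decimal):
        return number
    # str() first so floats keep their short repr rather than their full
    # binary expansion (Decimal(0.1) carries 55 significant digits).
    return Decimal(str(number))


def unsafe_format(number) -> str:
    """The pre-fix behaviour: always expand to positional notation.

    For Decimal('1E+1000000000') this tries to build a string of a billion
    characters. When the value comes from a request parameter the caller
    controls the exponent, so this is a memory-exhaustion primitive.
    """
    return '{:f}'.format(_to_decimal(number))


def digit_budget(number) -> int:
    """Estimate how many digits '{:f}' would have to emit for `number`.

    Derived from the Decimal's (sign, digits, exponent) tuple, so the cost is
    proportional to the digits actually stored, not to the exponent. Special
    values (NaN, Infinity) carry a non-integer exponent and are cheap to print.
    """
    _, digits, exponent = _to_decimal(number).as_tuple()
    if not isinstance(exponent, int):
        return len(digits)
    return abs(exponent) + len(digits)


def safe_format(number, max_digits: int = MAX_PLAIN_DIGITS) -> str:
    """Render a number as text without unbounded memory use.

    Small values keep the familiar positional form. Anything whose positional
    rendering would exceed `max_digits` digits falls back to '{:e}', whose
    output length grows with the stored digits plus the length of the
    exponent itself, never with the exponent's magnitude.
    """
    dec = _to_decimal(number)
    if digit_budget(dec) > max_digits:
        return '{:e}'.format(dec)
    return '{:f}'.format(dec)


def would_exhaust_memory(number, limit_bytes: int = 64 * 1024 * 1024) -> bool:
    """True if the positional rendering would need more than `limit_bytes`.

    A str is at least one byte per digit, so this is a cheap input-validation
    guard to put in front of code that still calls '{:f}'.format() directly.
    The 64 MiB default is an arbitrary choice for this example.
    """
    return digit_budget(number) > limit_bytes


if __name__ == '__main__':
    # Constructed inputs: a large exponent that is still cheap to expand,
    # and a hostile one that is only measured, never expanded.
    harmless = Decimal('1E+100000')
    hostile = Decimal('1E+1000000000')

    print(len(unsafe_format(harmless)))       # 100001
    print(safe_format(harmless))              # 1e+100000
    print(safe_format(Decimal('123.45')))     # 123.45
    print(digit_budget(hostile))              # 1000000001
    print(would_exhaust_memory(hostile))      # True
```

The check is done on the tuple form rather than by formatting and measuring, because measuring would require building the very string the check exists to avoid; the cutoff should be evaluated before any call that expands the exponent.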
--- Begin Message ---
Source: python-django
Source-Version: 1:1.10.7-2+deb9u5
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 02 Jul 2019 23:07:21 -0300
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
python-django - High-level Python web development framework (Python 2 version)
python-django-common - High-level Python web development framework (common)
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework (Python 3 version)
Closes: 922027 929927 931316
Changes:
python-django (1:1.10.7-2+deb9u5) stretch-security; urgency=high
.
* CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format.
(Closes: #922027)
* CVE-2019-12308: Prevent an XSS vulnerability in the Django admin via the
AdminURLFieldWidget. (Closes: #929927)
* CVE-2019-12781: Prevent incorrect HTTPS detection with reverse-proxies
connecting via HTTPS. (Closes: #931316)
Checksums-Sha1:
9cf46ff6b53e327287a635d7947504bab66f5e5b 2804 python-django_1.10.7-2+deb9u5.dsc
4b9acc86beb3e79ac0fcfc3339fb7cad9cb7b286 39828 python-django_1.10.7-2+deb9u5.debian.tar.xz
1383e694395bc1db1985a303a387592011dcb2d8 1513850 python-django-common_1.10.7-2+deb9u5_all.deb
fbe06f7c2ed9995875601de4fbf915219332b420 2535508 python-django-doc_1.10.7-2+deb9u5_all.deb
0783192722e7846642837d8000e4ee0ea5e99034 904054 python-django_1.10.7-2+deb9u5_all.deb
e3f0210d8f6f2158f63b8a3ef46b7ab19792334e 9329 python-django_1.10.7-2+deb9u5_amd64.buildinfo
40303e6ec9bc24c3a99cee145f1297d8d2373097 885816 python3-django_1.10.7-2+deb9u5_all.deb
Checksums-Sha256:
5634a1d5ce9a9426076abb87945d7af24b9eab0115f6db039646f6f20437b2b8 2804 python-django_1.10.7-2+deb9u5.dsc
f794310b8048bf962425ea1c23ad447cda236d04bba02f518cabab027b988cff 39828 python-django_1.10.7-2+deb9u5.debian.tar.xz
5bc2c68ac9797eba7b2fa3beeae7ee5fa08954ce9fa2b078d2fc6c93fd44207b 1513850 python-django-common_1.10.7-2+deb9u5_all.deb
e2cc407ab765e5e0068509471880f0b53c2776d1bb76a847ad33bf56d831dc30 2535508 python-django-doc_1.10.7-2+deb9u5_all.deb
c62e37da6e5fe58bfff7fbdb7547a59fd8456ac0825777d86ecc84eafc2b8004 904054 python-django_1.10.7-2+deb9u5_all.deb
25f8ec5325f48dba984300b3393e4ea73b75da5789722dae4981e7b6dcf1968c 9329 python-django_1.10.7-2+deb9u5_amd64.buildinfo
e445e5695962a7a120206e4dc16022d670b253e0f275968d4b54776961b27c66 885816 python3-django_1.10.7-2+deb9u5_all.deb
Files:
52ccdf5159351ca16a1f676901ae31ae 2804 python optional python-django_1.10.7-2+deb9u5.dsc
eb488426deda61b3ba6811ffe1009c3d 39828 python optional python-django_1.10.7-2+deb9u5.debian.tar.xz
fa0695738a8ba2b94d9ef7331f29bd24 1513850 python optional python-django-common_1.10.7-2+deb9u5_all.deb
0428ccc6fd9f8dae732b5f085e3a3904 2535508 doc optional python-django-doc_1.10.7-2+deb9u5_all.deb
8b9bdd5aee8b7be9d4c3e15c87e44013 904054 python optional python-django_1.10.7-2+deb9u5_all.deb
dd5236564e0e51a91c4fe3d781e6c7d8 9329 python optional python-django_1.10.7-2+deb9u5_amd64.buildinfo
21396fe97a0ec5511abc5c642b494354 885816 python optional python3-django_1.10.7-2+deb9u5_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---