Your message dated Tue, 06 Aug 2019 09:37:44 +0000
with message-id <e1huvua-000crv...@fasolo.debian.org>
and subject line Bug#934026: fixed in python-django 2:2.2.4-1
has caused the Debian Bug report #934026,
regarding python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
934026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1.7.11-1+deb8u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2019-14232[0]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's
| chars() and words() methods were passed the html=True argument, they
| were extremely slow to evaluate certain inputs due to a catastrophic
| backtracking vulnerability in a regular expression. The chars() and
| words() methods are used to implement the truncatechars_html and
| truncatewords_html template filters, which were thus vulnerable.


CVE-2019-14233[1]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying
| HTMLParser, django.utils.html.strip_tags would be extremely slow to
| evaluate certain inputs containing large sequences of nested
| incomplete HTML entities.


CVE-2019-14234[2]:
SQL injection possibility in key and index lookups for JSONField/HStoreField

CVE-2019-14235[3]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs,
| django.utils.encoding.uri_to_iri could lead to significant memory
| usage due to a recursion when repercent-encoding invalid UTF-8 octet
| sequences.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14232
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
[1] https://security-tracker.debian.org/tracker/CVE-2019-14233
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
[2] https://security-tracker.debian.org/tracker/CVE-2019-14234
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
[3] https://security-tracker.debian.org/tracker/CVE-2019-14235
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
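Added here as an illustration, not part of the bug report or of Debian's tooling: a small check that maps a Debian-style or upstream Django version string onto the affected ranges quoted in the CVE descriptions above, so a maintainer can tell at a glance whether a given package version is inside them. The function names and the version-parsing regex are my own; CVE-2019-14234 is assumed to share the same ranges as the other three, since the changelog closes all four with one upstream release.

```python
import re

# Affected branches and first fixed version, taken from the CVE texts quoted
# above: 1.11.x before 1.11.23, 2.1.x before 2.1.11, 2.2.x before 2.2.4.
# Branches outside this table (e.g. 1.7.x, the version the bug was filed
# against) are reported as "not covered", never as safe: the advisory only
# lists the upstream branches that were supported at the time.
AFFECTED_BRANCHES = {
    (1, 11): (1, 11, 23),
    (2, 1): (2, 1, 11),
    (2, 2): (2, 2, 4),
}

# The four ids closed by this bug; assumed (see lead-in) to share the ranges.
CVES = ("CVE-2019-14232", "CVE-2019-14233", "CVE-2019-14234", "CVE-2019-14235")

# Optional epoch ("2:"), dotted upstream version, optional Debian revision or
# pre-release suffix ("-1", "+deb8u6", "rc1") which is ignored for the check.
_DEB_VERSION = re.compile(r"^(?:(\d+):)?(\d+(?:\.\d+)*)(?:[^\d.].*)?$")


def upstream_version(version):
    """Return the upstream part of a version as a tuple of ints,
    e.g. "2:2.2.4-1" -> (2, 2, 4), "1.7.11-1+deb8u6" -> (1, 7, 11)."""
    m = _DEB_VERSION.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    parts = tuple(int(p) for p in m.group(2).split("."))
    # Pad "2.2" to (2, 2, 0) so it compares correctly against (2, 2, 4).
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def assess(version):
    """'vulnerable', 'fixed' or 'not covered' for a Django version string."""
    parts = upstream_version(version)
    fixed = AFFECTED_BRANCHES.get(parts[:2])
    if fixed is None:
        return "not covered"
    return "vulnerable" if parts < fixed else "fixed"


def affecting_cves(version):
    """The CVE ids from this bug that apply to the given version."""
    return list(CVES) if assess(version) == "vulnerable" else []


if __name__ == "__main__":
    for v in ("1.7.11-1+deb8u6", "2:2.2.4-1", "2.2.3", "1.11.22", "2.1.11"):
        print("%-18s %s" % (v, assess(v)))
```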
--- Begin Message ---
Source: python-django
Source-Version: 2:2.2.4-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 06 Aug 2019 10:08:25 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 934026
Changes:
 python-django (2:2.2.4-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #934026)
     <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>


--- End Message ---
