Your message dated Wed, 14 Aug 2019 18:47:47 +0000
with message-id <e1hxyjh-0005mn...@fasolo.debian.org>
and subject line Bug#934026: fixed in python-django 1:1.10.7-2+deb9u6
has caused the Debian Bug report #934026,
regarding python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
934026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1.7.11-1+deb8u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django.
CVE-2019-14232[0]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's
| chars() and words() methods were passed the html=True argument, they
| were extremely slow to evaluate certain inputs due to a catastrophic
| backtracking vulnerability in a regular expression. The chars() and
| words() methods are used to implement the truncatechars_html and
| truncatewords_html template filters, which were thus vulnerable.
CVE-2019-14233[1]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying
| HTMLParser, django.utils.html.strip_tags would be extremely slow to
| evaluate certain inputs containing large sequences of nested
| incomplete HTML entities.
CVE-2019-14234[2]:
SQL injection possibility in key and index lookups for JSONField/HStoreField
CVE-2019-14235[3]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs,
| django.utils.encoding.uri_to_iri could lead to significant memory
| usage due to a recursion when repercent-encoding invalid UTF-8 octet
| sequences.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-14232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
[1] https://security-tracker.debian.org/tracker/CVE-2019-14233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
[2] https://security-tracker.debian.org/tracker/CVE-2019-14234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
[3] https://security-tracker.debian.org/tracker/CVE-2019-14235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 1:1.10.7-2+deb9u6
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 934...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 08 Aug 2019 10:42:49 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
python-django - High-level Python web development framework (Python 2 version)
python-django-common - High-level Python web development framework (common)
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework (Python 3 version)
Closes: 934026
Changes:
python-django (1:1.10.7-2+deb9u6) stretch-security; urgency=high
.
* Backport four security patches from upstream. (Closes: #934026)
<https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
.
- CVE-2019-14232: Denial-of-service possibility in
django.utils.text.Truncator
.
If django.utils.text.Truncator's chars() and words() methods were passed
the html=True argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The chars() and words() methods are used to implement the
truncatechars_html and truncatewords_html template filters, which were
thus vulnerable.
.
The regular expressions used by Truncator have been simplified in order
to avoid potential backtracking issues. As a consequence, trailing
punctuation may now at times be included in the truncated output.
.
- CVE-2019-14233: Denial-of-service possibility in strip_tags()
.
Due to the behavior of the underlying HTMLParser,
django.utils.html.strip_tags() would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML
entities. The strip_tags() method is used to implement the corresponding
striptags template filter, which was thus also vulnerable.
.
strip_tags() now avoids recursive calls to HTMLParser when progress
removing tags, but necessarily incomplete HTML entities, stops being
made.
.
Remember that absolutely NO guarantee is provided about the results of
strip_tags() being HTML safe. So NEVER mark safe the result of a
strip_tags() call without escaping it first, for example with
django.utils.html.escape().
.
- CVE-2019-14234: SQL injection possibility in key and index lookups for
JSONField/HStoreField
.
Key and index lookups for django.contrib.postgres.fields.JSONField and
key lookups for django.contrib.postgres.fields.HStoreField were subject
to SQL injection, using a suitably crafted dictionary, with dictionary
expansion, as the **kwargs passed to QuerySet.filter().
.
- CVE-2019-14235: Potential memory exhaustion in
django.utils.encoding.uri_to_iri()
.
If passed certain inputs, django.utils.encoding.uri_to_iri could lead to
significant memory usage due to excessive recursion when
re-percent-encoding invalid UTF-8 octet sequences.
.
uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.
--- End Message ---
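The CVE-2019-14234 entry in the changelog above turns on the dictionary keys themselves reaching the query builder when a caller expands an untrusted dict into QuerySet.filter(**kwargs). As an added example (not Django's code and not part of this report), here is a defensive allow-list that validates every lookup path before expansion; the field names, JSON keys and lookup names in the policy are constructed for illustration and would be replaced by an application's own:

```python
import re

# Each segment of a lookup path such as "attrs__color__icontains" must be a
# plain identifier; quotes, spaces, brackets and empty segments are rejected
# before anything is handed to the ORM.
SEGMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed policy for this example: the base fields that may be filtered,
# the JSON/HStore keys that may be used as key transforms on each of them,
# and the lookup names that may terminate a path.
ALLOWED_FIELDS = {"name": set(), "attrs": {"color", "size", "tags"}}
ALLOWED_LOOKUPS = {"exact", "iexact", "icontains", "contains", "has_key"}


def validate_filter_kwargs(kwargs, allowed_fields=ALLOWED_FIELDS,
                           allowed_lookups=ALLOWED_LOOKUPS):
    """Return a copy of kwargs whose keys are within policy and therefore
    safe to expand as QuerySet.filter(**clean); raise ValueError otherwise."""
    clean = {}
    for path, value in kwargs.items():
        segments = path.split("__")
        if not all(SEGMENT.match(s) for s in segments):
            raise ValueError(f"malformed lookup path: {path!r}")
        field, *rest = segments
        if field not in allowed_fields:
            raise ValueError(f"field not filterable: {field!r}")
        # A trailing lookup name is optional; every other segment is treated
        # as a key transform and must be on the per-field allow-list.
        transforms = rest[:-1] if rest and rest[-1] in allowed_lookups else rest
        bad = [t for t in transforms if t not in allowed_fields[field]]
        if bad:
            raise ValueError(f"key transform not allowed on {field!r}: {bad!r}")
        clean[path] = value
    return clean


def is_safe(kwargs):
    """Boolean wrapper for request handlers that prefer a 400 over a trace."""
    try:
        validate_filter_kwargs(kwargs)
    except ValueError:
        return False
    return True
```

A view should call this on request parameters before filter(), in addition to running a patched Django; the upgrade removes the injection, the allow-list removes the class of bug where user input picks the lookup path at all.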
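The CVE-2019-14235 entry describes the fix as replacing recursion with iteration when re-percent-encoding invalid UTF-8 octets. This added example (not Django's implementation; the safe-character set and the function names are assumptions made here) shows the recursive shape that costs one stack frame per invalid sequence beside an iterative version that yields the same bytes:

```python
from urllib.parse import quote

# Characters left untouched when an invalid octet is re-encoded; an
# assumption for this example, not a copy of Django's reserved-character set.
SAFE = b"/#%[]=:;$&()+,!?*@'~"


def repercent_recursive(path: bytes) -> bytes:
    """Pre-fix shape: every invalid UTF-8 sequence costs one more stack
    frame (and a fresh decode of the whole path), so a long run of bad
    octets ends in RecursionError instead of a result."""
    try:
        path.decode()
    except UnicodeDecodeError as e:
        fixed = quote(path[e.start:e.end], safe=SAFE).encode()
        return repercent_recursive(path[:e.start] + fixed + path[e.end:])
    return path


def repercent_iterative(path: bytes) -> bytes:
    """Hardened shape: consume the path left to right, appending each
    accepted prefix plus the re-encoded bad octets to a list. No frame is
    kept per invalid sequence, so memory grows with the output only."""
    parts = []
    while True:
        try:
            path.decode()
        except UnicodeDecodeError as e:
            parts.append(path[:e.start] + quote(path[e.start:e.end], safe=SAFE).encode())
            path = path[e.end:]
        else:
            return b"".join(parts) + path


def compare(path: bytes):
    """Run both versions on the same input; None means the recursive
    version exhausted the interpreter's recursion limit."""
    try:
        recursive = repercent_recursive(path)
    except RecursionError:
        recursive = None
    return recursive, repercent_iterative(path)


if __name__ == "__main__":
    # Constructed inputs: valid UTF-8, one stray byte, a truncated sequence,
    # and a long run of invalid octets that only the iterative version survives.
    for sample in (b"caf\xc3\xa9", b"a\xffb", b"\xe2\x82", b"\xff" * 5000):
        rec, it = compare(sample)
        print(sample[:8], "recursive:", "RecursionError" if rec is None else rec[:12],
              "iterative:", it[:12])
```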