Your message dated Wed, 01 Feb 2023 16:21:19 +0000 with message-id <e1pnfrl-007wkg...@fasolo.debian.org> and subject line Bug#1030251: fixed in python-django 3:3.2.17-1 has caused the Debian Bug report #1030251, regarding python-django: CVE-2023-23969 Potential denial-of-service via Accept-Language headers to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1030251: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030251 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: python-django Version: 1:1.11.29-1+deb10u5 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for python-django. CVE-2023-23969: Potential denial-of-service via Accept-Language headers The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if large header values are sent. In order to avoid this vulnerability, the Accept-Language header is now parsed up to a maximum length. Thanks to Mithril for the report. This issue has severity "moderate" according to the Django security policy. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-23969 https://www.cve.org/CVERecord?id=CVE-2023-23969 Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
--- End Message ---
--- Begin Message ---Source: python-django Source-Version: 3:3.2.17-1 Done: Chris Lamb <la...@debian.org> We believe that the bug you reported is fixed in the latest version of python-django, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1030...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Chris Lamb <la...@debian.org> (supplier of updated python-django package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Wed, 01 Feb 2023 08:01:01 -0800 Source: python-django Built-For-Profiles: nocheck Architecture: source Version: 3:3.2.17-1 Distribution: unstable Urgency: medium Maintainer: Debian Python Team <team+pyt...@tracker.debian.org> Changed-By: Chris Lamb <la...@debian.org> Closes: 1030251 Changes: python-django (3:3.2.17-1) unstable; urgency=medium . * New security upstream release. <https://www.djangoproject.com/weblog/2023/feb/01/security-releases/> . - CVE-2023-23969: Potential denial-of-service via Accept-Language headers . The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if large header values are sent. . In order to avoid this vulnerability, the Accept-Language header is now parsed up to a maximum length. (Closes: #1030251) . * Drop 0010-Fixed-inspectdb.tests.InspectDBTestCase.test_custom_.patch; applied upstream. * Refresh all patches. Checksums-Sha1: 739c26799224c7e0f5c81271aa9ac9440ba9e75a 2807 python-django_3.2.17-1.dsc 41fbde88d69f8f4e2daa9c8edc64864d7a42e5c4 9830188 python-django_3.2.17.orig.tar.gz c6305d24b4b8a271a3f4b99a43bab30aeea47a3b 37648 python-django_3.2.17-1.debian.tar.xz d175a5be405595f0869f54e63e7e55bb66bfe621 7937 python-django_3.2.17-1_amd64.buildinfo Checksums-Sha256: 26caea9753ba9a01a43b14b31ecb655940e3c2bf691dc0e351a0d7149b868482 2807 python-django_3.2.17-1.dsc 644288341f06ebe4938eec6801b6bd59a6534a78e4aedde2a153075d11143894 9830188 python-django_3.2.17.orig.tar.gz b38875467b7216b323f464b0f116b32342c1c42c9051d13e1852add245c6164d 37648 python-django_3.2.17-1.debian.tar.xz eda8f2d8334dd8264821b9ddab033c57a59f8ec8b59cd5c72d86a4acd445712a 7937 python-django_3.2.17-1_amd64.buildinfo Files: 02586cd0235d549d793ba4348f38505e 2807 python optional python-django_3.2.17-1.dsc ef4c165db99f7f6e32b62846b9f7a36e 9830188 python optional python-django_3.2.17.orig.tar.gz aa4efe0b62f4bff27b0f8065be1a7212 37648 python optional python-django_3.2.17-1.debian.tar.xz 893a2797e6057caa5416030603e1041b 7937 python optional python-django_3.2.17-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmPajiYACgkQHpU+J9Qx HlhqFBAAue6O+0ZqYQ2frd2gARoqkZVhJoZ2o5pE+7iEyc34jrrUWBURrKAiz/z0 NnNsr7O20evXW1gJ87EnM0Yj0Se8QlXVHqI480+ACYil/LoiPWcihzIDM4LeQO1q tDxgvJ4jA08bwpgrJQuQApkeS4TkESsV6W2dH6b5Gq/OiddL95eeiNiwYh/9y9e6 NIp5l8poyYCkQ44gt9nR/4Dus4PzLet5gIiH5Eq7t/T5aa/GNYOvJX+elJHghh54 Qx/piEtpQjyRCF5KYQqK6RkjFuaJnEJMvkFETzDkKpELpkEG6h3KfQjP9uIdvGlt oaF6Yt2MLZTB/7rEUHUl1xv53R+RJsny64ZmfcD4i0aP8HDrBTpistmXhVPAz3hh FWV0odIIUSiR/ZbMGE8Opa6L9V9rHvKkq6O6dFzqhkZ6qaAnnpbRkvob8S4YhcOT WRq0YYURS3Z0Kt+il+abz4amQX1XGUnkK1ziOM8chavMot98Lucdet9uEsM+t7Vw n/Qzq7sfhYP3CAs8adtHchXwEFmGqHq1CTkpegcT+1MXt/689q3yhbPXGd4inscx G0JXNEgZOjnLq/zDf1IMGpcmH9why4talRBjR8mW1jqRnlllKMebPp/HGxm3rIrg meBfJjp/Bv/dDI4/BreCZ/LCKeidruGl0Tle/PeDJ6N6DoLwn2Q= =xPJl -----END PGP SIGNATURE-----
--- End Message ---
