Package: python-django
Version: 1:1.11.29-1+deb10u11
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

Django upstream have reported the following four vulnerabilities:

  https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

I have not yet investigated which, if any, of these vulnerabilities
apply to which versions of src:python-django. However, an upload to
unstable will follow the reporting of this bug, and an upload to
experimental will take place once a new 5.1 beta is released.

CVE-2024-38875[0]:
| An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before
| 5.0.7. urlize and urlizetrunc were subject to a potential denial of
| service attack via certain inputs with a very large number of
| brackets.

CVE-2024-39329[1]:
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before
| 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate()
| method allows remote attackers to enumerate users via a timing
| attack involving login requests for users with an unusable password.

CVE-2024-39330[2]:
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before
| 4.2.14. Derived classes of the django.core.files.storage.Storage
| base class, when they override generate_filename() without
| replicating the file-path validations from the parent class,
| potentially allow directory traversal via certain inputs during a
| save() call. (Built-in Storage sub-classes are unaffected.)

CVE-2024-39614[3]:
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before
| 4.2.14. get_supported_language_variant() was subject to a potential
| denial-of-service attack when used with very long strings containing
| specific characters.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-38875
    https://www.cve.org/CVERecord?id=CVE-2024-38875
[1] https://security-tracker.debian.org/tracker/CVE-2024-39329
    https://www.cve.org/CVERecord?id=CVE-2024-39329
[2] https://security-tracker.debian.org/tracker/CVE-2024-39330
    https://www.cve.org/CVERecord?id=CVE-2024-39330
[3] https://security-tracker.debian.org/tracker/CVE-2024-39614
    https://www.cve.org/CVERecord?id=CVE-2024-39614

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
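Added illustration (not part of the bug report above, and not Django's code) of the user-enumeration timing leak behind CVE-2024-39329 and the shape of a fix. The toy PBKDF2 hasher, the in-memory `USERS` store and all function names are my own assumptions; only two things are taken from Django: the convention that an unusable password is stored with a leading "!" and the pattern of running one dummy hash for a nonexistent user. The vulnerable variant skips that dummy hash when the account exists but has an unusable password, so a failed login against such an account returns in microseconds instead of the tens of milliseconds a real hash costs; the fixed variant burns the same work on every failure path.

```python
"""Timing-equalised password checking: vulnerable vs. fixed (added example)."""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000       # PBKDF2 work factor of the toy hasher (assumption)
UNUSABLE_PREFIX = "!"      # Django stores set_unusable_password() hashes as "!<random>"


def make_password(password, salt=None):
    """Return 'pbkdf2$<iterations>$<salt-hex>$<digest-hex>' for `password`."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def make_unusable_password():
    """Marker hash that can never verify, e.g. for SSO-only accounts."""
    return UNUSABLE_PREFIX + secrets.token_urlsafe(30)


def is_password_usable(encoded):
    return encoded is not None and not encoded.startswith(UNUSABLE_PREFIX)


def verify(password, encoded):
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, digest_hex = encoded.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user store: one normal account, one account with an unusable password.
USERS = {
    "alice": make_password("correct horse battery staple"),
    "bob-sso": make_unusable_password(),
}


def authenticate_vulnerable(username, password):
    """Pre-fix shape: the dummy hash only runs for unknown users."""
    encoded = USERS.get(username)
    if encoded is None:
        make_password(password)   # equalise timing against real users (Django #20760)
        return False
    if not is_password_usable(encoded):
        return False              # BUG: early return with no hashing -> fast -> enumerable
    return verify(password, encoded)


def authenticate_fixed(username, password):
    """Fixed shape: every failure path performs exactly one hash computation."""
    encoded = USERS.get(username)
    if encoded is None or not is_password_usable(encoded):
        make_password(password)   # same work whether the user is missing or unusable
        return False
    return verify(password, encoded)


def measure(authenticate, username, rounds=5):
    """Median wall-clock seconds for a failed login attempt against `username`."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        authenticate(username, "wrong-password")
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_vulnerable), ("fixed", authenticate_fixed)):
        unknown = measure(fn, "nobody") * 1e3
        unusable = measure(fn, "bob-sso") * 1e3
        print(f"{name:10s} unknown user: {unknown:7.1f} ms   unusable-password user: {unusable:7.1f} ms")
```

Running the script shows the vulnerable variant answering the unusable-password login orders of magnitude faster than the unknown-user login, which is the oracle an attacker uses to confirm that "bob-sso" exists; the fixed variant reports the two within noise of each other. The residual lookup cost (`USERS.get` here, a database query in Django) is a separate, much smaller channel that this pattern does not try to hide.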