Package: python-django
Version: 1:1.11.29-1+deb10u11
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

* CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()

  The floatformat template filter is subject to significant memory
  consumption when given a string representation of a number in
  scientific notation with a large exponent.

* CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()

  The urlize() and urlizetrunc() template filters are subject to a
  potential denial-of-service attack via very large inputs with a
  specific sequence of characters.

* CVE-2024-41991: Potential denial-of-service vulnerability in
  django.utils.html.urlize() and AdminURLFieldWidget

  The urlize and urlizetrunc template filters, and the
  AdminURLFieldWidget widget, are subject to a potential
  denial-of-service attack via certain inputs with a very large number
  of Unicode characters.

* CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()

  QuerySet.values() and values_list() methods on models with a JSONField
  are subject to SQL injection in column aliases via a crafted JSON
  object key as a passed *arg.

For further information see [0][1][2][3][4].

[0] https://security-tracker.debian.org/tracker/CVE-2024-41989
    https://www.cve.org/CVERecord?id=CVE-2024-41989
[1] https://security-tracker.debian.org/tracker/CVE-2024-41990
    https://www.cve.org/CVERecord?id=CVE-2024-41990
[2] https://security-tracker.debian.org/tracker/CVE-2024-41991
    https://www.cve.org/CVERecord?id=CVE-2024-41991
[3] https://security-tracker.debian.org/tracker/CVE-2024-42005
    https://www.cve.org/CVERecord?id=CVE-2024-42005
[4] https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
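The four advisories above share one shape: untrusted input reaching a Django sink (floatformat, urlize/urlizetrunc, values()/values_list() with a JSONField) that was not built to bound it. The fix is the updated package; the guards below are an added, defence-in-depth example written for this report and are not Django's code or the upstream patch. They sit in application code in front of those sinks and reject the input classes the advisories name: numeric strings with a very large exponent, oversized text, and non-identifier field paths. The thresholds, the MAX_ABS_EXPONENT and MAX_URLIZE_CHARS names, and the sample inputs are assumptions constructed for the example.

```python
import re
from decimal import Decimal, InvalidOperation

# Thresholds are assumptions chosen for this example, not values from the
# advisory or from Django; tune them to the application's real data.
MAX_ABS_EXPONENT = 100        # floatformat guard: reject |exponent| beyond this
MAX_URLIZE_CHARS = 10_000     # urlize/urlizetrunc guard: cap length in code points
# values()/values_list() guard: allow only identifier-style names joined by "__"
SAFE_FIELD_PATH = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z_][A-Za-z0-9_]*)*$")


def exponent_of(value):
    """Base-10 exponent of a numeric string/number, or None if it is not a finite number.

    Decimal parses "1e10000" without materialising 10000 digits, so the
    check itself cannot trigger the expansion it is meant to prevent.
    """
    try:
        number = Decimal(str(value).strip())
    except InvalidOperation:
        return None
    if not number.is_finite():
        return None
    return number.adjusted()


def safe_for_floatformat(value, max_abs_exponent=MAX_ABS_EXPONENT):
    """True if value is a finite number whose magnitude floatformat can expand cheaply."""
    exponent = exponent_of(value)
    return exponent is not None and abs(exponent) <= max_abs_exponent


def safe_for_urlize(text, max_chars=MAX_URLIZE_CHARS):
    """True if text is short enough to hand to urlize/urlizetrunc.

    len() on a str counts Unicode code points, so multi-byte characters are
    not undercounted the way a byte-length check would undercount them.
    """
    return isinstance(text, str) and len(text) <= max_chars


def unsafe_field_paths(*field_paths):
    """Return the values()/values_list() positional arguments that fail the allowlist."""
    return [p for p in field_paths
            if not isinstance(p, str) or not SAFE_FIELD_PATH.fullmatch(p)]


def checked_values_args(*field_paths):
    """Return the arguments unchanged, or raise if any would reach the query unvetted."""
    bad = unsafe_field_paths(*field_paths)
    if bad:
        raise ValueError(f"refusing values()/values_list() arguments: {bad!r}")
    return field_paths


if __name__ == "__main__":
    # Constructed sample inputs for a quick self-check.
    print(safe_for_floatformat("1.5e3"), safe_for_floatformat("1e10000"))
    print(safe_for_urlize("https://example.invalid/" * 3), safe_for_urlize("x" * 20_000))
    print(unsafe_field_paths("id", "data__name", 'data__x" --'))
```

In a view, call checked_values_args(*user_supplied_fields) before passing the names to Model.objects.values(), and run the floatformat and urlize guards in the form or serializer layer so a rejected value never reaches the template. These guards narrow the input space; they do not replace upgrading to the fixed python-django package.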