Your message dated Sat, 10 May 2025 21:22:22 +0000
with message-id <e1udrei-00ebzs...@fasolo.debian.org>
and subject line Bug#1104872: fixed in python-django 3:4.2.21-1
has caused the Debian Bug report #1104872,
regarding python-django: CVE-2025-32873 -- Denial-of-service possibility in strip_tags()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1104872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

  CVE-2025-32873[0]:

  Denial-of-service possibility in strip_tags()

  django.utils.html.strip_tags() would be slow to evaluate certain
  inputs containing large sequences of incomplete HTML tags. This
  function is used to implement the striptags template filter, which
  was thus also vulnerable. django.utils.html.strip_tags() now
  raises a SuspiciousOperation exception if it encounters an
  unusually large number of unclosed opening tags.

  <https://www.djangoproject.com/weblog/2025/may/07/security-releases/>

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32873
    https://www.cve.org/CVERecord?id=CVE-2025-32873


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.21-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 May 2025 15:47:11 -0700
Source: python-django
Architecture: source
Version: 3:4.2.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1104872
Changes:
 python-django (3:4.2.21-1) unstable; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2025-32873: Denial-of-service possibility in strip_tags()
 .
       django.utils.html.strip_tags() would be slow to evaluate certain inputs
       containing large sequences of incomplete HTML tags. This function is used
       to implement the striptags template filter, which was therefore also
       vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
       encounters an unusually large number of unclosed opening tags.
 .
       (Closes: #1104872)
 .
     <https://www.djangoproject.com/weblog/2025/may/07/security-releases/>
 .
   * Bump Standards-Version to 4.7.2.
   * Add pybuild-plugin-pyproject to Build-Depends.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
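
The behaviour described in the changelog above, sketched as an added example (not Django's code and not part of the original messages): a single-pass pre-check that counts unclosed opening tags and refuses the input before any tag stripping runs. The threshold of 50, the exception class and the function names are assumptions of this example; a Django project would pass django.utils.html.strip_tags as `strip_func`.

```python
# Added example: reject input with many unclosed opening tags before stripping.
# Not Django's implementation; the names and the threshold are assumptions.
import re

MAX_UNCLOSED_OPEN_TAGS = 50  # assumed; the advisory only says "unusually large"


class TooManyUnclosedTags(ValueError):
    """Stand-in for the SuspiciousOperation that patched Django raises."""


def count_unclosed_open_tags(text):
    """Count '<' + ASCII-letter starts that never reach a '>' (one O(n) pass)."""
    unclosed = 0
    in_tag = False
    last = len(text) - 1
    for i, ch in enumerate(text):
        if ch == "<":
            if in_tag:
                unclosed += 1  # the previous tag start was never closed
            nxt = text[i + 1] if i < last else ""
            in_tag = nxt.isascii() and nxt.isalpha()
        elif ch == ">":
            in_tag = False
    return unclosed + (1 if in_tag else 0)


def guarded_strip(text, strip_func, limit=MAX_UNCLOSED_OPEN_TAGS):
    """Raise on suspicious input, otherwise delegate to strip_func."""
    text = str(text)
    unclosed = count_unclosed_open_tags(text)
    if unclosed >= limit:
        raise TooManyUnclosedTags(
            f"{unclosed} unclosed opening tags (limit {limit})"
        )
    return strip_func(text)


if __name__ == "__main__":
    # Constructed stand-in for a real tag stripper, used only for this demo.
    naive_strip = lambda s: re.sub(r"<[^>]*>", "", s)
    print(guarded_strip("<p>Hello <b>world</b></p>", naive_strip))
    try:
        guarded_strip("<a" * 60, naive_strip)  # constructed sample input
    except TooManyUnclosedTags as exc:
        print("rejected:", exc)
```
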