Your message dated Fri, 30 May 2025 18:21:31 +0000
with message-id <e1ul4mf-00aszd...@fasolo.debian.org>
and subject line Bug#1104872: fixed in python-django 3:5.2.1-1
has caused the Debian Bug report #1104872,
regarding python-django: CVE-2025-32873 -- Denial-of-service possibility in strip_tags()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1104872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

  CVE-2025-32873[0]:

  Denial-of-service possibility in strip_tags()

  django.utils.html.strip_tags() would be slow to evaluate certain
  inputs containing large sequences of incomplete HTML tags. This
  function is used to implement the striptags template filter, which
  was thus also vulnerable. django.utils.html.strip_tags() now
  raises a SuspiciousOperation exception if it encounters an
  unusually large number of unclosed opening tags.

  <https://www.djangoproject.com/weblog/2025/may/07/security-releases/>

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32873
    https://www.cve.org/CVERecord?id=CVE-2025-32873


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
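To make the failure mode concrete, the following is a small self-contained Python model of a strip-tags loop, added here as an illustration. It is not Django's implementation (which is built on html.parser) and not code from the bug report: the regex tag grammar, the MAX_PASSES cap, the SuspiciousOperation stand-in class and the constructed payload are all assumptions made for the demonstration. What it shows is why a "strip until nothing changes" loop costs one full pass per level of unclosed opener, so a payload of nested incomplete tags makes the work grow with nesting depth, and how a cap on passes that raises rather than continues turns that into a fast rejection, which is the shape of mitigation the advisory describes.

```python
"""Model of the CVE-2025-32873 failure mode in a strip-tags fixed-point loop.

Added illustration, not Django's code. The tag grammar below is a deliberate
simplification (assumption): a tag is '<', a letter or '/', then any run of
characters that are not '<' or '>', then '>'. Incomplete openers such as
'<b' followed by another '<' are therefore left untouched by a single pass.
"""
import re

# Simplified tag grammar (assumption, see module docstring).
_TAG_RE = re.compile(r"<[A-Za-z/][^<>]*>")

# Assumed cap for the demo; not Django's constant.
MAX_PASSES = 50


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumption)."""


def _strip_once(value: str) -> str:
    """One pass: remove every complete tag, leave incomplete ones in place."""
    return _TAG_RE.sub("", value)


def strip_tags_unbounded(value: str) -> tuple[str, int]:
    """Strip tags until a fixed point. Returns (text, number_of_passes).

    The loop only stops when a pass fails to remove a '<'. Every pass scans
    the whole string, so an input that needs k passes costs O(k * len).
    """
    passes = 0
    while "<" in value and ">" in value:
        new_value = _strip_once(value)
        if new_value.count("<") == value.count("<"):
            break  # nothing further recognised as a tag
        value = new_value
        passes += 1
    return value, passes


def strip_tags_bounded(value: str, max_passes: int = MAX_PASSES) -> tuple[str, int]:
    """Same loop, but refuse input that needs more than max_passes passes."""
    passes = 0
    while "<" in value and ">" in value:
        if passes >= max_passes:
            raise SuspiciousOperation(
                f"strip_tags needed more than {max_passes} passes; rejecting input"
            )
        new_value = _strip_once(value)
        if new_value.count("<") == value.count("<"):
            break
        value = new_value
        passes += 1
    return value, passes


def nested_incomplete_tags(depth: int) -> str:
    """Constructed attacker input: depth unclosed '<b' openers, then depth '>'.

    Only the innermost '<b>' is a complete tag on any pass, so stripping
    needs exactly depth passes: '<b<b<b>>>' -> '<b<b>>' -> '<b>' -> ''.
    """
    return "<b" * depth + ">" * depth


def bounded_rejects(value: str, max_passes: int = MAX_PASSES) -> bool:
    """True if the bounded stripper refuses the input with SuspiciousOperation."""
    try:
        strip_tags_bounded(value, max_passes)
    except SuspiciousOperation:
        return True
    return False


if __name__ == "__main__":
    import time

    for depth in (100, 1000, 3000):
        payload = nested_incomplete_tags(depth)
        t0 = time.perf_counter()
        _, passes = strip_tags_unbounded(payload)
        print(f"unbounded depth={depth}: {passes} passes, {time.perf_counter() - t0:.3f}s")
    print("bounded rejects depth=1000:", bounded_rejects(nested_incomplete_tags(1000)))
```

Benign markup such as `<p>Hello <b>world</b></p>` is cleaned in a single pass under either function; only the nested-opener payload drives the pass count up, which is exactly the signal the cap keys on.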
--- Begin Message ---
Source: python-django
Source-Version: 3:5.2.1-1
Done: Chris Lamb <la...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 May 2025 09:27:26 -0700
Source: python-django
Architecture: source
Version: 3:5.2.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1104872
Changes:
 python-django (3:5.2.1-1) experimental; urgency=medium
 .
   * New upstream security release:
 .
     - CVE-2025-32873: Denial-of-service possibility in strip_tags()
 .
       django.utils.html.strip_tags() would be slow to evaluate certain inputs
       containing large sequences of incomplete HTML tags. This function is used
       to implement the striptags template filter, which was therefore also
       vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
       encounters an unusually large number of unclosed opening tags.
 .
       (Closes: #1104872)
 .
     <https://www.djangoproject.com/weblog/2025/may/07/security-releases/>
Checksums-Sha1:
 bb09ed045a745017911b8301027d124ff080a9e8 2783 python-django_5.2.1-1.dsc
 c8c6571401bede943be6b1ca4babe93cf2612e16 10818735 python-django_5.2.1.orig.tar.gz
 feb12576e7ffa0f41ff351dc76a0cbcd10ae7d37 30096 python-django_5.2.1-1.debian.tar.xz
 48edea50e99170342a8f2ed80db5d589676954cc 9397 python-django_5.2.1-1_source.buildinfo
Checksums-Sha256:
 3a916198824710e9ceac054feec156bbc69c8ac432863a41b3c3cdfa6c7665ce 2783 python-django_5.2.1-1.dsc
 57fe1f1b59462caed092c80b3dd324fd92161b620d59a9ba9181c34746c97284 10818735 python-django_5.2.1.orig.tar.gz
 289c4fa05e3fa1e8c79a76be388142ef987d153dc70a5958eff9c754a2f14743 30096 python-django_5.2.1-1.debian.tar.xz
 e2e841b9e966d8eca1be91b5f0976d285eb2bc40d0c48b80a3ae8d353bf7bd40 9397 python-django_5.2.1-1_source.buildinfo
Files:
 64ae950d20e25f1f9bc5e9afb5c1d01e 2783 python optional python-django_5.2.1-1.dsc
 317174c6e0593c40e58ec1bd428b1091 10818735 python optional python-django_5.2.1.orig.tar.gz
 bf80257ae4ad41ad98d313b4e5d1a42f 30096 python optional python-django_5.2.1-1.debian.tar.xz
 9b177edac3cfbb765638e088bd11d74f 9397 python optional python-django_5.2.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
