
   linux.debian.changes      Debian changes... like the weather      791 messages   


   Message 780 of 791   
   Debian FTP Masters to All   
   Accepted python-django 3:3.2.25-0+deb12u   
   21 Feb 26 20:50:01   
   
   From: ftpmaster@ftp-master.debian.org   
      
   -----BEGIN PGP SIGNED MESSAGE-----   
   Hash: SHA512   
      
   Format: 1.8   
   Date: Tue, 27 Jan 2026 11:16:59 -0800   
   Source: python-django   
   Built-For-Profiles: nocheck   
   Architecture: source   
   Version: 3:3.2.25-0+deb12u1   
   Distribution: bookworm-security   
   Urgency: high   
   Maintainer: Debian Python Team    
   Changed-By: Chris Lamb    
   Closes: 1051226 1099682 1113865   
   Changes:   
    python-django (3:3.2.25-0+deb12u1) bookworm-security; urgency=high   
    .   
      * Update to upstream's last 3.2 series release:   
    .   
        - CVE-2023-41164: Potential denial of service vulnerability in   
          django.utils.encoding.uri_to_iri().   
    .   
          This method was subject to potential denial of service attack via certain
          inputs with a very large number of Unicode characters. This fix was
          released in Django 3.2.21. (Closes: #1051226)
    .   
        - CVE-2023-43665: Address a denial-of-service possibility in   
          django.utils.text.Truncator.   
    .   
          Following the fix for CVE-2019-14232, the regular expressions used in the
          implementation of django.utils.text.Truncator’s chars() and words()
          methods (with html=True) were revised and improved. However, these   
          regular expressions still exhibited linear backtracking complexity, so   
          when given a very long, potentially malformed HTML input, the evaluation   
          would still be slow, leading to a potential denial of service   
          vulnerability.   
    .   
          The chars() and words() methods are used to implement the   
          truncatechars_html and truncatewords_html template filters, which were   
          thus also vulnerable.   
    .   
          The input processed by Truncator, when operating in HTML mode, has been   
          limited to the first five million characters in order to avoid potential   
          performance and memory issues. This fix was included in Django 3.2.22.   
    .   
        - CVE-2024-24680: Potential denial-of-service in intcomma template filter.   
          The intcomma template filter was subject to a potential denial-of-service
          attack when used with very long strings. This fix was included in Django
          3.2.24.
    .   
        - CVE-2024-27351: Fix a potential regular expression denial-of-service   
          (ReDoS) attack in django.utils.text.Truncator.words. This method   
          (with html=True) and the truncatewords_html template filter were subject   
          to a potential regular expression denial-of-service attack via a suitably
          crafted string. This is, in part, a follow up to CVE-2019-14232 and
          CVE-2023-43665, and was included in Django 3.2.25.   
    .   
      * Drop debian/patches/CVE-2023-36053.patch now that we include the fix   
        directly via 3.2.20.   
    .   
      * CVE-2024-39329: Avoid a username enumeration vulnerability through timing   
        difference for users with unusable password. The authenticate method of   
        django.contrib.auth.backends.ModelBackend method allowed remote attackers   
        to enumerate users via a timing attack involving login requests for users   
        with unusable passwords.   
    .   
      * CVE-2024-39330: Address a potential directory-traversal in   
        django.core.files.storage.Storage.save. Derived classes of this method's   
        base class which override generate_filename without replicating the file   
        path validations existing in the parent class allowed for potential   
        directory-traversal via certain inputs when calling save(). Built-in   
        Storage sub-classes were not affected by this vulnerability.   
    .   
      * CVE-2024-39614: Fix a potential denial-of-service in   
        django.utils.translation.get_supported_language_variant. This method was   
        subject to a potential DoS attack when used with very long strings   
        containing specific characters. To mitigate this vulnerability, the   
        language code provided to get_supported_language_variant is now parsed up   
        to a maximum length of 500 characters.   
    .   
      * CVE-2024-41989: Memory exhaustion in django.utils.numberformat. The   
        floatformat template filter is subject to significant memory consumption   
        when given a string representation of a number in scientific notation with   
        a large exponent.   
    .   
      * CVE-2024-41991: Potential denial-of-service vulnerability in   
        django.utils.html.urlize() and AdminURLFieldWidget. The urlize and   
        urlizetrunc template filters, and the AdminURLFieldWidget widget, are   
        subject to a potential denial-of-service attack via certain inputs with a   
        very large number of Unicode characters.   
    .   
      * CVE-2024-42005: Potential SQL injection in QuerySet.values() and   
        values_list(). QuerySet.values() and values_list() methods on models with a
        JSONField are subject to SQL injection in column aliases via a crafted JSON
        object key as a passed *arg.
    .   
      * CVE-2024-45231: Potential user email enumeration via response status on   
        password reset. Due to unhandled email sending failures, the   
        django.contrib.auth.forms.PasswordResetForm class allowed remote attackers   
        to enumerate user emails by issuing password reset requests and observing   
        the outcomes. To mitigate this risk, exceptions occurring during password   
        reset email sending are now handled and logged using the   
        django.contrib.auth logger.   
    .   
      * CVE-2024-53907: Potential DoS in django.utils.html.strip_tags.   
        The strip_tags() method and striptags template filter were subject to a   
        potential denial-of-service attack via certain inputs containing large   
        sequences of nested incomplete HTML entities.   
    .   
      * CVE-2024-56374: Potential denial-of-service vulnerability in IPv6   
        validation. A lack of upper bound limit enforcement in strings passed when   
        performing IPv6 validation could have led to a potential denial-of-service   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
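The CVE-2024-39330 entry above describes Storage subclasses that override generate_filename without repeating the parent class's path checks. The following is an added, stand-alone Python example (not part of this message and not Django's own code) showing the defensive pattern of running the file-name validation inside save(), so that an override of generate_filename cannot skip it. Storage, validate_file_name, SuspiciousFileOperation and PerUserStorage are simplified stand-ins for the django.core.files.storage names; their bodies are assumptions, not Django's implementation, and run without Django installed.

```python
"""
Added example, not part of the changelog above and not Django's own code:
a Storage-like class that keeps its file-name validation in save(), so a
subclass overriding generate_filename() cannot bypass it. Storage,
SuspiciousFileOperation, validate_file_name and PerUserStorage are
simplified stand-ins for the django.core.files.storage names; their
bodies are assumptions, not Django's implementation.
"""
import os
from pathlib import PurePosixPath


class SuspiciousFileOperation(ValueError):
    """Stand-in for Django's exception of the same name."""


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Reject names that could escape the storage root.

    A bare file name must carry no path elements; when relative paths are
    allowed, the path must not be absolute and must not contain a '..'
    component (any '..' is refused outright rather than normalised away).
    """
    base = os.path.basename(name)
    if base in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        path = PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif name != base:
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


class Storage:
    """Minimal base class; generate_filename() is meant to be overridden."""

    def __init__(self, root: str):
        self.root = root
        self.saved = {}  # constructed in-memory store: relative name -> content

    def generate_filename(self, filename: str) -> str:
        dirname, basename = os.path.split(filename)
        return os.path.join(dirname, basename)

    def save(self, name: str, content: bytes) -> str:
        # The check runs on whatever generate_filename() returned, so an
        # override that performs no validation of its own is still covered.
        name = self.generate_filename(name)
        name = validate_file_name(name, allow_relative_path=True)
        self.saved[name] = content
        return name


class PerUserStorage(Storage):
    """Hypothetical subclass that overrides generate_filename() without any
    validation of its own; the traversal check in save() still applies."""

    def __init__(self, root: str, user: str):
        super().__init__(root)
        self.user = user

    def generate_filename(self, filename: str) -> str:
        return os.path.join("uploads", self.user, filename)


def is_rejected(storage: Storage, name: str) -> bool:
    """True when save() refuses the name with SuspiciousFileOperation."""
    try:
        storage.save(name, b"constructed content")
    except SuspiciousFileOperation:
        return True
    return False


if __name__ == "__main__":
    store = PerUserStorage("/srv/media", "alice")
    print(store.save("avatar.png", b"\x89PNG"))               # uploads/alice/avatar.png
    print(is_rejected(store, "../../etc/passwd"))             # True
    print(is_rejected(Storage("/srv/media"), "/etc/passwd"))  # True
```

The point of the layout is where the check lives: because save() validates the value returned by generate_filename(), a subclass that forgets to validate (as PerUserStorage does) still cannot produce a name that is absolute or contains a '..' component. Refusing '..' outright, instead of normalising it, also avoids the case where a climbing path stays under the root but lands outside the intended per-user directory.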
