Bug 49999 - python-django: Multiple issues (4.4)
python-django: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal (vote)
: UCS 4.4-1-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-08-13 08:26 CEST by Quality Assurance
Modified: 2019-08-14 16:35 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2019-08-13 08:26:39 CEST
New Debian python-django 1:1.10.7-2+deb9u6 fixes:
This update addresses the following issues:
* backtracking in a regular expression in django.utils.text.Truncator leads  to DoS (CVE-2019-14232)
* the behavior of the underlying HTMLParser leading to DoS (CVE-2019-14233)
* SQL injection possibility in key and index lookups for  JSONField/HStoreField (CVE-2019-14234)
* Potential memory exhaustion in django.utils.encoding.uri_to_iri()  (CVE-2019-14235)
Comment 1 Quality Assurance univentionstaff 2019-08-13 09:00:30 CEST
--- mirror/ftp/4.4/unmaintained/component/4.4-1-errata/source/python-django_1.10.7-2+deb9u5.dsc
+++ apt/ucs_4.4-0-errata4.4-1/source/python-django_1.10.7-2+deb9u6.dsc
@@ -1,6 +1,60 @@
+1:1.10.7-2+deb9u6 [Thu, 08 Aug 2019 10:42:49 +0100] Chris Lamb <lamby@debian.org>:
+
+  * Backport four security patches from upstream. (Closes: #934026)
+    <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
+
+    - CVE-2019-14232: Denial-of-service possibility in
+      django.utils.text.Truncator
+
+      If django.utils.text.Truncator's chars() and words() methods were passed
+      the html=True argument, they were extremely slow to evaluate certain
+      inputs due to a catastrophic backtracking vulnerability in a regular
+      expression. The chars() and words() methods are used to implement the
+      truncatechars_html and truncatewords_html template filters, which were
+      thus vulnerable.
+
+      The regular expressions used by Truncator have been simplified in order
+      to avoid potential backtracking issues. As a consequence, trailing
+      punctuation may now at times be included in the truncated output.
+
+    - CVE-2019-14233: Denial-of-service possibility in strip_tags()
+
+      Due to the behavior of the underlying HTMLParser,
+      django.utils.html.strip_tags() would be extremely slow to evaluate
+      certain inputs containing large sequences of nested incomplete HTML
+      entities. The strip_tags() method is used to implement the corresponding
+      striptags template filter, which was thus also vulnerable.
+
+      strip_tags() now avoids recursive calls to HTMLParser when progress
+      removing tags, but necessarily incomplete HTML entities, stops being
+      made.
+
+      Remember that absolutely NO guarantee is provided about the results of
+      strip_tags() being HTML safe. So NEVER mark safe the result of a
+      strip_tags() call without escaping it first, for example with
+      django.utils.html.escape().
+
+    - CVE-2019-14234: SQL injection possibility in key and index lookups for
+      JSONField/HStoreField
+
+      Key and index lookups for django.contrib.postgres.fields.JSONField and
+      key lookups for django.contrib.postgres.fields.HStoreField were subject
+      to SQL injection, using a suitably crafted dictionary, with dictionary
+      expansion, as the **kwargs passed to QuerySet.filter().
+
+    - CVE-2019-14235: Potential memory exhaustion in
+      django.utils.encoding.uri_to_iri()
+
+      If passed certain inputs, django.utils.encoding.uri_to_iri could lead to
+      significant memory usage due to excessive recursion when
+      re-percent-encoding invalid UTF-8 octet sequences.
+
+      uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8
+      octet sequences.
+
 1:1.10.7-2+deb9u5 [Tue, 02 Jul 2019 23:07:21 -0300] Chris Lamb <lamby@debian.org>:
 
-  * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format.
+  * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format().
     (Closes: #922027)
   * CVE-2019-12308: Prevent a XSS vulnerability in the Django admin via the
     AdminURLFieldWidget. (Closes: #929927)

<http://10.200.17.11/4.4-1/#6557579374637955412>
Comment 2 Philipp Hahn univentionstaff 2019-08-13 10:08:28 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-1] a625b8032e Bug #49999: python-django 1:1.10.7-2+deb9u6
 doc/errata/staging/python-django.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.4-1] 2c3e602a17 Bug #49999: python-django 1:1.10.7-2+deb9u6
 doc/errata/staging/python-django.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
Comment 3 Erik Damrose univentionstaff 2019-08-14 16:35:29 CEST
<http://errata.software-univention.de/ucs/4.4/227.html>