Univention Bugzilla – Bug 49999
python-django: Multiple issues (4.4)
Last modified: 2019-08-14 16:35:29 CEST
New Debian python-django 1:1.10.7-2+deb9u6 fixes:

This update addresses the following issues:

* backtracking in a regular expression in django.utils.text.Truncator leads to DoS (CVE-2019-14232)
* the behavior of the underlying HTMLParser leading to DoS (CVE-2019-14233)
* SQL injection possibility in key and index lookups for JSONField/HStoreField (CVE-2019-14234)
* Potential memory exhaustion in django.utils.encoding.uri_to_iri() (CVE-2019-14235)
--- mirror/ftp/4.4/unmaintained/component/4.4-1-errata/source/python-django_1.10.7-2+deb9u5.dsc +++ apt/ucs_4.4-0-errata4.4-1/source/python-django_1.10.7-2+deb9u6.dsc 
@@ -1,6 +1,60 @@ +1:1.10.7-2+deb9u6 [Thu, 08 Aug 2019 10:42:49 +0100] Chris Lamb <lamby@debian.org>: + + * Backport four security patches from upstream. (Closes: #934026) + <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/> + + - CVE-2019-14232: Denial-of-service possibility in + django.utils.text.Truncator + + If django.utils.text.Truncator's chars() and words() methods were passed + the html=True argument, they were extremely slow to evaluate certain + inputs due to a catastrophic backtracking vulnerability in a regular + expression. The chars() and words() methods are used to implement the + truncatechars_html and truncatewords_html template filters, which were + thus vulnerable. + + The regular expressions used by Truncator have been simplified in order + to avoid potential backtracking issues. As a consequence, trailing + punctuation may now at times be included in the truncated output. + + - CVE-2019-14233: Denial-of-service possibility in strip_tags() + + Due to the behavior of the underlying HTMLParser, + django.utils.html.strip_tags() would be extremely slow to evaluate + certain inputs containing large sequences of nested incomplete HTML + entities. The strip_tags() method is used to implement the corresponding + striptags template filter, which was thus also vulnerable. + + strip_tags() now avoids recursive calls to HTMLParser when progress + removing tags, but necessarily incomplete HTML entities, stops being + made. + + Remember that absolutely NO guarantee is provided about the results of + strip_tags() being HTML safe. So NEVER mark safe the result of a + strip_tags() call without escaping it first, for example with + django.utils.html.escape(). 
+ + - CVE-2019-14234: SQL injection possibility in key and index lookups for + JSONField/HStoreField + + Key and index lookups for django.contrib.postgres.fields.JSONField and + key lookups for django.contrib.postgres.fields.HStoreField were subject + to SQL injection, using a suitably crafted dictionary, with dictionary + expansion, as the **kwargs passed to QuerySet.filter(). + + - CVE-2019-14235: Potential memory exhaustion in + django.utils.encoding.uri_to_iri() + + If passed certain inputs, django.utils.encoding.uri_to_iri could lead to + significant memory usage due to excessive recursion when + re-percent-encoding invalid UTF-8 octet sequences. + + uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8 + octet sequences. + 1:1.10.7-2+deb9u5 [Tue, 02 Jul 2019 23:07:21 -0300] Chris Lamb <lamby@debian.org>: - * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format. + * CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format(). (Closes: #922027) * CVE-2019-12308: Prevent a XSS vulnerability in the Django admin via the AdminURLFieldWidget. (Closes: #929927) <http://10.200.17.11/4.4-1/#6557579374637955412>
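Review bot: the CVE-2019-14234 entry is the only one of the four that describes the problem without a sentence on what the backported patch changes; the CVE-2019-14232, CVE-2019-14233 and CVE-2019-14235 entries each close with one ("The regular expressions used by Truncator have been simplified ...", "strip_tags() now avoids recursive calls ...", "uri_to_iri() now avoids recursion ..."). Add a matching line after the JSONField/HStoreField paragraph stating how key and index lookups are now handled, so the changelog reader can tell the fix was applied and not just the advisory text copied. Separately, the tail of the hunk edits the already-published 1:1.10.7-2+deb9u5 entry (`- * CVE-2019-6975: ... utils.numberformat.format.` to `+ ... utils.numberformat.format().`); that is a harmless typo fix, but touching a released changelog entry is worth a word in the commit message so the change is not mistaken for a re-upload of deb9u5.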
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-1] a625b8032e Bug #49999: python-django 1:1.10.7-2+deb9u6
 doc/errata/staging/python-django.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.4-1] 2c3e602a17 Bug #49999: python-django 1:1.10.7-2+deb9u6
 doc/errata/staging/python-django.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
<http://errata.software-univention.de/ucs/4.4/227.html>