Bug 57935 - python-django: Multiple issues (5.0)
Summary: python-django: Multiple issues (5.0)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
: P3 normal
Target Milestone: UCS 5.0-9-errata
Assignee: Quality Assurance
QA Contact: Arvid Requate
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-02-03 12:32 CET by Quality Assurance
Modified: 2025-02-05 14:47 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2025-02-03 12:32:18 CET 
New Debian python-django 1:1.11.29-1+deb10u13 fixes:
This update addresses the following issues:
1:1.11.29-1+deb10u13 (Tue, 28 Jan 2025 10:58:14 +0000)
* Non-maintainer upload by the ELTS security team.
* CVE-2024-53907: Prevent a potential Denial of Service (DoS) attack. The  strip_tags method and striptags template filter were subject to a potential  denial-of-service attack via certain inputs containing large sequences of  nested incomplete HTML entities.
* CVE-2024-56374: Prevent another potential Denial of Service (DoS) attack.  Lack of upper-bound limit enforcement in strings passed when performing  IPv6 validation could have led to a potential denial-of-service attack. The  clean_ipv6_address and is_valid_ipv6_address functions were vulnerable as  was the GenericIPAddressField form field. The GenericIPAddressField model  field was not affected.
Comment 1 Quality Assurance univentionstaff 2025-02-03 13:00:16 CET 
--- mirror/ftp/pool/main/p/python-django/python-django_1.11.29-1+deb10u12.dsc
+++ apt/ucs_5.0-0-errata5.0-9/source/python-django_1.11.29-1+deb10u13.dsc
@@ -1,3 +1,17 @@
+1:1.11.29-1+deb10u13 [Tue, 28 Jan 2025 10:58:14 +0000] Chris Lamb <lamby@debian.org>:
+
+  * Non-maintainer upload by the ELTS security team.
+  * CVE-2024-53907: Prevent a potential Denial of Service (DoS) attack. The
+    strip_tags method and striptags template filter were subject to a
+    potential denial-of-service attack via certain inputs containing large
+    sequences of nested incomplete HTML entities.
+  * CVE-2024-56374: Prevent another potential Denial of Service (DoS) attack.
+    Lack of upper-bound limit enforcement in strings passed when performing
+    IPv6 validation could have led to a potential denial-of-service attack.
+    The clean_ipv6_address and is_valid_ipv6_address functions were vulnerable
+    as was the GenericIPAddressField form field. The GenericIPAddressField
+    model field was not affected. (Closes: #1093049)
+
 1:1.11.29-1+deb10u12 [Tue, 27 Aug 2024 13:41:41 +0100] Chris Lamb <lamby@debian.org>:
 
   * Non-maintainer upload by the ELTS security team.

<http://piuparts.knut.univention.de/5.0-9/#5085369848045678639>
Comment 2 Arvid Requate univentionstaff 2025-02-03 13:33:41 CET 
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-9] 7fae0da6798 Bug #57935: python-django 1:1.11.29-1+deb10u13
 doc/errata/staging/python-django.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)