Your message dated Tue, 06 Aug 2024 16:19:51 +0000
with message-id <[email protected]>
and subject line Bug#1078074: fixed in python-django 3:4.2.15-1
has caused the Debian Bug report #1078074,
regarding python-django: CVE-2024-41989 CVE-2024-41990 CVE-2024-41991
CVE-2024-42005
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1078074: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078074
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 1:1.11.29-1+deb10u11
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django.
* CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
The floatformat template filter is subject to significant memory
consumption when given a string representation of a number in
scientific notation with a large exponent.
* CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()
The urlize() and urlizetrunc() template filters are subject to a
potential denial-of-service attack via very large inputs with a
specific sequence of characters.
* CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget
The urlize and urlizetrunc template filters, and the
AdminURLFieldWidget widget, are subject to a potential
denial-of-service attack via certain inputs with a very large number
of Unicode characters.
* CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
QuerySet.values() and values_list() methods on models with a
JSONField are subject to SQL injection in column aliases via a
crafted JSON object key as a passed *arg.
For further information see [0][1][2][3][4].
[0] https://security-tracker.debian.org/tracker/CVE-2024-41989
https://www.cve.org/CVERecord?id=CVE-2024-41989
[1] https://security-tracker.debian.org/tracker/CVE-2024-41990
https://www.cve.org/CVERecord?id=CVE-2024-41990
[2] https://security-tracker.debian.org/tracker/CVE-2024-41991
https://www.cve.org/CVERecord?id=CVE-2024-41991
[3] https://security-tracker.debian.org/tracker/CVE-2024-42005
https://www.cve.org/CVERecord?id=CVE-2024-42005
[4] https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
Regards,
--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
--- End Message ---
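The first item in the report above (CVE-2024-41989) is a memory-exhaustion issue: a fixed-point rendering of a value such as a number in scientific notation with a very large exponent needs as many digits as the exponent says, so the formatter allocates a huge string before it can round anything. The block below is an added illustration of the defensive pattern for that class of bug; it is not Django's code and not part of the bug report. It bounds the work from the exponent alone, before any expansion happens, using an assumed cutoff of 200 (`MAX_ABS_EXPONENT`, a constructed value for this example) and a hypothetical `bounded_float_format()` helper:

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP, localcontext

# Constructed cutoff for this example: a fixed-point rendering of a number
# whose decimal exponent lies beyond this would need hundreds of digits,
# which is exactly the expansion the memory-exhaustion report is about.
MAX_ABS_EXPONENT = 200


def fixed_point_width(value: Decimal) -> int:
    """Estimate how many digits a fixed-point rendering of ``value`` needs,
    computed from the exponent alone so that nothing is expanded."""
    # adjusted() is the exponent of the most significant digit, e.g. 3 for
    # 1E+3 and -300 for 1E-300, so it bounds the digit count either way.
    return abs(value.adjusted()) + 1


def bounded_float_format(text: str, places: int = 2,
                         max_abs_exponent: int = MAX_ABS_EXPONENT):
    """Render a numeric string with ``places`` decimals, or return None when
    the input is not a finite number or would expand past the cutoff.

    The width check runs before any formatting, so a pathological input
    costs a few bytes to inspect rather than a very long digit string.
    """
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None  # not a number at all
    if not value.is_finite():
        return None  # NaN / Infinity have no fixed-point form
    if fixed_point_width(value) > max_abs_exponent:
        return None  # refuse instead of expanding
    # Precision must cover every integer digit plus the requested decimals;
    # a local context keeps that setting from leaking into other Decimal code.
    with localcontext() as ctx:
        ctx.prec = max_abs_exponent + places + 2
        rounded = value.quantize(Decimal(10) ** -places, rounding=ROUND_HALF_UP)
    return format(rounded, "f")


if __name__ == "__main__":
    # Constructed sample inputs: ordinary values, one within the cutoff, and
    # two whose exponents would force an enormous expansion.
    for sample in ("3.14159", "1e3", "1e100", "1e300", "-2.5e-250", "abc"):
        print(repr(sample), "->", bounded_float_format(sample))
```

The point of the design is that the decision is made from `Decimal.adjusted()`, which is O(1), rather than from the length of an already-expanded string; a formatter that only checks its output after building it has already paid the memory cost. The same shape applies to any filter that turns a compact user-supplied representation into a proportionally larger one.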
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.15-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 06 Aug 2024 16:59:24 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1078074
Changes:
python-django (3:4.2.15-1) unstable; urgency=high
.
* New upstream security release. (Closes: #1078074)
.
- CVE-2024-41989: Memory exhaustion in django.utils.numberformat.
.
The floatformat template filter is subject to significant memory
consumption when given a string representation of a number in
scientific notation with a large exponent.
.
- CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize.
.
The urlize() and urlizetrunc() template filters are subject to a
potential denial-of-service attack via very large inputs with a specific
sequence of characters.
.
- CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget
.
The urlize and urlizetrunc template filters, and the AdminURLFieldWidget
widget, are subject to a potential denial-of-service attack via certain
inputs with a very large number of Unicode characters.
.
- CVE-2024-42005: Potential SQL injection in QuerySet.values() and
values_list()
.
QuerySet.values() and values_list() methods on models with a JSONField
are subject to SQL injection in column aliases via a crafted JSON object
key as a passed *arg.
.
<https://www.djangoproject.com/weblog/2024/aug/06/security-releases/>
Checksums-Sha1:
4bd0cedeed1f979c4f813b23b86ac33d1ef48c25 2764 python-django_4.2.15-1.dsc
82d4afdf4c3210cf399eaebe287d4012a49444ff 10418066 python-django_4.2.15.orig.tar.gz
e5aa8c698f26a9082c23ca6e0ca4ab9eeaae3a18 31908 python-django_4.2.15-1.debian.tar.xz
3229700ef66c4163b1d7d798fc747b52aae8e4da 7594 python-django_4.2.15-1_amd64.buildinfo
Checksums-Sha256:
d327f132aba6f910c023ac7882ae5bbe20c88fb533934f1d268a02ffc7444ae7 2764 python-django_4.2.15-1.dsc
c77f926b81129493961e19c0e02188f8d07c112a1162df69bfab178ae447f94a 10418066 python-django_4.2.15.orig.tar.gz
0117013cc1a87c09666f4ad03800a4a4ce0a7dcc18358137b26d1e0dc1d1b8ae 31908 python-django_4.2.15-1.debian.tar.xz
4a80d44ea7f6b1fb67178b4e5d353500d07796e360e3d3d884ff054b8553cabd 7594 python-django_4.2.15-1_amd64.buildinfo
Files:
8bdf32267a0dec045b7c27926cfdcafc 2764 python optional python-django_4.2.15-1.dsc
a828465eb577e2b4c9a34b9839b33bef 10418066 python optional python-django_4.2.15.orig.tar.gz
8532ac9623aab487d0c3b6ed21481427 31908 python optional python-django_4.2.15-1.debian.tar.xz
4fd991f4a24303449e78a8a02f876a18 7594 python optional python-django_4.2.15-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---