Your message dated Wed, 04 Jun 2025 21:19:22 +0000
with message-id <[email protected]>
and subject line Bug#1107282: fixed in python-django 3:4.2.22-1
has caused the Debian Bug report #1107282,
regarding python-django: CVE-2025-48432 -- Potential log injection via
unescaped request path
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1107282: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107282
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: 2:2.2.28-1~deb11u6
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2025-48432[0]: Potential log injection via unescaped request path
Internal HTTP response logging used `request.path` directly,
allowing control characters (e.g. newlines or ANSI escape
sequences) to be written unescaped into logs. This could enable
log injection or forgery, letting attackers manipulate log
appearance or structure, especially in logs processed by external
systems or viewed in terminals.
Although this does not directly impact Django's security model, it
poses risks when logs are consumed or interpreted by other tools.
To fix this, the internal `django.utils.log.log_response()`
function now escapes all positional formatting arguments using a
safe encoding.
More info:
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-48432
https://www.cve.org/CVERecord?id=CVE-2025-48432
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- End Message ---
--- Begin Message ---
Source: python-django
Source-Version: 3:4.2.22-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 04 Jun 2025 08:21:53 -0700
Source: python-django
Architecture: source
Version: 3:4.2.22-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1107282
Changes:
python-django (3:4.2.22-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2025-48432: Potential log injection via unescaped request path.
.
Django's internal HTTP response logging used request.path directly,
allowing control characters (e.g. newlines or ANSI escape sequences) to
be written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in terminals.
.
Although this does not directly impact Django's security model, it poses
risks when logs are consumed or interpreted by other tools. To fix this,
the internal django.utils.log.log_response() function now escapes all
positional formatting arguments using a safe encoding.
.
(Closes: #1107282)
.
<https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>
Checksums-Sha1:
85373c92455f7b2b11112a3f5b100bded36e9d33 2790 python-django_4.2.22-1.dsc
9311aafa19c03378cbf0d9758b80cb458bccf87f 10427236 python-django_4.2.22.orig.tar.gz
2336441fbf39d74df12e855a931fa0cd6320ef30 33828 python-django_4.2.22-1.debian.tar.xz
e2b83b1f6ef6e70f1e60c55887dfbb479712ddf5 9401 python-django_4.2.22-1_source.buildinfo
Checksums-Sha256:
77bbbe2bafbe4e6c3d36d83602a11bd6f1d807be1612f1d4799b20f98e166d2b 2790 python-django_4.2.22-1.dsc
e726764b094407c313adba5e2e866ab88f00436cad85c540a5bf76dc0a912c9e 10427236 python-django_4.2.22.orig.tar.gz
119116bb321db7db3ab59a7d6356ca35d72d2ff84ad251d9d38d7cf70378c7fc 33828 python-django_4.2.22-1.debian.tar.xz
47c78490860dcaf51c6abefcb703c1ebaf0d711f3b502a1309a1f7f129576a0c 9401 python-django_4.2.22-1_source.buildinfo
Files:
d906238ee314208b7f107498b0998cef 2790 python optional python-django_4.2.22-1.dsc
129ec31e2b5b48daf6ad33380a2da976 10427236 python optional python-django_4.2.22.orig.tar.gz
6add58e41a5aad5e62a853de54f3083a 33828 python optional python-django_4.2.22-1.debian.tar.xz
e2606c7f323052c5465b78185263a0eb 9401 python optional python-django_4.2.22-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
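The bug report and the changelog entry above both describe the same defect: a request path containing control characters was interpolated into a log record unchanged, so a single request could produce extra log lines or terminal escape sequences in the output. The following is an added illustration, not Django's code and not part of either message. It contrasts a logging helper that formats the path as-is with one that escapes every string argument first, using Python's `unicode_escape` codec as one possible "safe encoding" (the advisory does not name the exact encoding Django chose, so that choice is an assumption here). It also includes the kind of check a log consumer can run to detect raw control characters that slipped through. The sample paths are constructed for the demonstration.

```python
import io
import logging

# Constructed sample request paths (not taken from the report): one benign,
# one carrying a newline and an ANSI escape sequence, i.e. the control
# characters the advisory says were written to the log unescaped.
SAMPLE_PATHS = [
    "/accounts/login/",
    "/x\n2025-06-04 INFO forged line\x1b[31m",
]


def escape_log_args(args):
    """Escape string positional arguments so control characters appear as
    their escaped spelling ('\\n', '\\x1b') instead of raw bytes.

    unicode_escape is used here as an example of a "safe encoding"; it is an
    assumption for this demo, not a claim about Django's implementation.
    """
    return tuple(
        arg.encode("unicode_escape").decode("ascii") if isinstance(arg, str) else arg
        for arg in args
    )


def log_response_vulnerable(logger, message, *args):
    """Pre-fix shape: arguments are formatted into the record unchanged."""
    logger.warning(message, *args)


def log_response_hardened(logger, message, *args):
    """Post-fix shape: every positional argument is escaped before formatting."""
    logger.warning(message, *escape_log_args(args))


def render_logs(log_fn, paths=SAMPLE_PATHS):
    """Log each path through log_fn into an in-memory handler and return the
    resulting text. A dedicated logger per function keeps handlers separate."""
    stream = io.StringIO()
    logger = logging.getLogger(f"demo.{log_fn.__name__}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    for path in paths:
        log_fn(logger, "Not Found: %s", path)
    logger.removeHandler(handler)
    return stream.getvalue()


def count_records(log_text):
    """Number of physical lines in the output. More lines than requests means
    a request path smuggled a line break into the log."""
    return len(log_text.splitlines())


def has_control_chars(log_text):
    """Consumer-side detection: True if any raw C0 control character other
    than the record-terminating newline survives in the log text."""
    return any(ord(ch) < 0x20 and ch != "\n" for ch in log_text)


if __name__ == "__main__":
    raw = render_logs(log_response_vulnerable)
    safe = render_logs(log_response_hardened)
    print("vulnerable: records =", count_records(raw), "control chars =", has_control_chars(raw))
    print("hardened:   records =", count_records(safe), "control chars =", has_control_chars(safe))
    print(safe, end="")
```

With the two constructed paths, the unescaped variant emits three physical lines and leaves the ANSI escape byte in the output, while the escaped variant emits exactly two lines with `\n` and `\x1b` spelled out as text. The `has_control_chars` check is cheap enough to run over existing log files when assessing whether an older Django deployment was exposed to this kind of forgery.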