Package: python-django
Version: 1.7.11-1+deb8u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2019-14232[0]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's
| chars() and words() methods were passed the html=True argument, they
| were extremely slow to evaluate certain inputs due to a catastrophic
| backtracking vulnerability in a regular expression. The chars() and
| words() methods are used to implement the truncatechars_html and
| truncatewords_html template filters, which were thus vulnerable.

CVE-2019-14233[1]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying
| HTMLParser, django.utils.html.strip_tags would be extremely slow to
| evaluate certain inputs containing large sequences of nested
| incomplete HTML entities.

CVE-2019-14234[2]:
SQL injection possibility in key and index lookups for JSONField/HStoreField

CVE-2019-14235[3]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs,
| django.utils.encoding.uri_to_iri could lead to significant memory
| usage due to a recursion when repercent-encoding invalid UTF-8 octet
| sequences.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14232
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
[1] https://security-tracker.debian.org/tracker/CVE-2019-14233
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
[2] https://security-tracker.debian.org/tracker/CVE-2019-14234
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
[3] https://security-tracker.debian.org/tracker/CVE-2019-14235
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
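As an added triage helper (not part of this bug report or of Django), the following checks an upstream Django version string against the fixed-in releases quoted in the CVE texts above; the range for CVE-2019-14234, which this report does not state, is assumed to match the other three. Debian package versions such as 1.7.11-1+deb8u6 lie outside these upstream branches and are reported as unknown, because their patch status is tracked in the Debian security tracker rather than by upstream version number.

```python
"""Triage a Django version against the four CVEs in this report.

Added example; the branch/fixed-in pairs are copied from the advisory
text above. Only upstream version strings are understood: distribution
versions (e.g. '1.7.11-1+deb8u6') carry their own backported fixes and
must be checked against the Debian security tracker instead.
"""
from typing import Dict, List, Tuple

CVES = ["CVE-2019-14232", "CVE-2019-14233", "CVE-2019-14234", "CVE-2019-14235"]

# (affected branch, first fixed release). CVE-2019-14232/14233/14235 state
# these ranges explicitly; CVE-2019-14234 is assumed to share them.
FIXED_IN: List[Tuple[str, str]] = [("1.11", "1.11.23"), ("2.1", "2.1.11"), ("2.2", "2.2.4")]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.2.3' -> (2, 2, 3). Rejects anything that is not purely dotted
    integers, so Debian revisions are never silently misjudged."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an upstream Django version: {version!r}")
    return tuple(int(p) for p in parts)


def triage(version: str) -> Dict[str, object]:
    """Return {'status': 'affected'|'fixed'|'unknown', 'cves': [...]}.

    'cves' lists the ids a changelog entry must cite when the version is
    affected; it is empty for fixed or unknown versions."""
    try:
        v = parse_version(version)
    except ValueError:
        return {"status": "unknown", "cves": []}
    for branch, fixed in FIXED_IN:
        b = parse_version(branch)
        if v[: len(b)] == b:  # version lies on this maintained branch
            affected = v < parse_version(fixed)
            return {"status": "affected" if affected else "fixed",
                    "cves": list(CVES) if affected else []}
    # 1.7.x, 2.0.x etc. are not covered by the upstream ranges quoted here.
    return {"status": "unknown", "cves": []}


if __name__ == "__main__":
    for sample in ["2.2.3", "2.2.4", "1.11.22", "2.0.13", "1.7.11-1+deb8u6"]:
        print(sample, triage(sample))
```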