Your message dated Mon, 11 Feb 2019 18:37:57 +0000
with message-id <[email protected]>
and subject line Bug#922027: fixed in python-django 1:1.11.20-1
has caused the Debian Bug report #922027,
regarding CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
922027: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922027
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django
Version: Django 2.2, 1.11
Severity: normal


CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

If django.utils.numberformat.format() -- used by contrib.admin as well as the 
floatformat, filesizeformat, and intcomma template filters -- received a 
Decimal with a large number of digits or a large exponent, it could lead to 
significant memory usage due to a call to '{:f}'.format().

To avoid this, decimals with more than 200 digits are now formatted using 
scientific notation.

Thanks Sjoerd Job Postmus for reporting this issue.

Affected supported versions

    Django master branch
    Django 2.2 (which will be released in a separate blog post later today)
    Django 2.1
    Django 2.0
    Django 1.11

Per our supported versions policy, Django 1.10 and older are no longer 
supported.

https://www.djangoproject.com/weblog/2019/feb/11/security-releases/




Regards,

Herbert

--- End Message ---
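
The mitigation described in the report above (switching to scientific notation past 200 digits), sketched as an added example; this is not code from the original message or from Django itself. The names safe_decimal_str, digit_span and MAX_DIGITS are hypothetical, and counting "digits" as coefficient digits plus the absolute exponent is an assumption.

```python
from decimal import Decimal

MAX_DIGITS = 200  # cutoff quoted in the advisory text


def digit_span(number):
    """Coefficient digits plus |exponent|: a cheap proxy for how long the
    fixed-point string would be (this way of counting is an assumption)."""
    _, digits, exponent = number.as_tuple()
    return len(digits) + abs(exponent)


def safe_decimal_str(number):
    """Render a Decimal so output size tracks its digits, not its exponent."""
    if not number.is_finite():
        # NaN/Infinity carry a non-numeric exponent marker in as_tuple().
        return str(number)
    if digit_span(number) > MAX_DIGITS:
        # Scientific notation: length depends on the coefficient only.
        return '{:e}'.format(number)
    # Small enough that fixed-point expansion is harmless.
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed sample inputs, as they might arrive from a form field.
    for raw in ('1234.50', '1e199', '1e200', '1e9999', '1e-9999', 'NaN'):
        value = Decimal(raw)
        text = safe_decimal_str(value)
        print('%-8s -> %d chars: %s' % (raw, len(text), text[:24]))
```

The check runs on the parsed tuple before any string is built, so the decision itself costs nothing proportional to the exponent.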
--- Begin Message ---
Source: python-django
Source-Version: 1:1.11.20-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 11 Feb 2019 19:08:53 +0100
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 922027
Changes:
 python-django (1:1.11.20-1) unstable; urgency=medium
 .
   * New upstream security release.
     - CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format().
       (Closes: #922027)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
