-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 06 Aug 2019 10:34:56 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Built-For-Profiles: nocheck
Architecture: source all
Version: 1.7.11-1+deb8u7
Distribution: jessie-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 934026
Changes:
 python-django (1.7.11-1+deb8u7) jessie-security; urgency=high
 .
   * Backport two security patches from upstream. (Closes: #934026)
     <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
 .
     - CVE-2019-14232: Prevent a possible denial-of-service in
       django.utils.text.Truncator.
 .
       If django.utils.text.Truncator's chars() and words() methods were
       passed the html=True argument, they were extremely slow to evaluate
       certain inputs due to a catastrophic backtracking vulnerability in a
       regular expression. The chars() and words() methods are used to
       implement the truncatechars_html and truncatewords_html template
       filters, which were thus vulnerable.
 .
       The regular expressions used by Truncator have been simplified in
       order to avoid potential backtracking issues. As a consequence,
       trailing punctuation may now at times be included in the truncated
       output.
 .
     - CVE-2019-14233: Prevent a possible denial-of-service in strip_tags().
 .
       Due to the behavior of the underlying HTMLParser,
       django.utils.html.strip_tags() would be extremely slow to evaluate
       certain inputs containing large sequences of nested incomplete HTML
       entities. The strip_tags() method is used to implement the
       corresponding striptags template filter, which was thus also
       vulnerable.
 .
       strip_tags() now avoids recursive calls to HTMLParser when progress
       removing tags, but necessarily incomplete HTML entities, stops being
       made.
 .
       Remember that absolutely NO guarantee is provided about the results
       of strip_tags() being HTML safe. So NEVER mark safe the result of a
       strip_tags() call without escaping it first, for example with
       django.utils.html.escape().
 .
   * Correct a previous changelog entry to refer to CVE-2019-12781, not
     CVE-2019-12308.
Checksums-Sha1:
 db39727864864bc8237e2ffcd75efb4cec4bfb18 2721 python-django_1.7.11-1+deb8u7.dsc
 f9abaf7eacec73bc1c5e6080e2778a7174ebf9d4 7586798 python-django_1.7.11.orig.tar.gz
 ca70dd4717c1bbf9f70f1a4ac080981f63a36bde 39460 python-django_1.7.11-1+deb8u7.debian.tar.xz
 bfb2f2214ab06c475ad88d57bd3b06c44499fd6c 992498 python-django_1.7.11-1+deb8u7_all.deb
 661b97d163220b3b8e50ab5f280e91c57c45e4d3 975642 python3-django_1.7.11-1+deb8u7_all.deb
 00c52c8d9a4675d472b2394fb120ff834d22139e 1499308 python-django-common_1.7.11-1+deb8u7_all.deb
 bfd33d5510dd02ae0ff42d2377ea2d752ea8a932 2486888 python-django-doc_1.7.11-1+deb8u7_all.deb
Checksums-Sha256:
 df0416d21d204ec0fad7abf0ed8552e10b2834c97b0132984a8bc6de594f4973 2721 python-django_1.7.11-1+deb8u7.dsc
 2039144fce8f1b603d03fa5a5643578df1ad007c4ed41a617f02a3943f7059a1 7586798 python-django_1.7.11.orig.tar.gz
 ce02315bb8577a1b075af54f83da3330a76b5997d9d89710d48ca27c215fcdcb 39460 python-django_1.7.11-1+deb8u7.debian.tar.xz
 fac4403c64cbd796c4867ab106ff60a782337896541242039872057589373196 992498 python-django_1.7.11-1+deb8u7_all.deb
 24c2a93c743e7e0843b062df15cdb4e58c61073dba6df52b05dcf31877cd4722 975642 python3-django_1.7.11-1+deb8u7_all.deb
 80b9ff8920a676765d1aed996795cad24191f4be08d353efc1155b19106b965c 1499308 python-django-common_1.7.11-1+deb8u7_all.deb
 a907686e253f1652a8956c6dd5c0460a8757770dca0054f1d8b78cfab4f7d2cf 2486888 python-django-doc_1.7.11-1+deb8u7_all.deb
Files:
 a3cdcd8949027bbcbf8fbed35d3415cd 2721 python optional python-django_1.7.11-1+deb8u7.dsc
 030b2f9c99a6e4e0418eadf7dba9e235 7586798 python optional python-django_1.7.11.orig.tar.gz
 0868f9949d46a5b11208c6b865b457eb 39460 python optional python-django_1.7.11-1+deb8u7.debian.tar.xz
 e2fab59bdd4badf4a77e51fe91f6305d 992498 python optional python-django_1.7.11-1+deb8u7_all.deb
 8da5a88692f6c7d838face6bc2ae66c0 975642 python optional python3-django_1.7.11-1+deb8u7_all.deb
 23a675259cf8499bbbead48a355098a0 1499308 python optional python-django-common_1.7.11-1+deb8u7_all.deb
 cb3946720cd7e0097d596c28cf4dcada 2486888 doc optional python-django-doc_1.7.11-1+deb8u7_all.deb
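The two points the CVE-2019-14233 entry makes, as an added illustration that is not Django's code: a tag stripper built on the standard-library HTMLParser that loops (never recurses) and stops as soon as a pass removes no "<", and the strip-then-escape step that must happen before any result is marked safe. The names strip_once, strip_tags and safe_text are assumed here and do not correspond to Django's internals.

```python
import html
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps text and entity references as written, drops every tag."""

    def __init__(self):
        # convert_charrefs=False: entities pass through untouched, so the
        # stripped result is visibly not HTML-safe until it is escaped.
        super().__init__(convert_charrefs=False)
        self.pieces = []

    def handle_data(self, data):
        self.pieces.append(data)

    def handle_entityref(self, name):
        self.pieces.append("&%s;" % name)

    def handle_charref(self, name):
        self.pieces.append("&#%s;" % name)

    def get_text(self):
        return "".join(self.pieces)


def strip_once(value):
    """One parser pass; a lone '<' or a half-formed tag survives as text."""
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    return parser.get_text()


def strip_tags(value, max_passes=100):
    """Strip repeatedly, stopping as soon as a pass removes no '<'.
    Assumed illustration of the changelog's rule (stop when no progress
    is made): a loop bounded by max_passes, never a recursive call."""
    for _ in range(max_passes):
        if "<" not in value:
            break
        new_value = strip_once(value)
        if new_value.count("<") == value.count("<"):
            break  # no progress: what is left is text, not a removable tag
        value = new_value
    return value


def safe_text(value):
    """Strip, then escape: only the escaped result may be marked safe."""
    return html.escape(strip_tags(value), quote=True)
```

Note that strip_tags keeps "&amp;" and a bare "<" exactly as they were, which is why safe_text escapes the result before it could ever be marked safe.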