Debian Bug report logs -
#1030251
python-django: CVE-2023-23969 Potential denial-of-service via Accept-Language headers
Reported by: "Chris Lamb" <lamby@debian.org>
Date: Wed, 1 Feb 2023 15:57:02 UTC
Severity: grave
Tags: security, upstream
Found in versions 1:1.11.29-1+deb10u5, 3:3.2.16-2
Fixed in version python-django/3:3.2.17-1
Done: Chris Lamb <lamby@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>
:
Bug#1030251
; Package python-django
.
(Wed, 01 Feb 2023 15:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>
.
(Wed, 01 Feb 2023 15:57:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: python-django
Version: 1:1.11.29-1+deb10u5
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2023-23969: Potential denial-of-service via Accept-Language headers
The parsed values of Accept-Language headers are cached in
order to avoid repetitive parsing. This leads to a potential
denial-of-service vector via excessive memory usage if large header
values are sent.
In order to avoid this vulnerability, the Accept-Language header is
now parsed up to a maximum length.
Thanks to Mithril for the report.
This issue has severity "moderate" according to the Django security
policy.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-23969
https://www.cve.org/CVERecord?id=CVE-2023-23969
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Message sent on
to "Chris Lamb" <lamby@debian.org>
:
Bug#1030251.
(Wed, 01 Feb 2023 16:09:04 GMT) (full text, mbox, link).
Message #8 received at 1030251-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #1030251 in python-django reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/python-team/packages/python-django/-/commit/58abeb151957d5a6009686b6828ed0fb09506ce9
------------------------------------------------------------------------
New upstream release. (Closes: #1030251)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1030251
Added tag(s) pending.
Request was from Chris Lamb <lamby@debian.org>
to 1030251-submitter@bugs.debian.org
.
(Wed, 01 Feb 2023 16:09:04 GMT) (full text, mbox, link).
Reply sent
to Chris Lamb <lamby@debian.org>
:
You have taken responsibility.
(Wed, 01 Feb 2023 16:24:07 GMT) (full text, mbox, link).
Notification sent
to "Chris Lamb" <lamby@debian.org>
:
Bug acknowledged by developer.
(Wed, 01 Feb 2023 16:24:07 GMT) (full text, mbox, link).
Message #15 received at 1030251-close@bugs.debian.org (full text, mbox, reply):
Source: python-django
Source-Version: 3:3.2.17-1
Done: Chris Lamb <lamby@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1030251@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 01 Feb 2023 08:01:01 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:3.2.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1030251
Changes:
python-django (3:3.2.17-1) unstable; urgency=medium
.
* New security upstream release.
<https://www.djangoproject.com/weblog/2023/feb/01/security-releases/>
.
- CVE-2023-23969: Potential denial-of-service via Accept-Language headers
.
The parsed values of Accept-Language headers are cached in order to avoid
repetitive parsing. This leads to a potential denial-of-service vector
via excessive memory usage if large header values are sent.
.
In order to avoid this vulnerability, the Accept-Language header is now
parsed up to a maximum length. (Closes: #1030251)
.
* Drop 0010-Fixed-inspectdb.tests.InspectDBTestCase.test_custom_.patch;
applied upstream.
* Refresh all patches.
Checksums-Sha1:
739c26799224c7e0f5c81271aa9ac9440ba9e75a 2807 python-django_3.2.17-1.dsc
41fbde88d69f8f4e2daa9c8edc64864d7a42e5c4 9830188 python-django_3.2.17.orig.tar.gz
c6305d24b4b8a271a3f4b99a43bab30aeea47a3b 37648 python-django_3.2.17-1.debian.tar.xz
d175a5be405595f0869f54e63e7e55bb66bfe621 7937 python-django_3.2.17-1_amd64.buildinfo
Checksums-Sha256:
26caea9753ba9a01a43b14b31ecb655940e3c2bf691dc0e351a0d7149b868482 2807 python-django_3.2.17-1.dsc
644288341f06ebe4938eec6801b6bd59a6534a78e4aedde2a153075d11143894 9830188 python-django_3.2.17.orig.tar.gz
b38875467b7216b323f464b0f116b32342c1c42c9051d13e1852add245c6164d 37648 python-django_3.2.17-1.debian.tar.xz
eda8f2d8334dd8264821b9ddab033c57a59f8ec8b59cd5c72d86a4acd445712a 7937 python-django_3.2.17-1_amd64.buildinfo
Files:
02586cd0235d549d793ba4348f38505e 2807 python optional python-django_3.2.17-1.dsc
ef4c165db99f7f6e32b62846b9f7a36e 9830188 python optional python-django_3.2.17.orig.tar.gz
aa4efe0b62f4bff27b0f8065be1a7212 37648 python optional python-django_3.2.17-1.debian.tar.xz
893a2797e6057caa5416030603e1041b 7937 python optional python-django_3.2.17-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmPajiYACgkQHpU+J9Qx
HlhqFBAAue6O+0ZqYQ2frd2gARoqkZVhJoZ2o5pE+7iEyc34jrrUWBURrKAiz/z0
NnNsr7O20evXW1gJ87EnM0Yj0Se8QlXVHqI480+ACYil/LoiPWcihzIDM4LeQO1q
tDxgvJ4jA08bwpgrJQuQApkeS4TkESsV6W2dH6b5Gq/OiddL95eeiNiwYh/9y9e6
NIp5l8poyYCkQ44gt9nR/4Dus4PzLet5gIiH5Eq7t/T5aa/GNYOvJX+elJHghh54
Qx/piEtpQjyRCF5KYQqK6RkjFuaJnEJMvkFETzDkKpELpkEG6h4KfQjP9uIdvGlt
oaF6Yt2MLZTB/7rEUHUl1xv53R+RJsny64ZmfcD4i0aP8HDrBTpistmXhVPAz3hh
FWV0odIIUSiR/ZbMGE8Opa6L9V9rHvKkq6O6dFzqhkZ6qaAnnpbRkvob8S4YhcOT
WRq0YYURS3Z0Kt+il+abz4amQX1XGUnkK1ziOM8chavMot98Lucdet9uEsM+t7Vw
n/Qzq7sfhYP3CAs8adtHchXwEFmGqHq1CTkpegcT+1MXt/689q3yhbPXGd4inscx
G0JXNEgZOjnLq/zDf1IMGpcmH9why4talRBjR8mW1jqRnlllKMebPp/HGxm3rIrg
meBfJjp/Bv/dDI4/BreCZ/LCKeidruGl0Tle/PeDJ6N6DoLwn2Q=
=xPJl
-----END PGP SIGNATURE-----
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 01 Feb 2023 17:06:03 GMT) (full text, mbox, link).
Marked as found in versions 3:3.2.16-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 01 Feb 2023 17:06:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Feb 2 13:05:51 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.