Debian Bug report logs - #922027
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
Reported by: Herbert Fortes <terberh@gmail.com>
Date: Mon, 11 Feb 2019 12:18:02 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in versions python-django/1:1.11.18-1, python-django/1:1.10.7-2+deb9u3, python-django/1:1.10.7-2+deb9u4, python-django/1:1.10.7-2
Fixed in version python-django/1:1.11.20-1
Done: Chris Lamb <lamby@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#922027; Package python-django. (Mon, 11 Feb 2019 12:18:05 GMT)
Acknowledgement sent to Herbert Fortes <terberh@gmail.com>: New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
Your message had a Version: pseudo-header with an invalid package version: Django 2.2, 1.11
Please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.
(Mon, 11 Feb 2019 12:18:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: python-django
Version: Django 2.2, 1.11
Severity: normal
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
Thanks Sjoerd Job Postmus for reporting this issue.
Affected supported versions
Django master branch
Django 2.2 (which will be released in a separate blog post later today)
Django 2.1
Django 2.0
Django 1.11
Per our supported versions policy, Django 1.10 and older are no longer supported.
https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
Regards,
Herbert
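The mitigation described in the advisory above, as an added example that is not Django's own code: the 200-digit cutoff is evaluated on the Decimal's (sign, digits, exponent) tuple, so the fixed-point string is never built for oversized values, and a helper computes how long '{:f}'.format() would have been without materialising it. The names DIGIT_LIMIT, fixed_point_length, needs_scientific and safe_format are assumptions for this illustration.

```python
from decimal import Decimal

# Cutoff from the advisory: Decimals needing more than 200 digits in
# fixed-point form are rendered in scientific notation instead.
# (Illustrative code, not django.utils.numberformat itself.)
DIGIT_LIMIT = 200


def fixed_point_length(number: Decimal) -> int:
    """Characters '{:f}'.format(number) would allocate, computed from the
    (sign, digits, exponent) tuple so the expansion is never built."""
    if not number.is_finite():
        return len('{:f}'.format(number))  # 'NaN', 'Infinity': no expansion
    sign, digits, exponent = number.as_tuple()
    if exponent >= 0:
        # Integer value: every coefficient digit plus one '0' per exponent step.
        length = len(digits) + exponent
    else:
        # Integer part (at least a leading '0'), the '.', then -exponent
        # fractional digits.
        length = max(len(digits) + exponent, 1) + 1 - exponent
    return length + (1 if sign else 0)


def needs_scientific(number: Decimal) -> bool:
    """The guard: cheap to evaluate, independent of the value's magnitude."""
    if not number.is_finite():
        return False
    _, digits, exponent = number.as_tuple()
    return abs(exponent) + len(digits) > DIGIT_LIMIT


def safe_format(number: Decimal) -> str:
    """Mitigated formatter: '{:f}' only for values under the cutoff."""
    if needs_scientific(number):
        return '{:e}'.format(number)  # output stays proportional to the input
    return '{:f}'.format(number)


if __name__ == '__main__':
    # Constructed sample values: short literals whose fixed-point form is
    # about 500 characters, and an ordinary amount that is left untouched.
    for text in ('1e500', '1e-500', '123.45'):
        value = Decimal(text)
        print(text, fixed_point_length(value), repr(safe_format(value)))
```

Note that the cutoff compares digit count plus exponent magnitude, which is why a large exponent on a one-digit coefficient is caught as well as a long coefficient.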
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#922027; Package python-django. (Mon, 11 Feb 2019 12:42:03 GMT)
Acknowledgement sent to Herbert Fortes <terberh@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 11 Feb 2019 12:42:03 GMT)
Message #10 received at 922027@bugs.debian.org:
On Mon, 11 Feb 2019 10:15:54 -0200 Herbert Fortes <terberh@gmail.com> wrote:
> Package: python-django
> Version: Django 2.2, 1.11
> Severity: normal
>
>
> CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
>
> If django.utils.numberformat.format() -- used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters -- received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().
>
> To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
>
> Thanks Sjoerd Job Postmus for reporting this issue.
> Affected supported versions
>
> Django master branch
> Django 2.2 (which will be released in a separate blog post later today)
> Django 2.1
> Django 2.0
> Django 1.11
>
> Per our supported versions policy, Django 1.10 and older are no longer supported.
>
> https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
>
Broken django 1.11.19 release for python2.7
It looks like the distributed django 1.11.19 release does not match the code in 1.11.19 tag.
Component: Uncategorized → Core (Other)
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug
https://code.djangoproject.com/ticket/30175
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#922027; Package python-django. (Mon, 11 Feb 2019 13:15:07 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 11 Feb 2019 13:15:07 GMT)
Message #15 received at 922027@bugs.debian.org:
retitle 922027 CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
severity 922027 grave
found 922027 1:1.10.7-2+deb9u3
tags 922027 + security
thanks
Hi,
Noted that upstream might re-release. Will hold off for the time being:
https://code.djangoproject.com/ticket/30175#comment:4
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Changed Bug title to 'CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()' from 'python-django: Django security release'. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 13:15:08 GMT)
Severity set to 'grave' from 'normal'. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 13:15:09 GMT)
Marked as found in versions python-django/1:1.10.7-2+deb9u3. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 13:15:09 GMT)
Added tag(s) security. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 13:15:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#922027; Package python-django. (Mon, 11 Feb 2019 14:09:05 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 11 Feb 2019 14:09:05 GMT)
Message #28 received at 922027@bugs.debian.org:
[Adding team@security.debian.org to CC]
Chris Lamb wrote:
> retitle 922027 CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
> severity 922027 grave
> found 922027 1:1.10.7-2+deb9u3
> tags 922027 + security
> thanks
Security team, may I upload this to stretch-security? Diff attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
[922027.diff.txt (text/plain, attachment)]
Marked as found in versions python-django/1:1.11.18-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 15:03:06 GMT)
Marked as found in versions python-django/1:1.10.7-2+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 15:03:08 GMT)
Marked as found in versions python-django/1:1.10.7-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 15:03:11 GMT)
Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Feb 2019 15:21:06 GMT)
Message sent on to Herbert Fortes <terberh@gmail.com>: Bug#922027. (Mon, 11 Feb 2019 18:18:11 GMT)
Message #39 received at 922027-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #922027 in python-django reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/python-team/modules/python-django/commit/1d0dc8f3bfa1d7be03a3deec1cff27189ae7519a
------------------------------------------------------------------------
CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format. (Closes: #922027)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/922027
Added tag(s) pending. Request was from Chris Lamb <lamby@debian.org> to 922027-submitter@bugs.debian.org. (Mon, 11 Feb 2019 18:18:11 GMT)
Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Mon, 11 Feb 2019 18:39:17 GMT)
Notification sent to Herbert Fortes <terberh@gmail.com>: Bug acknowledged by developer. (Mon, 11 Feb 2019 18:39:18 GMT)
Message #46 received at 922027-close@bugs.debian.org:
Source: python-django
Source-Version: 1:1.11.20-1
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 922027@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 11 Feb 2019 19:08:53 +0100
Source: python-django
Binary: python-django python-django-common python-django-doc python3-django
Built-For-Profiles: nocheck
Architecture: source all
Version: 1:1.11.20-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
python-django - High-level Python web development framework (Python 2 version)
python-django-common - High-level Python web development framework (common)
python-django-doc - High-level Python web development framework (documentation)
python3-django - High-level Python web development framework (Python 3 version)
Closes: 922027
Changes:
python-django (1:1.11.20-1) unstable; urgency=medium
.
* New upstream security release.
- CVE-2019-6975: Fix memory exhaustion in utils.numberformat.format().
(Closes: #922027)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#922027; Package python-django. (Wed, 13 Feb 2019 08:00:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 13 Feb 2019 08:00:03 GMT)
Message #51 received at 922027@bugs.debian.org:
Chris Lamb wrote:
> [Adding team@security.debian.org to CC]
>
> > retitle 922027 CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
> > severity 922027 grave
> > found 922027 1:1.10.7-2+deb9u3
> > tags 922027 + security
> > thanks
>
> Security team, may I upload this to stretch-security? Diff attached.
Gentle ping on this? :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#922027; Package python-django. (Thu, 14 Feb 2019 21:24:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 14 Feb 2019 21:24:04 GMT)
Message #56 received at 922027@bugs.debian.org:
On Mon, Feb 11, 2019 at 03:07:36PM +0100, Chris Lamb wrote:
> [Adding team@security.debian.org to CC]
>
> Chris Lamb wrote:
>
> > retitle 922027 CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
> > severity 922027 grave
> > found 922027 1:1.10.7-2+deb9u3
> > tags 922027 + security
> > thanks
>
> Security team, may I upload this to stretch-security? Diff attached.
This doesn't warrant a DSA, let's postpone this until more severe comes up.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#922027; Package python-django. (Thu, 14 Feb 2019 21:24:05 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 14 Feb 2019 21:24:05 GMT)
Message #61 received at 922027@bugs.debian.org:
Hi Moritz,
> > Security team, may I upload this to stretch-security? Diff attached.
>
> This doesn't warrant a DSA, let's postpone this until more severe comes up.
Noted. Can you update data/CVE/list?
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Last modified: Wed Jun 19 12:57:00 2019