python-django: CVE-2023-24580 (denial-of-service vulnerability in file uploads)

Related Vulnerabilities: CVE-2023-24580  

Debian Bug report logs - #1031290
python-django: CVE-2023-24580 (denial-of-service vulnerability in file uploads)


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 14 Feb 2023 17:15:05 UTC

Severity: grave

Tags: security

Found in versions 1:1.11.29-1+deb10u6, 3:3.2.17-1

Fixed in version python-django/3:3.2.18-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1031290; Package python-django. (Tue, 14 Feb 2023 17:15:07 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Tue, 14 Feb 2023 17:15:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2023-24580 (denial-of-service vulnerability in file uploads)
Date: Tue, 14 Feb 2023 09:12:49 -0800
Package: python-django
Version: 1:1.11.29-1+deb10u6
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2023-24580[0]:

  Potential denial-of-service vulnerability in file uploads

  Passing certain inputs to multipart forms could result in too many
  open files or memory exhaustion, and provided a potential vector for
  a denial-of-service attack.

  The number of file parts parsed is now limited via the new
  DATA_UPLOAD_MAX_NUMBER_FILES setting.

  <https://www.djangoproject.com/weblog/2023/feb/14/security-releases/>

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24580
    https://www.cve.org/CVERecord?id=CVE-2023-24580


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
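The check that the fix for CVE-2023-24580 introduces, written here as an added example rather than Django's own code: a multipart body is walked part by part and the request is rejected as soon as the number of file parts exceeds the cap that DATA_UPLOAD_MAX_NUMBER_FILES (default 100 in the fixed releases) controls. The boundary string, the sample body and the exception class as defined below are constructed for this example.

```python
import re

# Django's fixed releases cap the number of file parts via the new
# DATA_UPLOAD_MAX_NUMBER_FILES setting (default 100); reused here as the cap.
DATA_UPLOAD_MAX_NUMBER_FILES = 100

# A part counts as a file part when its Content-Disposition carries a filename.
FILENAME_RE = re.compile(rb"^content-disposition:.*\bfilename\*?=", re.I | re.M)


class TooManyFilesSent(Exception):
    """Raised as soon as the cap is exceeded, before the rest of the body is parsed."""


def count_file_parts(body: bytes, boundary: bytes,
                     limit: int = DATA_UPLOAD_MAX_NUMBER_FILES) -> int:
    """Walk the body part by part, inspecting only each part's header block.

    Parsing stops at the first part that pushes the count past `limit`, so an
    oversized request is rejected without buffering or opening a temporary file
    for every part it carries (the exhaustion the CVE describes).
    """
    delimiter = b"--" + boundary
    files = 0
    pos = body.find(delimiter)
    while pos != -1:
        pos += len(delimiter)
        if body.startswith(b"--", pos):  # closing delimiter: --boundary--
            break
        header_end = body.find(b"\r\n\r\n", pos)
        if header_end == -1:
            raise ValueError("truncated multipart part")
        if FILENAME_RE.search(body[pos:header_end]):
            files += 1
            if files > limit:
                raise TooManyFilesSent(f"more than {limit} file parts in request")
        pos = body.find(delimiter, header_end)
    return files


def build_multipart(n_files: int, boundary: bytes = b"constructed-boundary") -> bytes:
    """Constructed sample body: one plain text field plus n_files file parts."""
    parts = [b"--" + boundary + b"\r\n"
             b'Content-Disposition: form-data; name="title"\r\n\r\nhello\r\n']
    for i in range(n_files):
        parts.append(b"--" + boundary + b"\r\n"
                     b'Content-Disposition: form-data; name="f%d"; filename="f%d.txt"\r\n'
                     b"Content-Type: text/plain\r\n\r\nx\r\n" % (i, i))
    return b"".join(parts) + b"--" + boundary + b"--\r\n"
```

A body with 100 file parts passes the default cap while one with 101 is rejected at the 101st part; the ordinary text field is never counted.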



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 14 Feb 2023 17:54:03 GMT) (full text, mbox, link).


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 14 Feb 2023 17:54:03 GMT) (full text, mbox, link).


Message #10 received at 1031290-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1031290-close@bugs.debian.org
Subject: Bug#1031290: fixed in python-django 3:3.2.18-1
Date: Tue, 14 Feb 2023 17:50:53 +0000
Source: python-django
Source-Version: 3:3.2.18-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 14 Feb 2023 09:12:57 -0800
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:3.2.18-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1031290
Changes:
 python-django (3:3.2.18-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-24580: Potential denial-of-service vulnerability in file uploads
 .
       Passing certain inputs to multipart forms could result in too many open
       files or memory exhaustion, and provided a potential vector for a
       denial-of-service attack.
 .
       The number of file parts parsed is now limited via the new
       DATA_UPLOAD_MAX_NUMBER_FILES setting.
 .
       Thanks to Jakob Ackermann for the report. (Closes: #1031290)

Marked as found in versions 3:3.2.17-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Feb 2023 19:39:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Feb 15 13:07:02 2023; Machine Name: buxtehude
