python-django: CVE-2023-41164

Related Vulnerabilities: CVE-2023-41164  

Debian Bug report logs - #1051226
python-django: CVE-2023-41164


Reported by: "Chris Lamb" <lamby@debian.org>

Date: Mon, 4 Sep 2023 17:45:01 UTC

Severity: grave

Tags: security

Found in version 1:1.11.29-1+deb10u9

Fixed in versions python-django/3:4.2.5-1, python-django/3:3.2.21-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1051226; Package python-django. (Mon, 04 Sep 2023 17:45:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Mon, 04 Sep 2023 17:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2023-41164
Date: Mon, 04 Sep 2023 10:40:24 -0700
Package: python-django
Version: 1:1.11.29-1+deb10u9
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2023-41164[0]:

  Potential denial of service vulnerability in
  django.utils.encoding.uri_to_iri(); this was subject to potential
  denial of service attack via certain inputs with a very large number
  of Unicode characters.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41164
    https://www.cve.org/CVERecord?id=CVE-2023-41164


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
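A practitioner triaging this advisory wants to know whether an installed python-django package is at or past the versions the bug was closed in. The following is an added example, not code from the bug log, from Django or from Debian's dpkg: it re-implements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting lowest) in Python and checks a version string against the fixed versions named in this report; the branch-to-fix mapping in `FIXED_VERSIONS` is an assumption drawn from those two fixed versions.

```python
import re
from itertools import zip_longest

# Fixed Debian versions stated in this bug log; 1.11 (buster) has no fix listed, so it stays affected.
FIXED_VERSIONS = {"3.2": "3:3.2.21-1", "4.2": "3:4.2.5-1"}

def _order(c):
    """dpkg char weight: '~' < end of string (0) == digit (0) < letters < other symbols."""
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare upstream or revision strings like dpkg: alternate non-digit runs
    (char by char via _order) with numeric runs (leading zeros insignificant)."""
    pairs = lambda s: re.findall(r"(\D*)(\d*)", s)  # [(nondigit run, digit run), ...]
    for (na, da), (nb, db) in zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            oa, ob = _order(ca), _order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    """Split '[epoch:]upstream[-debian_revision]'; a missing epoch is 0."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    """Return -1, 0 or 1 with the ordering of `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(installed):
    """True when the installed python-django is on a branch with a listed fix and
    at or above it; the epoch is compared, so 1:1.11.29-1+deb10u9 stays unfixed."""
    branch = ".".join(_split(installed)[1].split(".")[:2])
    fixed = FIXED_VERSIONS.get(branch)
    return fixed is not None and dpkg_compare(installed, fixed) >= 0
```

Feed `is_fixed()` the output of `dpkg-query -W -f='${Version}' python3-django` (or the `Version:` line of a bug report such as this one) to decide whether a host still carries an affected build.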




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 04 Sep 2023 18:09:08 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Mon, 04 Sep 2023 18:09:08 GMT)


Message #10 received at 1051226-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1051226-close@bugs.debian.org
Subject: Bug#1051226: fixed in python-django 3:4.2.5-1
Date: Mon, 04 Sep 2023 18:07:22 +0000
Source: python-django
Source-Version: 3:4.2.5-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051226@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 04 Sep 2023 10:41:05 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.5-1
Distribution: experimental
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1051226
Changes:
 python-django (3:4.2.5-1) experimental; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-41164: Potential denial of service vulnerability in
       django.utils.encoding.uri_to_iri(). This method was subject to potential
       denial of service attack via certain inputs with a very large number of
       Unicode characters. (Closes: #1051226)
 .
     <https://www.djangoproject.com/weblog/2023/sep/04/security-releases/>




Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 04 Sep 2023 18:27:12 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Mon, 04 Sep 2023 18:27:12 GMT)


Message #15 received at 1051226-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1051226-close@bugs.debian.org
Subject: Bug#1051226: fixed in python-django 3:3.2.21-1
Date: Mon, 04 Sep 2023 18:24:12 +0000
Source: python-django
Source-Version: 3:3.2.21-1
Done: Chris Lamb <lamby@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051226@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 04 Sep 2023 11:02:53 -0700
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:3.2.21-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1051226
Changes:
 python-django (3:3.2.21-1) unstable; urgency=high
 .
   * New upstream security release:
 .
     - CVE-2023-41164: Potential denial of service vulnerability in
       django.utils.encoding.uri_to_iri(). This method was subject to potential
       denial of service attack via certain inputs with a very large number of
       Unicode characters. (Closes: #1051226)
 .
     <https://www.djangoproject.com/weblog/2023/sep/04/security-releases/>
 .
   * Refresh patches.






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 5 17:51:03 2023; Machine Name: buxtehude
