python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235


Debian Bug report logs - #934026

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 6 Aug 2019 09:06:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions 1.7.11-1+deb8u6, 2:2.2.3-5

Fixed in version python-django/2:2.2.4-1

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#934026; Package python-django. (Tue, 06 Aug 2019 09:06:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 06 Aug 2019 09:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Date: Tue, 06 Aug 2019 10:03:54 +0100
Package: python-django
Version: 1.7.11-1+deb8u6
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for python-django.

CVE-2019-14232[0]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's
| chars() and words() methods were passed the html=True argument, they
| were extremely slow to evaluate certain inputs due to a catastrophic
| backtracking vulnerability in a regular expression. The chars() and
| words() methods are used to implement the truncatechars_html and
| truncatewords_html template filters, which were thus vulnerable.


CVE-2019-14233[1]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying
| HTMLParser, django.utils.html.strip_tags would be extremely slow to
| evaluate certain inputs containing large sequences of nested
| incomplete HTML entities.


CVE-2019-14234[2]:
SQL injection possibility in key and index lookups for JSONField/HStoreField

CVE-2019-14235[3]:
| An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before
| 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs,
| django.utils.encoding.uri_to_iri could lead to significant memory
| usage due to a recursion when repercent-encoding invalid UTF-8 octet
| sequences.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14232
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
[1] https://security-tracker.debian.org/tracker/CVE-2019-14233
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
[2] https://security-tracker.debian.org/tracker/CVE-2019-14234
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
[3] https://security-tracker.debian.org/tracker/CVE-2019-14235
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
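
Added example, not part of this bug log and not Django's or Debian's code: a Python check that applies the affected ranges stated in the CVE texts above (1.11.x before 1.11.23, 2.1.x before 2.1.11, 2.2.x before 2.2.4) to Debian-style version strings such as the ones quoted in this report. The only assumption is Debian's [epoch:]upstream[-revision] version syntax; the sample versions in the main block are the ones that appear on this page.

```python
"""Check Django version strings against the affected ranges in this advisory."""
from typing import Optional, Tuple

# Affected branches as stated in the CVE texts: "1.11.x before 1.11.23,
# 2.1.x before 2.1.11, and 2.2.x before 2.2.4".  Key: branch, value: first
# fixed upstream release on that branch.
FIRST_FIXED = {
    (1, 11): (1, 11, 23),
    (2, 1): (2, 1, 11),
    (2, 2): (2, 2, 4),
}


def split_debian_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-debian_revision]' into (epoch, upstream, revision).

    Per Debian policy the epoch is everything before the first ':' and the
    Debian revision is everything after the last '-'.  A bare upstream
    string such as '2.2.3' yields epoch 0 and an empty revision.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def upstream_tuple(upstream: str) -> Tuple[int, ...]:
    """'1.11.22' -> (1, 11, 22).  Pre-release suffixes (rc1, a2) are ignored."""
    parts = []
    for piece in upstream.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def affected_by_advisory(version: str) -> Optional[bool]:
    """True/False for a branch the advisory covers, None for any other branch.

    None does NOT mean safe.  Upstream only listed its supported branches;
    the 1.7 (jessie) and 1.10 (stretch) packages in Debian still carry the
    vulnerable code (this report marks 1.7.11-1+deb8u6 as found) and get
    backported fixes in +debNuM revisions without an upstream version bump,
    so a None must be resolved against the Debian security tracker.
    """
    _, upstream, _ = split_debian_version(version)
    parsed = upstream_tuple(upstream)
    if len(parsed) < 2:
        return None
    fixed = FIRST_FIXED.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


if __name__ == "__main__":
    # Versions quoted in this bug report.
    for v in ("2:2.2.3-5", "2:2.2.4-1", "1:1.11.22-1~deb10u1",
              "1:1.10.7-2+deb9u5", "1.7.11-1+deb8u6"):
        print("%-24s affected=%s" % (v, affected_by_advisory(v)))
```

The comparison is made on the upstream part only, so it tells you whether that upstream code line is vulnerable, not whether a given Debian binary package has been patched. For a Debian package the authoritative signal is the CVE id in its changelog (apt changelog python-django), which is exactly why the report asks for the ids to be recorded there.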

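
Added illustration of the bug class behind CVE-2019-14234, not Django's code and not the actual patch: a minimal model of how a JSON key or index lookup is turned into SQL. Django's as_sql() methods return a (sql, params) pair; the unsafe builder below splices the key name into the SQL text, the hardened one binds it as a parameter. The column name, the where_clause() helper standing in for QuerySet.filter(**kwargs), and the payload are all constructed for the example.

```python
"""Model of the CVE-2019-14234 bug class: a JSON key lookup turned into SQL.

Added illustration only; not Django's code.  Both builders mimic the shape of
a Django Transform.as_sql(): they return (sql_fragment, params), where '%s'
in the fragment is a placeholder the database adapter fills in safely.
"""
from typing import Callable, Dict, List, Tuple

COLUMN = '"app_model"."data"'  # hypothetical quoted table.column of a JSONField

Builder = Callable[[str, str], Tuple[str, List[object]]]


def key_lookup_sql_unsafe(column: str, key: str) -> Tuple[str, List[object]]:
    """Vulnerable shape: the key name is spliced into the SQL text.

    A numeric key is used as an array index; a string key is hand-quoted,
    so a quote character inside the key closes the literal and whatever
    follows it is executed as SQL.
    """
    try:
        index = int(key)
    except ValueError:
        return "(%s -> '%s')" % (column, key), []
    return "(%s -> %s)" % (column, index), []


def key_lookup_sql_safe(column: str, key: str) -> Tuple[str, List[object]]:
    """Hardened shape: the key (or integer index) travels as a bound parameter."""
    try:
        value: object = int(key)
    except ValueError:
        value = key
    return "(%s -> %%s)" % column, [value]


def where_clause(filters: Dict[str, object], builder: Builder) -> Tuple[str, List[object]]:
    """Stand-in for QuerySet.filter(**filters), restricted to data__<key> lookups.

    This is the entry point the advisory describes: a dict under attacker
    control expanded into filter(**kwargs) chooses the key names.
    """
    clauses: List[str] = []
    params: List[object] = []
    for lookup, value in filters.items():
        field, _, key = lookup.partition("__")
        if field != "data" or not key:
            raise ValueError("unsupported lookup: %r" % lookup)
        sql, key_params = builder(COLUMN, key)
        clauses.append("%s = %%s" % sql)
        params.extend(key_params)
        params.append(value)
    return " AND ".join(clauses), params


if __name__ == "__main__":
    # Constructed attacker-controlled dict: the key name ends the quoted
    # literal, adds a tautology and comments out the rest of the WHERE clause.
    payload = {"data__a') OR 1=1 --": "anything"}
    for builder in (key_lookup_sql_unsafe, key_lookup_sql_safe):
        sql, params = where_clause(payload, builder)
        print("%-22s %s  params=%r" % (builder.__name__, sql, params))
```

With the unsafe builder the WHERE clause collapses to ("app_model"."data" -> 'a') OR 1=1, matching every row; with the safe builder the same string is just a parameter value and the SQL text is identical for every key. The test to apply to any as_sql() you review is the same: no value that a caller can choose may reach the SQL string except through a placeholder.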

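
Added illustration of the CVE-2019-14235 pattern, not Django's uri_to_iri: the repercent-encoding step from RFC 3987 section 3.2 written first as a recursion that restarts on the whole path after every bad byte, then as a loop with constant stack depth. The SAFE byte set and the sample paths are constructed for the example.

```python
"""Repercent-encoding invalid UTF-8 octets: recursion versus loop.

Added illustration only; not Django's code.  Both functions percent-encode
every byte that is not part of a valid UTF-8 sequence and leave the rest
alone; they differ only in how they get to the next bad byte.
"""
from urllib.parse import quote

SAFE = b"/#%[]=:;$&()+,!?*@'~"  # bytes left unencoded (typical for a URL path)


def repercent_recursive(path: bytes) -> bytes:
    """Fix one bad byte, then recurse on the whole path.

    Each bad byte costs a stack frame that keeps its own copy of the path
    and its pending UnicodeDecodeError alive until the innermost call
    returns, so memory grows with the number of bad bytes and the stack
    limit is hit long before the input is large.
    """
    try:
        path.decode()
    except UnicodeDecodeError as e:
        repercent = quote(path[e.start:e.end], safe=SAFE)
        return repercent_recursive(path[:e.start] + repercent.encode() + path[e.end:])
    return path


def repercent_iterative(path: bytes) -> bytes:
    """Same result, one frame: loop until the bytes decode cleanly."""
    while True:
        try:
            path.decode()
        except UnicodeDecodeError as e:
            repercent = quote(path[e.start:e.end], safe=SAFE)
            path = path[:e.start] + repercent.encode() + path[e.end:]
        else:
            return path


def recursion_exhausts_stack(path: bytes) -> bool:
    """True if the recursive variant dies with RecursionError on this input."""
    try:
        repercent_recursive(path)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a lone Latin-1 byte, a truncated 3-byte sequence,
    # and a path made of 2000 invalid bytes (more than the default recursion limit).
    for sample in (b"/caf\xe9/", b"/a\xe2\x82/"):
        print(sample, "->", repercent_iterative(sample))
    long_path = b"\xff" * 2000
    print("iterative ok:", len(repercent_iterative(long_path)), "bytes")
    print("recursive RecursionError:", recursion_exhausts_stack(long_path))
```

The iterative form still copies the buffer once per bad byte, so a path with many invalid octets is quadratic in time; that is bounded in practice by the request-line size limit of the server in front of Django, whereas the recursive form is bounded by the interpreter's stack and by memory, which is the condition the CVE text describes.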

Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Aug 2019 09:18:05 GMT)


Message sent on to "Chris Lamb" <lamby@debian.org>:
Bug#934026. (Tue, 06 Aug 2019 09:18:08 GMT)


Message #10 received at 934026-submitter@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 934026-submitter@bugs.debian.org
Subject: Bug#934026 marked as pending in python-django
Date: Tue, 06 Aug 2019 09:16:01 +0000
Control: tag -1 pending

Hello,

Bug #934026 in python-django reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/python-django/commit/0aa461b77c83d4f417fd59f9f7c467b87f429040

------------------------------------------------------------------------
New upstream security release. <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/> (Closes: #934026)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/934026



Added tag(s) pending. Request was from Chris Lamb <lamby@debian.org> to 934026-submitter@bugs.debian.org. (Tue, 06 Aug 2019 09:18:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#934026; Package python-django. (Tue, 06 Aug 2019 09:21:05 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 06 Aug 2019 09:21:05 GMT)


Message #17 received at 934026@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: 934026@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#934026: python-django: CVE-2019-14232 CVE-2019-14233 CVE-2019-14234 CVE-2019-14235
Date: Tue, 06 Aug 2019 10:20:06 +0100
[Adding team@security.debian.org to CC]

Chris Lamb wrote:

> The following vulnerabilities were published for python-django.
> 
> CVE-2019-14232[0]:
> CVE-2019-14233[1]:
> CVE-2019-14234[2]:
> CVE-2019-14235[3]:

I have just fixed this in sid and will fix this in jessie LTS shortly.

Security team (added to CC), would you be interested in uploads for
buster (currently 1:1.11.22-1~deb10u1) and stretch (currently
1:1.10.7-2+deb9u5)?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Tue, 06 Aug 2019 09:39:20 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 06 Aug 2019 09:39:20 GMT)


Message #22 received at 934026-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 934026-close@bugs.debian.org
Subject: Bug#934026: fixed in python-django 2:2.2.4-1
Date: Tue, 06 Aug 2019 09:37:44 +0000
Source: python-django
Source-Version: 2:2.2.4-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934026@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 06 Aug 2019 10:08:25 +0100
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:2.2.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 934026
Changes:
 python-django (2:2.2.4-1) unstable; urgency=medium
 .
   * New upstream security release. (Closes: #934026)
     <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
Checksums-Sha1:
 9d6966a16c1c7dfaee35ad53e2c693304a07c65f 2741 python-django_2.2.4-1.dsc
 42640e8381bbf041bb2e09400251cd53694902a8 8856979 python-django_2.2.4.orig.tar.gz
 8839c49662e6b91d054c73fb4d1e1d5a06946c02 25712 python-django_2.2.4-1.debian.tar.xz
 f7d7d7e65236881ccefd11b3935b9c48e1d80e5b 7292 python-django_2.2.4-1_amd64.buildinfo
Checksums-Sha256:
 50b20c5bdf006bfb0b0a9d952b63c7f0db55d0b2c03089d7a75dadb0636e0018 2741 python-django_2.2.4-1.dsc
 16a5d54411599780ac9dfe3b9b38f90f785c51259a584e0b24b6f14a7f69aae8 8856979 python-django_2.2.4.orig.tar.gz
 21b9f42277409d27b6469513288a081a86f4a001d637d37ceb25c8a3d80dfff8 25712 python-django_2.2.4-1.debian.tar.xz
 4b04b52caaa26ae0fee3d40bad7e8300bca84aab123ac26739455d9235447560 7292 python-django_2.2.4-1_amd64.buildinfo
Files:
 9a2991889de8f5caf01316353b58cec0 2741 python optional python-django_2.2.4-1.dsc
 b32e396c354880742d85a7628a0bdd5a 8856979 python optional python-django_2.2.4.orig.tar.gz
 41de8c0369b1907583e05cd23cad33c6 25712 python optional python-django_2.2.4-1.debian.tar.xz
 fae010be4ec9d8a79ca54cd8e232c3ac 7292 python optional python-django_2.2.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl1JRVsACgkQHpU+J9Qx
HlhEIA//fV9UqNaRYBSTKiBeNvjdi8aWDL2PrcruS9DHcrOwvWMc38l+anBAUXK/
aGIDjh+OKe1PQeZcggcYi4c8TQMB903nO2WCIDneO22qf2VLBjA1bKk7cDQufrFW
vzt158IjQL7ayw01KXj6gSkNSsy7rDj4hEx5f6MXQ0m2v7Jf6K2V+iM+oZQ8l9mm
guMXa+PJRM6gSvvT+vh/0aEVtpvziVZDm3PGY4wpVENoeVMBJ6akKRJzmGYFsQ+q
K/4PI82vIaQFZkZWFGTESB5E+W9FmSSqEFKsWm7UkJ1yUTqrgUI5W4RSeYEpx8uu
BFB0hbns+BGf8jzTJ69NfACeoFOaPYuptFYwiQ/1m6w3W3pir8eSdaeVdlsyTIzG
cqppWooffBAq8REnsd7MWRqYPRLmbT+vCRNDThjVW1TjfrOSk/+N+n1VwIAL1Kkr
vT/zKoDmuCKqUhq6vzVeyOhxeocBymKQZMsc7TXU734GfVXEB459mZNDklDVVSvi
sPaFKh9rvy7WVSHyTPw8z0aYcJcksImVN490RHAF7SD+QIYFyxsTx0OzOwX6jmmT
U1yNG61SaoJUWqIP4fhiM320WM0Zni5DHpckQW7ogPECt3szKSKp4kanmxb/xNPf
frcA5PSnpPdFXQpTb53wBWazxqODqv69ScroYN7CZYLWC3sbbEo=
=pzP6
-----END PGP SIGNATURE-----




Marked as found in versions 2:2.2.3-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 06 Aug 2019 10:15:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Aug 7 09:34:35 2019; Machine Name: beach
