-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Aug 2019 10:42:49 +0100
Source: python-django
Binary: python-django python3-django python-django-common python-django-doc
Architecture: source all
Version: 1:1.10.7-2+deb9u6
Distribution: stretch-security
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 python-django - High-level Python web development framework (Python 2 version)
 python-django-common - High-level Python web development framework (common)
 python-django-doc - High-level Python web development framework (documentation)
 python3-django - High-level Python web development framework (Python 3 version)
Closes: 934026
Changes:
 python-django (1:1.10.7-2+deb9u6) stretch-security; urgency=high
 .
   * Backport four security patches from upstream. (Closes: #934026)
     <https://www.djangoproject.com/weblog/2019/aug/01/security-releases/>
 .
     - CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
 .
       If django.utils.text.Truncator's chars() and words() methods were passed
       the html=True argument, they were extremely slow to evaluate certain
       inputs due to a catastrophic backtracking vulnerability in a regular
       expression. The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which were
       thus vulnerable.
 .
       The regular expressions used by Truncator have been simplified in order
       to avoid potential backtracking issues. As a consequence, trailing
       punctuation may now at times be included in the truncated output.
 .
     - CVE-2019-14233: Denial-of-service possibility in strip_tags()
 .
       Due to the behavior of the underlying HTMLParser,
       django.utils.html.strip_tags() would be extremely slow to evaluate
       certain inputs containing large sequences of nested incomplete HTML
       entities. The strip_tags() method is used to implement the
       corresponding striptags template filter, which was thus also vulnerable.
 .
       strip_tags() now avoids recursive calls to HTMLParser when progress
       removing tags, but necessarily incomplete HTML entities, stops being
       made.
 .
       Remember that absolutely NO guarantee is provided about the results of
       strip_tags() being HTML safe. So NEVER mark safe the result of a
       strip_tags() call without escaping it first, for example with
       django.utils.html.escape().
 .
     - CVE-2019-14234: SQL injection possibility in key and index lookups for
       JSONField/HStoreField
 .
       Key and index lookups for django.contrib.postgres.fields.JSONField and
       key lookups for django.contrib.postgres.fields.HStoreField were subject
       to SQL injection, using a suitably crafted dictionary, with dictionary
       expansion, as the **kwargs passed to QuerySet.filter().
 .
     - CVE-2019-14235: Potential memory exhaustion in
       django.utils.encoding.uri_to_iri()
 .
       If passed certain inputs, django.utils.encoding.uri_to_iri could lead to
       significant memory usage due to excessive recursion when
       re-percent-encoding invalid UTF-8 octet sequences.
 .
       uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8
       octet sequences.
Checksums-Sha1:
 e4c794483d1479af946eeea752961d20a12448c2 2804 python-django_1.10.7-2+deb9u6.dsc
 5edd13a642460c33cdaf8e8166eccf6b2a2555df 7737654 python-django_1.10.7.orig.tar.gz
 feab4bd57a62673926a3089667c625ab395c3741 43076 python-django_1.10.7-2+deb9u6.debian.tar.xz
 7ebe2c2077bb53cd39df0e45a09b7c0bf7a77944 1514716 python-django-common_1.10.7-2+deb9u6_all.deb
 1677744710e8471218b165cc907c93057ba0706a 2536628 python-django-doc_1.10.7-2+deb9u6_all.deb
 b216433020dd160e046db6b00edd4256eb7e4dd5 904768 python-django_1.10.7-2+deb9u6_all.deb
 2058552727dcb0ced961d1ae5f74bef48927ce04 9329 python-django_1.10.7-2+deb9u6_amd64.buildinfo
 9142557285e2d19f39e9acd053f066c97fb7b55a 886550 python3-django_1.10.7-2+deb9u6_all.deb
Checksums-Sha256:
 31b4b068e1d93983fcf41f48c6d03356d180dcd6ae257f6d0e677207c62a90f1 2804 python-django_1.10.7-2+deb9u6.dsc
 593d779dbc2350a245c4f76d26bdcad58a39895e87304fe6d725bbdf84b5b0b8 7737654 python-django_1.10.7.orig.tar.gz
 61382e22d2c377a3897365f20119d98230289c67973dc512853b2abb41ff88dc 43076 python-django_1.10.7-2+deb9u6.debian.tar.xz
 74d0de4efcbc8ac8d0d4ec39aed86f0f843e935a39028d3e0f5b76dd609443c3 1514716 python-django-common_1.10.7-2+deb9u6_all.deb
 cb1e96c5c3f1b17b89a5df81fbc774c0c1b0abc680100d8d0778e51c035e602f 2536628 python-django-doc_1.10.7-2+deb9u6_all.deb
 6bf000c33f8bb17ad8a257bd78952ad6e35658a5d4be806f9ff6f2daf8a1b653 904768 python-django_1.10.7-2+deb9u6_all.deb
 0f9c2eaadfb56b187b2aef853329eb6705940399e26c1075b246628bd486fc11 9329 python-django_1.10.7-2+deb9u6_amd64.buildinfo
 6122ac69a7e6a6fc896f740273bed3264a8939baca4ef6c34c62dd08c6a41439 886550 python3-django_1.10.7-2+deb9u6_all.deb
Files:
 28e7abea4ed8cf9aa53950deb52603bd 2804 python optional python-django_1.10.7-2+deb9u6.dsc
 693dfeabad62c561cb205900d32c2a98 7737654 python optional python-django_1.10.7.orig.tar.gz
 6c63fd07ef43706fd86b67f07e204b86 43076 python optional python-django_1.10.7-2+deb9u6.debian.tar.xz
 4ba563d58feed3e7818d1f4c72deb6d9 1514716 python optional python-django-common_1.10.7-2+deb9u6_all.deb
 67667859611c2db6c30ad48803fe7a42 2536628 doc optional python-django-doc_1.10.7-2+deb9u6_all.deb
 fa18d0d0099d0fa68689b16da088c089 904768 python optional python-django_1.10.7-2+deb9u6_all.deb
 ea3a0e4efb7e475b90b8b0cec832eb2d 9329 python optional python-django_1.10.7-2+deb9u6_amd64.buildinfo
 e80305618a1b280d09ac4dc0d60dd84b 886550 python optional python3-django_1.10.7-2+deb9u6_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl1OzZ0ACgkQHpU+J9Qx
HljGtg//ULQz2jZgue2kaaByCiQCZzH1tDP+nThkea1ZVxsYlkMskJDvNIdtAlKB
MzoRfb1yJR81WSmg4OCKlnzitqmvtcKDuIqlzCpSzBqJicY2pu2vT4GkpUNfpwK2
PIrCQrpEp5+ArWTDW6+gRmj1vLCNYg1xpPyMSUWQ9EqQSAoOctwt1FAjfVcOEvDB
XEJ3rbwbeezpN/kPRLTSsHXFLFyptJANFaAC7Lg0JAQUmEkCIVZboojo6sizKXpp
k+XB8qRJySCrp+gW09vx0+Gzs8wNszuJuzUnbDICgCBRIPkBUlicdna5ZojqzIH7
f0Qvpue5LzcGF2+8TBydaERqg1WX09FiGUHFM0+S2GKXEsPVnARRMD4DGfxPQ0hf
cPHK/kxWX1DWCeaW5eimoZK4upft2UZF5pBqEZ07n6CN6qKOM1FW4wcLXfjAEwdB
rhTT+/hWjzSO50rxQS8OSu8JspdvtLcgJgu4qV2arzFcIJGUDZWgq8lXMLHJKCLq
b3tjREYbl/sUFmGtYTRxbfDotKjKu9lM5wxRL++ffYYGBDzWrRAPXogGE1N3wt/R
xo+GrAAvgblalDty79vYPSRIrEDKXniPYxmJIAVUu/FP80s2P5a/b2fAZorCo/HJ
wsXt833bBGKfFkg6XsdfuTULK9ntUgsIHR7RfItYRLL0VVyk4m4=
=5Zq5
-----END PGP SIGNATURE-----
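The CVE-2019-14234 entry above turns on a pattern that is worth guarding against independently of the backported patch: a caller-controlled dictionary expanded as `**kwargs` into `QuerySet.filter()`, so that the caller, not the application, chooses which field and lookup names reach the ORM. The following is an added example, not Django's code and not part of the Debian upload; it is plain Python with no Django dependency and every name in it (`ALLOWED_LOOKUPS`, `LookupRejected`, `build_filter_kwargs`, `is_rejected`) is a hypothetical helper constructed for this illustration. It allowlists the exact `field__lookup` keys a view is willing to expose and refuses everything else, including the deeper JSONField/HStoreField key and index transforms the advisory concerns.

```python
"""Allowlist filter keys before expanding a user-supplied mapping into filter(**kwargs).

Hypothetical helper written for this example (not Django code). The upstream fix for
CVE-2019-14234 hardened the JSONField/HStoreField key transforms themselves; this
pattern is the complementary application-level control: a caller may only select
lookups the developer has enumerated, so unexpected transforms never reach the ORM.
"""
import re

# Field name -> lookup types this view exposes. Constructed sample; a real view would
# list exactly the fields its API documents, nothing more.
ALLOWED_LOOKUPS = {
    "status": {"exact", "in"},
    "created": {"gte", "lte"},
    # A JSONField: whole-value equality and has_key only; no metadata__<key> transforms.
    "metadata": {"exact", "has_key"},
}

# Each "__"-separated segment of a Django lookup must be a plain identifier.
_SEGMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class LookupRejected(ValueError):
    """Raised when a requested filter key falls outside the allowlist."""


def build_filter_kwargs(untrusted, allowed=ALLOWED_LOOKUPS):
    """Return a copy of `untrusted` containing only allowlisted field__lookup keys.

    Raises LookupRejected on the first key that is not a string, is not made of
    identifier segments, nests deeper than field__lookup, or names a field or
    lookup that the allowlist does not grant. Values are passed through untouched
    because the ORM parameterises them; only the *keys* decide SQL structure.
    """
    safe = {}
    for key, value in untrusted.items():
        if not isinstance(key, str):
            raise LookupRejected(f"non-string key {key!r}")
        parts = key.split("__")
        if not all(_SEGMENT.match(p) for p in parts):
            raise LookupRejected(f"malformed lookup {key!r}")
        field = parts[0]
        if len(parts) == 1:
            lookup = "exact"          # bare field name means an implicit exact match
        elif len(parts) == 2:
            lookup = parts[1]
        else:
            # field__a__b would be a key/index transform chain; refuse it outright.
            raise LookupRejected(f"nested transform {key!r} not permitted")
        if field not in allowed or lookup not in allowed[field]:
            raise LookupRejected(f"lookup {key!r} not permitted")
        safe[key] = value
    return safe


def is_rejected(untrusted, allowed=ALLOWED_LOOKUPS):
    """True when build_filter_kwargs refuses the mapping (convenience for checks)."""
    try:
        build_filter_kwargs(untrusted, allowed)
    except LookupRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, as a request's query parameters might be decoded.
    print(build_filter_kwargs({"status": "open", "created__gte": "2019-08-01"}))
    print(is_rejected({"metadata__owner": "x"}))      # key transform: refused
    print(is_rejected({"metadata__a__b": 1}))         # nested transform: refused
```

In a view the call site becomes `Model.objects.filter(**build_filter_kwargs(request.GET.dict()))` (assumed usage), and a `LookupRejected` is turned into a 400 response rather than passed on. Keep the allowlist next to the view that uses it, and log rejections: a burst of refused keys against JSON or HStore fields is a useful detection signal for probing of exactly the lookups this advisory describes.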