-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 05 Oct 2023 09:17:06 +0200
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 3:4.2.6-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Changes:
 python-django (3:4.2.6-1) unstable; urgency=high
 .
   * New upstream security release.
 .
     - CVE-2023-43665: Address a denial-of-service possibility in
       django.utils.text.Truncator.
 .
       Following the fix for CVE-2019-14232, the regular expressions used in
       the implementation of django.utils.text.Truncator’s chars() and
       words() methods (with html=True) were revised and improved. However,
       these regular expressions still exhibited linear backtracking
       complexity, so when given a very long, potentially malformed HTML
       input, the evaluation would still be slow, leading to a potential
       denial of service vulnerability.
 .
       The chars() and words() methods are used to implement the
       truncatechars_html and truncatewords_html template filters, which
       were thus also vulnerable.
 .
       The input processed by Truncator, when operating in HTML mode, has
       been limited to the first five million characters in order to avoid
       potential performance and memory issues.
 .
       <https://www.djangoproject.com/weblog/2023/oct/04/security-releases/>
Checksums-Sha1:
 a022246e71830ebaa3f8933bb65c5e99359f0607 2782 python-django_4.2.6-1.dsc
 6e912eeabd1df0b652e0da44cd3a556a496a1811 10407018 python-django_4.2.6.orig.tar.gz
 429bd69ce5db87684b9fa1463ebdcc1afd0a1306 31088 python-django_4.2.6-1.debian.tar.xz
 4fed491e4e2d99927dec1bbbbf83d085ab0ec325 7860 python-django_4.2.6-1_amd64.buildinfo
Checksums-Sha256:
 bcf1d2abcd4a9a086a8dd458f36d78a16f53e7faeb7bbe46079418c3f85c2dd8 2782 python-django_4.2.6-1.dsc
 08f41f468b63335aea0d904c5729e0250300f6a1907bf293a65499496cdbc68f 10407018 python-django_4.2.6.orig.tar.gz
 ffbfbeb66ee754f0e257d8052253285d24306f561d202d87e4d4040b144ddb4d 31088 python-django_4.2.6-1.debian.tar.xz
 8809b83840e73dd1dc16b718d7c557dc5726133a344f8445673041422542eff7 7860 python-django_4.2.6-1_amd64.buildinfo
Files:
 fe4bed0b7bfe3781a39030879685c41d 2782 python optional python-django_4.2.6-1.dsc
 ad84c2b9bbebaa26427a2a656fe5ceea 10407018 python optional python-django_4.2.6.orig.tar.gz
 d385194f311ee720d8532bf49f2fa7ce 31088 python optional python-django_4.2.6-1.debian.tar.xz
 a5003824855baacdbdefa106e7969842 7860 python optional python-django_4.2.6-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmUeZUIACgkQHpU+J9Qx
HliXtQ//ZZKR5xRtO0faYGoxxFVyloQc1dTH4XhbsFtH9NTxbxNRvVkJJ8Q1IkZR
kSJJM336s3IN2zOIINrb6IrF3rdZpbUdK0CgMCYtaiP0f1ktboFw6L0YIbxaqecl
5lHS3z1U6okgZLDSv4yJg/lIMmipSaYTNxxJozYWOPs5unAUgZQN64xpjfNEnr96
aTMU5dkaH8tLJVhrE8M+9dqQv4+dO69yYos55nEoXM4dEbtfaUT2k9UkdCkr/8hS
Xkw/Nlu7EAGOuFcneZH3/Rltai5Hh4Ar9FWCYhuGNJgzXy93RCk+FF8FrRD28Bc5
+DIe/1KzRflhbQORVUDUWs6fjV5a6COlArgKGE+RXPtGv1M2pR7ZtqNVs/UQ78ct
v2YlTpyj4CDMLw6/za9Yh0oDeGeb5uW5SnPNqL+NBEA890ky6E92vb2XYQhtAc5a
7SaNZQ69Ny76cWbM+OPACU5/o43554Ouqw4JMUxBwBRAdkmvEPgxco11+jSbv+nf
I69AoKgQolV3s8vVdbQyrTOBs6SgvxDYUv1XRJLbbIhoB67XCxjrZeNkgyyGUxhe
r8J40H6iLNDlegQ7npvIyjRrRWnSSZsEbAiBOaByjQSJ3hiM0Qb/1N6h2qF9lFJ7
wpM66R4eZMqaabUwMJr9H0fPANwCviWfG4PYsAEzxCKnVXTwCVk=
=7Q/z
-----END PGP SIGNATURE-----
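The checksum fields above are what lets a consumer confirm that the .dsc, the upstream tarball, the Debian tarball and the buildinfo they fetched are the ones this upload describes. The following is an added example, not part of the Debian upload or of Django: it parses the Checksums-Sha1, Checksums-Sha256 and Files fields of a .changes file, cross-checks that the three sections agree on every filename and size and that each digest has the right hex length, and then compares a file's bytes against all three digests. The sample text is the checksum fields copied from the upload above; the field parser is a simplified RFC 822 style reader written for this example and is not dpkg's. It deliberately does not check the PGP signature, which is the step that binds the checksums to the uploader's key: run `gpg --verify` (or `dscverify` from devscripts) on the .changes file first, otherwise a matching checksum only proves the file matches whatever .changes you were handed.

```python
"""Parse a Debian .changes file and verify the artifacts it lists.

Added example (not dpkg, not Django). Signature verification is out of
scope here; do it first with `gpg --verify` or `dscverify`.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: the checksum fields of the python-django 3:4.2.6-1
# upload, copied verbatim, with the signature armour and Changes field left out.
SAMPLE_CHANGES = """\
Format: 1.8
Source: python-django
Version: 3:4.2.6-1
Checksums-Sha1:
 a022246e71830ebaa3f8933bb65c5e99359f0607 2782 python-django_4.2.6-1.dsc
 6e912eeabd1df0b652e0da44cd3a556a496a1811 10407018 python-django_4.2.6.orig.tar.gz
 429bd69ce5db87684b9fa1463ebdcc1afd0a1306 31088 python-django_4.2.6-1.debian.tar.xz
 4fed491e4e2d99927dec1bbbbf83d085ab0ec325 7860 python-django_4.2.6-1_amd64.buildinfo
Checksums-Sha256:
 bcf1d2abcd4a9a086a8dd458f36d78a16f53e7faeb7bbe46079418c3f85c2dd8 2782 python-django_4.2.6-1.dsc
 08f41f468b63335aea0d904c5729e0250300f6a1907bf293a65499496cdbc68f 10407018 python-django_4.2.6.orig.tar.gz
 ffbfbeb66ee754f0e257d8052253285d24306f561d202d87e4d4040b144ddb4d 31088 python-django_4.2.6-1.debian.tar.xz
 8809b83840e73dd1dc16b718d7c557dc5726133a344f8445673041422542eff7 7860 python-django_4.2.6-1_amd64.buildinfo
Files:
 fe4bed0b7bfe3781a39030879685c41d 2782 python optional python-django_4.2.6-1.dsc
 ad84c2b9bbebaa26427a2a656fe5ceea 10407018 python optional python-django_4.2.6.orig.tar.gz
 d385194f311ee720d8532bf49f2fa7ce 31088 python optional python-django_4.2.6-1.debian.tar.xz
 a5003824855baacdbdefa106e7969842 7860 python optional python-django_4.2.6-1_amd64.buildinfo
"""

# Expected hex digest length per field, so a truncated or wrong-algorithm
# digest is rejected before any hashing happens.
DIGEST_FIELDS = {
    "Checksums-Sha1": ("sha1", 40),
    "Checksums-Sha256": ("sha256", 64),
    "Files": ("md5", 32),  # Files: md5 size section priority name
}


@dataclass
class Artifact:
    name: str
    size: int
    md5: str = ""
    sha1: str = ""
    sha256: str = ""


def parse_fields(text: str) -> dict:
    """Simplified RFC 822 reader: 'Name: value' starts a field, lines that
    begin with whitespace continue it. PGP armour lines have no colon and
    are skipped, so the clearsigned body can be fed in directly."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            fields[current].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def parse_artifacts(text: str) -> dict:
    """Return {filename: Artifact}, raising ValueError if the three checksum
    sections disagree on a size, a digest is malformed, or any file lacks
    one of the three digests."""
    fields = parse_fields(text)
    artifacts = {}
    for field_name, (algo, hexlen) in DIGEST_FIELDS.items():
        for entry in fields.get(field_name, []):
            parts = entry.split()
            if len(parts) < 3:
                raise ValueError(f"{field_name}: malformed entry {entry!r}")
            digest, size, name = parts[0], int(parts[1]), parts[-1]
            if not re.fullmatch(r"[0-9a-f]{%d}" % hexlen, digest):
                raise ValueError(f"{field_name}: bad {algo} digest for {name}")
            art = artifacts.setdefault(name, Artifact(name, size))
            if art.size != size:
                raise ValueError(f"{name}: size {size} in {field_name} "
                                 f"disagrees with {art.size}")
            setattr(art, algo, digest)
    incomplete = [a.name for a in artifacts.values()
                  if not (a.md5 and a.sha1 and a.sha256)]
    if incomplete:
        raise ValueError(f"missing digests for: {', '.join(incomplete)}")
    return artifacts


def verify_bytes(art: Artifact, data: bytes) -> bool:
    """True only if size and all three digests match; md5 and sha1 are kept
    because dpkg still lists them, but sha256 is the one that carries weight."""
    return (len(data) == art.size
            and hashlib.sha256(data).hexdigest() == art.sha256
            and hashlib.sha1(data).hexdigest() == art.sha1
            and hashlib.md5(data).hexdigest() == art.md5)


def verify_file(art: Artifact, directory: str) -> bool:
    with open(f"{directory}/{art.name}", "rb") as fh:
        return verify_bytes(art, fh.read())


def artifact_from_bytes(name: str, data: bytes) -> Artifact:
    """Build the Artifact a .changes file would list for `data` (test helper)."""
    return Artifact(name, len(data), hashlib.md5(data).hexdigest(),
                    hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for art in parse_artifacts(SAMPLE_CHANGES).values():
        print(f"{art.name}: {art.size} bytes, sha256 {art.sha256}")
```

With the real files in the current directory, `verify_file(art, ".")` for each parsed artifact is the offline half of what `dscverify` does; the example keeps hashing and parsing separate so the parser can be exercised on the page's own checksum lines without the 10 MB tarball present.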