-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Jun 2025 15:40:11 -0700
Source: python-django
Architecture: source
Version: 2:2.2.28-1~deb11u7
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1051226 1104872 1107282
Changes:
 python-django (2:2.2.28-1~deb11u7) bullseye-security; urgency=high
 .
   * CVE-2025-48432: Potential log injection via unescaped request path.
 .
     Django's internal HTTP response logging used request.path directly,
     allowing control characters (e.g. newlines or ANSI escape sequences)
     to be written unescaped into logs. This could enable log injection or
     forgery, letting attackers manipulate log appearance or structure,
     especially in logs processed by external systems or viewed in
     terminals. (Closes: #1107282)
 .
   * CVE-2025-32873: Denial-of-service possibility in strip_tags()
 .
     django.utils.html.strip_tags() would be slow to evaluate certain
     inputs containing large sequences of incomplete HTML tags. This
     function is used to implement the striptags template filter, which
     was therefore also vulnerable. strip_tags() now raises a
     SuspiciousOperation exception if it encounters an unusually large
     number of unclosed opening tags. (Closes: #1104872)
 .
   * CVE-2023-41164: Potential denial of service vulnerability in
     django.utils.encoding.uri_to_iri(). This method was subject to
     potential denial of service attack via certain inputs with a very
     large number of Unicode characters. (Closes: #1051226)
 .
   * CVE-2023-43665: Address a denial-of-service possibility in
     django.utils.text.Truncator.
 .
     Following the fix for CVE-2019-14232, the regular expressions used in
     the implementation of django.utils.text.Truncator’s chars() and
     words() methods (with html=True) were revised and improved. However,
     these regular expressions still exhibited linear backtracking
     complexity, so when given a very long, potentially malformed HTML
     input, the evaluation would still be slow, leading to a potential
     denial of service vulnerability.
 .
     The chars() and words() methods are used to implement the
     truncatechars_html and truncatewords_html template filters, which
     were thus also vulnerable.
 .
     The input processed by Truncator, when operating in HTML mode, has
     been limited to the first five million characters in order to avoid
     potential performance and memory issues.
 .
   * CVE-2024-24680: Potential denial-of-service in intcomma template
     filter. The intcomma template filter was subject to a potential
     denial-of-service attack when used with very long strings.
 .
   * CVE-2024-27351: Fix a potential regular expression denial-of-service
     (ReDoS) attack in django.utils.text.Truncator.words. This method
     (with html=True) and the truncatewords_html template filter were
     subject to a potential regular expression denial-of-service attack
     via a suitably crafted string. This is, in part, a follow up to
     CVE-2019-14232 and CVE-2023-43665.
Checksums-Sha1:
 3c3a02df5744afe7fc781794e2a1c4879ca1c6a0 2811 python-django_2.2.28-1~deb11u7.dsc
 046a08b5f2e54af1439bd45771707e1570966e48 52680 python-django_2.2.28-1~deb11u7.debian.tar.xz
 1b56315f21be1c51c231d13e23482c8281173de5 14326 python-django_2.2.28-1~deb11u7_amd64.buildinfo
Checksums-Sha256:
 f1ad665823c648e41198f4db2e7253eca689cafcb029a4eaf98bc1d4a9844800 2811 python-django_2.2.28-1~deb11u7.dsc
 72f95b4f95cb34c0e8f3c59c42e642b3e664533aff4efb273effcd0ddbe39a71 52680 python-django_2.2.28-1~deb11u7.debian.tar.xz
 e83db38bd58414defd6ad0a59e2c44da2f16f7a7ff74664f9f19f740983b769f 14326 python-django_2.2.28-1~deb11u7_amd64.buildinfo
Files:
 41cc50a404ba85283c4dec2f2f76d953 2811 python optional python-django_2.2.28-1~deb11u7.dsc
 85ac238a34ca99d098110056db4c7aaa 52680 python optional python-django_2.2.28-1~deb11u7.debian.tar.xz
 60b592562f9789de461b8d2e63d3e00b 14326 python optional python-django_2.2.28-1~deb11u7_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmhCITYACgkQHpU+J9Qx
HljqGRAAxBer0PE9V45qI7EiQR0PMuebe9ih9JxgLDdDXFJS4zu7s3vPpTyvAUh/
ZSlCxl2hDlo/EjD/BVnd+d5/r9CcvYcijNLJn5ypfg2++hXuglwac+GWGN3iUbRZ
1zMJuZ/xvBVy+QayTPzxi9UOQhIzrjCe+7TW5nooodixeR4ReZ2MgMwb8M4TKA8m
fA7HqJH9CaghDj+bKUUE6lDlzeY5NVgjuSGW4vH+Gt5gqX15nkYiT1L6A/nC2rBm
XMlq9etCFaQYV50rsO0bubpxV11NYiobrqXiAegbjuAuOyMWEELJrJuNvpBxJD9k
BbKI75Ot3fthKzv3jrHdjXOFrsPblzTZmC1eZyE9MHQf/wBPJGaKUPR2dOvCtNG6
ZJeJcPwT3A5ZA5E36lLzdXkVaj+6VJJEfD1uNXj4WK8LkRjF5KeK8lu0GEdQXntj
Tx/VmyaTuMxb6Byvo5aXtSg4EQQWjxsgTQfrAIhaRHjIxXcNO1XZ4MjsS3A6n525
Ir/4pGauCnM9jtdtCU+4JPU1TjAgJ3qflJ89G0h5/T/TBUwTvrBmKEglnMGiYU+N
1yUfCxbnnLxhgB2/HuFEOu4/I2x9I2cLTfml3wRn4lhVaEuryp6oaegQIjufKDm8
xZycqh7RoPJderkNzViFtX7Nr1SpRsyw7Y73mv+icrhkyXIt0co=
=6QrJ
-----END PGP SIGNATURE-----
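The first changelog entry (CVE-2025-48432) describes a logger writing request.path into a log line without escaping control characters. The following is an added example, written for this page and not taken from Django or the Debian package, of the defensive pattern that class of bug calls for: a logging.Filter that turns C0/C1 control characters in the message and its arguments into visible backslash escapes, so a newline or ANSI sequence in a path can no longer start a forged line or drive a terminal. The logger names, the "Not Found" message shape and the constructed sample path are assumptions for the demonstration; this is not the upstream fix itself.

```python
import io
import logging
import re

# Constructed illustration of the mitigation, not Django's own code.
# C0 controls (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f) are the
# characters that let a logged value break a line or drive a terminal.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")
_NAMED_ESCAPES = {"\n": "\\n", "\r": "\\r", "\t": "\\t", "\x1b": "\\x1b"}


def escape_control_chars(text: str) -> str:
    """Replace every control character with a visible, unambiguous escape."""
    def _repl(match):
        ch = match.group(0)
        return _NAMED_ESCAPES.get(ch, f"\\x{ord(ch):02x}")
    return _CONTROL_CHARS.sub(_repl, text)


class ControlCharFilter(logging.Filter):
    """Escape control characters in a record's message and its arguments.

    Attached to a logger, it runs before any handler formats the record, so
    every sink (file, syslog, terminal) sees the neutralised text.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = escape_control_chars(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(
                escape_control_chars(a) if isinstance(a, str) else a
                for a in record.args
            )
        elif isinstance(record.args, dict):
            record.args = {
                k: escape_control_chars(v) if isinstance(v, str) else v
                for k, v in record.args.items()
            }
        return True  # never drop the record, only neutralise it


def render_response_log(path: str, status: int, sanitize: bool) -> str:
    """Log one 'Not Found' line the way a response logger would; return the text written.

    With sanitize=False the path is logged verbatim (the weak behaviour);
    with sanitize=True the ControlCharFilter is attached (the hardened form).
    Assumed logger names, chosen for this example only.
    """
    logger = logging.getLogger(f"example.response.{'safe' if sanitize else 'raw'}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if sanitize:
        logger.addFilter(ControlCharFilter())
    logger.warning("Not Found (%d): %s", status, path)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a request path carrying a newline and a fake second line.
    forged_path = "/missing\nWARNING forged line from request path"
    print("--- raw (two lines from one request) ---")
    print(render_response_log(forged_path, 404, sanitize=False), end="")
    print("--- sanitised (one line, newline made visible) ---")
    print(render_response_log(forged_path, 404, sanitize=True), end="")
```

The filter escapes rather than strips, so a reviewer can still see that a request contained control characters; stripping would hide the anomaly that is itself worth alerting on. Attaching it to the logger rather than to one handler is deliberate: the fix has to apply before formatting, whatever sink the deployment uses.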