Colin Watson uploaded new packages for python-django which fixed the following security problems:

CVE-2024-45230

Potential denial-of-service vulnerability in django.utils.html.urlize(). urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

CVE-2024-45231

Potential user email enumeration via response status on password reset. Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger.

CVE-2024-53907

Potential DoS in django.utils.html.strip_tags. The strip_tags() method and striptags template filter were subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.

CVE-2024-53908

Potential SQL injection in HasKey(lhs, rhs) on Oracle. Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle was subject to SQL injection if untrusted data is used as an lhs value. Applications that use the jsonfield.has_key lookup through the __ syntax are unaffected.

CVE-2024-56374

Potential denial-of-service vulnerability in IPv6 validation. A lack of upper bound limit enforcement in strings passed when performing IPv6 validation could have led to a potential denial-of-service (DoS) attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address were vulnerable, as was the GenericIPAddressField form field, which has now been updated to define a max_length of 39 characters. The GenericIPAddressField model field was not affected.

For the bookworm-backports distribution the problems have been fixed in version 3:4.2.18-1~bpo12+1.

-- 
Colin Watson (he/him) [cjwatson@debian.org]
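The CVE-2024-45231 mitigation described above, shown as an added stand-alone illustration that is not Django's code or part of the announcement: a pre-fix password reset handler lets a mail backend failure escape only for registered addresses, so the response status becomes an oracle, while the fixed handler catches and logs the failure and answers identically for every address. The user table, the mail backend and the logger name are constructed for the example.

```python
import logging

log = logging.getLogger("auth")  # stand-in for the django.contrib.auth logger

# Constructed sample user table: only one address is registered.
USERS = {"alice@example.org"}


class MailBackendDown(Exception):
    """Constructed failure: the SMTP backend is unreachable."""


def send_mail(to_address):
    # Constructed behaviour: every send attempt fails while the backend is down.
    raise MailBackendDown(f"cannot send to {to_address}")


def reset_vulnerable(email):
    """Pre-fix behaviour: mail is only sent for registered users, and a send
    failure propagates uncaught (an HTTP 500 in a view), so the observable
    outcome differs depending on whether the address exists."""
    if email in USERS:
        send_mail(email)  # raises for registered users only
    return 200            # unknown addresses always get 200


def reset_fixed(email):
    """Post-fix behaviour: the send failure is caught and logged, and the
    response is the same for registered and unknown addresses."""
    if email in USERS:
        try:
            send_mail(email)
        except Exception:
            log.exception("Failed to send password reset email to %s", email)
    return 200


def status_for(handler, email):
    """Return the HTTP status an external observer would see for one request."""
    try:
        return handler(email)
    except Exception:
        return 500
```

With the backend down, status_for(reset_vulnerable, ...) yields 500 for the registered address and 200 for an unknown one, whereas reset_fixed yields 200 for both.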