[SECURITY] [DLA 4210-1] python-django security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4210-1          debian-lts@lists.debian.org
https://www.debian.org/lts/security/    Chris Lamb
June 09, 2025                           https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-django
Version : 2:2.2.28-1~deb11u7
CVE IDs : CVE-2025-48432 CVE-2025-32873 CVE-2023-41164 CVE-2023-43665 CVE-2024-24680 CVE-2024-27351
Debian Bugs : 1107282 1104872 1051226
A number of vulnerabilities were discovered in Django, a popular
Python-based web-development framework:
* CVE-2025-48432: Potential log injection via unescaped request path.
Django's internal HTTP response logging used request.path directly,
allowing control characters (e.g. newlines or ANSI escape sequences) to
be written unescaped into logs. This could enable log injection or
forgery, letting attackers manipulate log appearance or structure,
especially in logs processed by external systems or viewed in terminals.
(Closes: #1107282)
* CVE-2025-32873: Denial-of-service possibility in strip_tags().
django.utils.html.strip_tags() would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used
to implement the striptags template filter, which was therefore also
vulnerable. strip_tags() now raises a SuspiciousOperation exception if it
encounters an unusually large number of unclosed opening tags.
(Closes: #1104872)
* CVE-2023-41164: Potential denial of service vulnerability in
django.utils.encoding.uri_to_iri(). This method was subject to potential
denial of service attack via certain inputs with a very large number of
Unicode characters. (Closes: #1051226)
* CVE-2023-43665: Address a denial-of-service possibility in
django.utils.text.Truncator.
Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator's chars() and words()
methods (with html=True) were revised and improved. However, these
regular expressions still exhibited linear backtracking complexity, so
when given a very long, potentially malformed HTML input, the evaluation
would still be slow, leading to a potential denial of service
vulnerability. The chars() and words() methods are used to
implement the truncatechars_html and truncatewords_html template
filters, which were thus also vulnerable. The input processed by
Truncator, when operating in HTML mode, has been limited to the
first five million characters in order to avoid potential
performance and memory issues.
* CVE-2024-24680: Potential denial-of-service in intcomma template
filter. The intcomma template filter was subject to a potential
denial-of-service attack when used with very long strings.
* CVE-2024-27351: Fix a potential regular expression denial-of-service
(ReDoS) attack in django.utils.text.Truncator.words. This method (with
html=True) and the truncatewords_html template filter were subject to a
potential regular expression denial-of-service attack via a suitably
crafted string. This is, in part, a follow up to CVE-2019-14232 and
CVE-2023-43665.
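The CVE-2025-48432 entry above describes control characters in the request path reaching the log unescaped. The following added example (not Django's own code; the log line layout, the helper names and the sample path are assumptions) shows a sanitiser that makes such a path printable before it is logged, and a check that flags raw control characters in log lines that have already been written.

```python
"""Escape control characters in a request path before logging (added example)."""
import re

# C0 controls, DEL and C1 controls: a newline breaks a one-record-per-line
# log, and ESC (0x1b) starts ANSI sequences that a terminal viewer obeys.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def escape_control_chars(value: str) -> str:
    """Replace each control character with its printable backslash escape.

    A newline becomes the two characters backslash and n, ESC becomes the
    four characters backslash, x, 1, b; the result is always one line.
    """
    return _CONTROL_CHARS.sub(lambda m: repr(m.group(0))[1:-1], value)


def response_log_line(status: int, path: str, escape: bool = True) -> str:
    """Build the single log record for a response (hypothetical layout).

    escape=False reproduces the unsafe behaviour of logging the raw path.
    """
    shown = escape_control_chars(path) if escape else path
    return f"{status} {shown}"


def count_records(log_text: str) -> int:
    """Number of records a line-oriented log consumer would see."""
    return len(log_text.splitlines())


def find_control_chars(log_lines):
    """Indices of already-written log lines that carry raw control characters."""
    return [i for i, line in enumerate(log_lines) if _CONTROL_CHARS.search(line)]


# Constructed sample: a path carrying a newline and an ANSI colour escape.
SAMPLE_PATH = "/search?q=x\n500 /health\x1b[31m"

if __name__ == "__main__":
    raw = response_log_line(404, SAMPLE_PATH, escape=False)
    safe = response_log_line(404, SAMPLE_PATH)
    print(f"raw path produces {count_records(raw)} records")    # 2
    print(f"escaped path produces {count_records(safe)} record")  # 1
    print(safe)
```

The raw form yields two records, the second of which a line-oriented consumer cannot distinguish from a genuine entry; the escaped form stays on one line and is safe to view in a terminal.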
For Debian 11 bullseye, these problems have been fixed in version
2:2.2.28-1~deb11u7.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS